While Apple Pay is the gold standard for safe card transactions, some partner banks are leaving customers vulnerable to fraud via identity theft thanks to weak checks when cards are added to Apple Pay, according to mobile commerce consultants Drop Labs. Some partner banks are consequently seeing fraud rates six times higher than with physical cards.

For consumers, Apple Pay is extremely safe, thanks to the use of Touch ID fingerprint verification and single-use code transmission rather than sharing full card details. Drop Labs claims that the weak link in the chain is what happens when cards are added to Apple Pay … 

When you add a card to Apple Pay, the bank is supposed to verify that you are the card’s owner, preventing an unauthorized user from adding your card to another phone. While some banks make these checks via secure mobile apps, others are simply asking customers to phone a call center. With access to hacked card details, such as those from high-profile breaches at major retailers like Target, a fraudster may have sufficient information to pass this phone check.

No, iPhones weren’t stolen and then used for unauthorized purchases, TouchID was not compromised, credentials weren’t ripped out of Apple’s tamper-proof secure element – nor the much feared but rarely attempted man-in-the-middle attacks (capture and relay an NFC transmission at a different terminal). Instead, fraudsters bought stolen consumer identities complete with credit card information, and convinced both software and manual checks that they were indeed a legitimate customer.

Fraudsters can then use Apple Pay to make fraudulent transactions despite the built-in security, with the retailer satisfied that the safeguards make the transaction a safe one.

Drop Labs says that the problem can only be solved if banks improve the security of the so-called ‘Yellow Path’ procedures designed to ensure that cards are only added to Apple Pay by the genuine cardholder.

Apple Pay now has more than 45 partner banks, with Bank of America alone reporting 1.1 million cards added to the service.

Via Gizmodo

About the Author

Ben Lovejoy
