While Apple Pay is the gold standard for safe card transactions, some partner banks are leaving customers vulnerable to fraud via identity theft thanks to weak checks when cards are added to Apple Pay, according to mobile commerce consultants Drop Labs. Some partner banks are consequently seeing fraud rates six times higher than with physical cards.
For consumers, Apple Pay is extremely safe, thanks to the use of Touch ID fingerprint verification and single-use code transmission rather than sharing full card details. Drop Labs claims that the weak link in the chain is what happens when cards are added to Apple Pay …
When you add a card to Apple Pay, the bank is supposed to verify that you are the card’s owner, preventing an unauthorized user from adding your card to another phone. While some banks make these checks via secure mobile apps, others are simply asking customers to phone a call center. With access to hacked card details, such as those from high-profile breaches at major retailers like Target, a fraudster may have sufficient information to pass this phone check.
No, iPhones weren’t stolen and then used for unauthorized purchases, TouchID was not compromised, Credentials weren’t ripped out of Apple’s tamper proof secure element – nor the much feared but rarely attempted man-in-the-middle attacks (capture and relay an NFC transmission at a different terminal). Instead fraudsters bought stolen consumer identities complete with credit card information, and convinced both software and manual checks that they were indeed a legitimate customer.
Fraudsters can then use Apple Pay to make fraudulent transactions despite the built-in security, with the retailer satisfied that the safeguards make the transaction a safe one.
Drop Labs says that the problem can only be solved if banks improve the security of the so-called ‘Yellow Path’ procedures designed to ensure that cards are only added to Apple Pay by the genuine cardholder.