Banks rush to stem tide of fraudsters using stolen credit cards with Apple Pay

“Criminals in the US are using the new Apple Pay mobile payment system to buy high-value goods – often from Apple Stores – with stolen identities and credit card details,” Charles Arthur reports for The Guardian.

“Banks have been caught by surprise by the level of fraud, and the Guardian understands that some are scrambling to ensure that better verification and checking systems are put in place to prevent the problem running out of control, with around two million Americans already using the system,” Arthur reports. “The crooks have not broken the secure encryption around Apple Pay’s fingerprint-activated wireless payment mechanism. Instead, they are setting up new iPhones with stolen personal information, and then calling banks to ‘provision’ the victim’s card on the phone to use it to buy goods.”

“Criminals with the stolen IDs are understood to have targeted Apple Stores in particular because they both accept Apple Pay and offer high-value items, which can then be sold on for cash,” Arthur reports. “None of the US banks that offer Apple Pay contacted by the Guardian would discuss levels of fraud. But it is understood that US banks are seeking more robust methods to verify peoples’ identities before adding cards to the service.”

Read more in the full article here.

MacDailyNews Take: This is a failure of both the banks and Apple for not having a stringent enough system in place at launch to stop criminals from registering stolen cards in Apple Pay. The good news is that this has already prompted, and will continue to prompt, more security at the outset; as the initial wave of fraudsters is weeded out, Apple Pay’s extreme security itself will therefore reduce fraud significantly.

Read more via Drop Labs: Rampant: Explaining The Current State Of Apple Pay Fraud

29 Comments

  1. This is a credit card company issue, and a CC owner issue if they fail to report the theft. Credit card companies must ensure the correct owner is registering the card, and a multi-authentication system should be considered.

    The stolen cards being used could have easily been used to purchase goods.

    ApplePay is just making it more convenient.

      1. Yes, I had a card cloned some years ago and only knew it when I got a letter from the fraud dept asking me to check I still had my card and, if so, not to worry. Fortunately I did worry and rang them on the Monday to find transactions from different ends of the country, which the technology thankfully picked up, as it had me taking money out at 2 places at once (one being the real me), but humans clearly weren’t too concerned about.

        Never did find out how it had been cloned, as I only used it with reputable retailers and bank machines, though the mechanisms exploiting the latter were little known at the time. However, less than a year later I had a call from the same bank to warn me about fraud on my card and that it was an inside job, so maybe the first was too. Either way it was going to be some time before I would have known.

    1. These are not stolen cards. The credit card fraudsters capture the credit card number along with a few details about the user to fool the bank personnel on the other end of the phone. It’s low tech thievery. But it has worked so far with banks that have lax authentication requirements.

      1. That’s exactly right. Used a debit card at a CVS, and thieves captured the card number and the PIN from my keystrokes. From there they could use the card and even use telephone banking to transfer money from my savings account to checking account (the system only required card number and PIN).

        I no longer shop at CVS and have moved 100% of my business to Walgreens since they accept Apple Pay.

  2. This is nothing to do with Apple Pay. This is simply down to slack verification by banks of their own customers’ details / bank accounts. Banks should take steps, and are obliged to, to ensure that those seeking to register credit cards are the bona fide owners of those cards.

  3. Actually this is the banks’ fault. Those with lousy “yellow path” verification are having issues. The bigger question is how scammers got CC and PII info. I wonder if scammers already have my info but haven’t used it yet.

  4. Crabapple’s judgement:- This failure goes back to when Europe switched over to a chip and PIN system whilst American financial institutions groundhogged on magnetic stripe & signature cards.
    American financial institutions are now learning the hard lesson Europe had learned, but paying a dear price as the sums involved now are much, much larger.
    The next solution to be offered to beleaguered Americans will be credit card and Apple Pay insurance. A method that will offer no penalty for insured individuals whose cards or smart phones are stolen as long as they call a special hotline to report the theft or loss of said item to the banks or financial institutions.

  5. These may be issues stemming from unknown thefts.

    You have to have the 3 digit security number to register the card. Is this number provided by a card swipe?

    I suggest looking at past culprits – Gas Stations, Home Depot, Target, and other retailers. It’s possible, they are still compromised.

    Also, I read last time this topic was posted, that these CCs were non-existent prior. They are made up accounts, or ID theft.

    How can you expect Apple to lock down their side, any more? Do we need dual factor authentication for entering your CC? Do you have to visit your bank and see the manager to approve this?

    Considering anyone can apply for a CC under anyone’s name, it seems the weakness is always going to be on the side of the bank, not Apple.

    1. My AMEX Card hooked to my Apple Pay does not have a bank ….

      Registration of the card could perhaps be enhanced by requiring a phone call and email verification along with the steps already in place, and maybe the phone has to be in use X months before it is eligible for Apple Pay. Make it a feature for those responsible enough to have!

  6. Love this quote: “Battle plans always look great until you meet the enemy.”

    Yeah, kind of like the arrogance of some who show off their tiny little thermonuclear mushroom cloud ad nauseam while chanting their mantra “thermonuclear, thermonuclear, thermonuclear”, then seeing what the enemy has.

      1. Sure, I’ll try.

        Apple Pay is a deal/plan/approach laid out with banks and credit card companies so that people can pay with their iPhone. There is a weak link in that plan that criminals are taking advantage of so that the plan will have to be modified and change to minimize or eliminate this fraud type if possible.

        Now, to put some context, I’m including the entire paragraph of what was said: “Tim Sloane, vice president of payments innovation at the Massachusetts-based financial consultancy Mercator Group, said: ‘These are probably just some teething problems. If the banks can nail down the authentication, they should see less fraud on Apple Pay.’”

        Now it could have stopped there, but that’s too clear, concise, precise and does not really reveal the required patriotism of the nation that Tim Sloane belongs to. Thus the addition of: “Battle plans always look great until you meet the enemy.”

        Now that’s a demonstration of full-fledged patriotism of his country: turn any issue you can into a war, make it violent, bring out the weapons, warm up the torture chambers and of course aim the nuclear weapons, because only one country has a monopoly on using them on unarmed civilians and they’d like to keep it that way.

        Similarly, on another issue that makes the rounds here at MDN (I gather you are a regular here; if not you might have to go through the archives) is the relation between Steve Jobs having said that:

        “I will spend my last dying breath if I need to, and I will spend every penny of Apple’s $40 billion in the bank, to right this wrong,” Jobs said. “I’m going to destroy Android, because it’s a stolen product. I’m willing to go thermonuclear war on this.”

        Now Steve Jobs is deceased, and no thermonuclear weapons were released, and Tim Cook defused the situation and outdid the competition by creating superior products, not bashing the competition. It’s quite peaceful and hence not very patriotic.

        Now even though Steve Jobs is dead and Tim Cook has taken a different approach with Apple, MDN consistently posts a thermonuclear cloud image when the topic of the competitor Samsung comes up.

        This image of course is iconic to the death of thousands. I am simply showing an alternative, that the sun, a nuclear reaction is iconic to the life of billions as a way to illustrate that there is always a choice. You can be someone from the free and civilized world, or you can be a war monger. It’s a matter of free will.

        I hope this further elucidates the point I made.

        1. Methinks you read way too much into some things. It’s sort of universal that battle plans don’t survive first contact with the enemy, not a position of patriotism in the USofA. And, I might add, the bank’s fraud department is largely defensive against attack by outsiders, which means self-defense. Would you prefer they go the Gandhi route with a sit-in?
          It’s convenient to forever blame the USofA for being the first country to use nuclear weapons on innocent people, but somewhat naive, too. The politics of the world back then to this day suggest many lives were saved by the deployment of those weapons. Innocent lives really don’t care what caused their journey around the sun to be cut short. And many innocents were killed just as dead by non-nuclear means in every war ever fought and in every non-war ever non-fought.
          Why is it such a clear-cut difference for you that you can either be A or be B — you’re either from a free and civilized world or you can be a war monger? Forget that you’re wording an apples and oranges comparison, but place it in the only world we have and know and there just isn’t such a simple answer. There are people who want to do you harm regardless of how peaceful your intentions are. They may simply be have-nots or they may be full-on war mongers. But to a large degree you and they exist in a free and civilized world.

          1. Nicely said. The flames of Hate are engulfing the world, whether it be radical Islam, racism or misogyny. Hate is the greatest threat to a free and civilized world. Unfortunately the rule of law can do little to influence Hate.

            1. That’s all good! And by replying further down we can reclaim some indented margins to work with 😉 In a similar quirk, since this main story is passed over by more current stories, we can have a “private” discussion on-going without complaints about a Mac site being used for political discussions!!

  7. @MDN: It’s all well and good to criticize Apple and participating financial institutions for fraud. But doing so conveniently overlooks the source of the problem: the criminals themselves. Why is it that they get a pass? Are we positioning fraudsters as modern day Robin Hoods?

    While there are things that both Apple and the financial institutions may have overlooked, what your commentary overlooks is that people who commit fraud are criminals. They steal. They break the law. They are, to be charitable, human scum.

    No company, be it Apple or a financial institution, is perfect. Fraudsters are unfortunately opportunistic and creative. They have the advantage of playing to no rules, and anything they can steal is fair game to them. On the other hand, Apple, credit card clearinghouses and financial institutions have to fight a never-ending battle against criminals, an enemy that is constantly changing its tactics. The ground on which this battle is fought is shifting all the time. For any company to be able to anticipate everything a criminal will do is next to impossible.

    I do know this: with so much at stake, Apple, clearinghouses like Visa and Mastercard, and financial institutions are definitely at work on plugging this hole. It won’t be easy. And I would not be surprised if this type of fraud changes some fundamentals about credit cards themselves. But change it will.

    Still, to be so cavalier about the purported failings of Apple, clearinghouses and financial institutions does not really explain all that these companies have had to do to protect credit cards, and the tremendous challenges they face. To dismiss this with a simple explanation and a link does not do justice to the complexity of this subject.

  8. Last Friday my credit union pushed an update to their mobile app. They asked permission to set up Touch ID on my iPhone 6, so I assume this is another step to verify my fingerprint and tie it to my accounts and credit card.

  9. Thanks for your insightful post.

    When the government nourishes war mongering, coupled with media constantly propagating war mongering ideas, it is picked up by the masses and thus becomes a patriotic fabric of the nation. I respectfully disagree; it is a position of the USA. It is illustrated through the years of American history, 80% of which have had a war or conflict. It is illustrated by the incredible amount of resources and money the US contributes to their war machine.

    Certainly you are correct about the fraud department, it is largely defensive, though there are some offensive……….. what? Strategies? Tactics? Postures? Those terms do not evoke aggressive violence. Battle plans do. I certainly have no qualms about going the Gandhi route.

    Case in point: I pointed out that enough was said with this statement: “These are probably just some teething problems. If the banks can nail down the authentication, they should see less fraud on Apple Pay.” There is nothing violent or aggressive with that statement.

    The idea behind the statement “Battle plans always look great until you meet the enemy.” could have equally been evoked by saying “Our strategies will adapt to prevent fraud.” or something of that nature which does not evoke violence.

    Insofar as the nuclear weapons are concerned, I’m not blaming the US for using them; there was a fine rationalization at the time. On the other hand there was also a movement to demonstrate this terrible weapon to the enemy at the time. That could have saved a lot more lives, thousands more lives than the actual use of them, but this movement was swept under the rug.

    It isn’t always a clear-cut difference between a free and civilized world or, as you put it, a war monger, but for this particular case it is, and it is blatant.

    Now the experts say that you can’t compare Apples to Oranges. I always listen to what the experts say, they usually tell me what can’t be done then I go do it. You can compare Apples with Oranges, they are both fruit, both spherical, both acidic, both nutritious. I can go on.

    It’s not always a simple answer, but invading another country on a hallucination (Iraq Part II), torture, and the incredible invasion of privacy by the NSA, the sabotage, espionage and the other actions revealed by Snowden is quite simply not acceptable civilized behavior in this day and age. That’s my opinion, anyone is free to disagree with me, but I also believe that there are consequences to such behavior and war mongering and that the US is going to be hit with a dose of Karma that is going to be such a bitch. If and when that happens, well can’t say you weren’t warned.

    Anyway thank you for your insightful post, I enjoyed reading it and it’s good food for thought.

    1. It doesn’t sound as though you’re from the US – which is not a judgment or anything, just perhaps an insight into why your views of what is “US Patriotic” would differ from mine (I am a life-long US citizen). Our pilgrims fled (peacefully) from what they saw as oppression. Eventually that oppression followed them to the New World and resulted in fighting to cast off that oppression. I would not characterize that as war mongering, and while it involved fighting I’m not sure *I* would call that aggression: The letters of the founding fathers tell of sadness over loss of life; of very much wishing this weren’t so necessary. It was very much people fighting for an ideal. Come to the Civil War and I think we can agree the North, at least, was fighting for an ideal. The World Wars weren’t our doing, but once doing we sure as heck mongered war as best we could. Viet Nam was probably an ideal at the beginning but warped into something no one should be proud of. GW1 was a world response, regardless of arm-twisting that undoubtedly occurred, in fighting for an ideal. GW2 was kind of bizarre. So I’m not comfortable with saying 80% of our 239 years have been in conflict (at least in major open war — maybe you weren’t saying that either). But as a nation, the shock of December 7, 1941, was to say “never again” and mean it. So yes, there’s a lot of money spent here on defense and plenty of defensive work happens far from our borders. But I still see that as something more nuanced than a war mongering mentality brought about by constancy of doing and constancy of exposure.
      In fact, I would contend that the individual quoted with the “battle plans” comment is probably not a violent/aggressive person at all, but through constancy of exposure to news media has learned that startling comments make headlines far more often than soft spoken ones. That and he probably said a lot of things but the reporter writing his/her synopsis used the one comment that was expected to garner attention of editors and readers.
      So you have one way to compare apples and oranges, and while valid as comparisons, your way is not really altering the usefulness of the expression. But it does serve to highlight how we can both view the handling of the atomic weapon rollout as either the right choice or the wrong choice. Arguments abound for either choice. It’s intriguing to me that you say experts tell you what you can’t do but then you go and do them. Kudos to you, straight up honest admiration. I will say that in my experience those who do are always second-guessed by those who didn’t — and I try not to second guess the leaders who were making difficult decisions in their time: Should we have entered WWII sooner/later/not-at-all? Should we have escalated in Viet Nam? Should we have left Saddam Hussein alone (either time) or should we have pressed all the way to Baghdad in GW1? In general, in my years of adulthood, I’ve come to respect those who have to make those decisions with limited information, in limited timeframes, rarely either of which are of their choosing.
      Well, enough on this. I’ll look forward to your thoughts, and I’ll either buy you a pint or a bottle when next we meet!

  10. Why not have a fingerprint system in place to activate these cards? You would take it to the bank when received, plus 2 forms of ID, and your fingerprint, which would need to be verified by the FBI first; then the card would be activated. Then load it into Apple Pay after that is approved. Oh wait, people are too lazy and it would cost too much money to implement. Sorry.
