Banks rush to stem tide of fraudsters using stolen credit cards with Apple Pay

“Criminals in the US are using the new Apple Pay mobile payment system to buy high-value goods – often from Apple Stores – with stolen identities and credit card details,” Charles Arthur reports for The Guardian.

“Banks have been caught by surprise by the level of fraud, and the Guardian understands that some are scrambling to ensure that better verification and checking systems are put in place to prevent the problem running out of control, with around two million Americans already using the system,” Arthur reports. “The crooks have not broken the secure encryption around Apple Pay’s fingerprint-activated wireless payment mechanism. Instead, they are setting up new iPhones with stolen personal information, and then calling banks to ‘provision’ the victim’s card on the phone to use it to buy goods.”

“Criminals with the stolen IDs are understood to have targeted Apple Stores in particular because they both accept Apple Pay and offer high-value items, which can then be sold on for cash,” Arthur reports. “None of the US banks that offer Apple Pay contacted by the Guardian would discuss levels of fraud. But it is understood that US banks are seeking more robust methods to verify peoples’ identities before adding cards to the service.”

Read more in the full article here.

MacDailyNews Take: This is a failure of both the banks and Apple for not having a stringent enough system in place at launch to thwart the criminals from getting stolen cards registered into Apple Pay. The good news is that this has already and will continue to prompt more security at the outset and, as the initial wave of fraudsters are weeded out, Apple Pay’s extreme security itself will therefore reduce fraud significantly.

Read more via Drop Labs: Rampant: Explaining The Current State Of Apple Pay Fraud


  1. This is a credit card company issue and CC owner if they fail to report the theft. Credit card companies must ensure the correct owner is registering the card and a multi authentication system should be considered.

    The stolen cards being used could have easily been used to purchase goods.

    ApplePay is just making it more convenient.

      1. Yes I had a card cloned some years ago and only knew it when I got a letter from the fraud dept asking me to check I still had my card and if so not to worry. Fortunately I did worry and rang them on the Monday to find transactions from different ends of the country which the technology picked thankfully as it had me taking money out at 2 places at once (one being the real me) up but humans clearly weren’t too concerned about.

        Never did find out how it had been cloned as I only used it with reputable retailers and bank machines though the mechanisms exploiting the latter were little known at the time. However less than a year later I had a call from the same Bank to warn me about fraud on my card and that it was an inside job so maybe the first was too. Either way it was going to be some time before I would have known.

    1. These are not stolen cards. The credit card fraudsters capture the credit card number along with a few details about the user to fool the bank personnel on the other end of the phone. It’s low tech thievery. But it has worked so far with banks that have lax authentication requirements.

      1. That’s exactly right. Used a debit card at a CVS, and thieves captured the card number and the PIN from my keystrokes. From there they could use the card and even use telephone banking to transfer money from my savings account to checking account (the system only required card number and PIN).

        I no longer shop at CVS and have moved 100% of my business to Walgreens since they accept Apple Pay.

  2. This is nothing to do with Apple Pay. This is simply down to slack verification by banks of their own cutomer’s details /bank accounts. Banks should take steps and are obliged to ensure that those seeking to register credit cards are the bona fide owners of those cards.

  3. Actually this is the banks fault. Those with lousy “yellow path” verification are having issues. The bigger question is how scammers got CC and PII info. I wonder if scammers already have my info but haven’t used yet.

  4. Crabapple’s judgement:- This failure goes back to when Europe switched over to a chip and pin system whilst American financial institutions groundhogged on magnetic & signature stripped cards.
    American financial institutions are now learning the hard lesson Europe had learned but paying a dear price as sums involved now are much much larger.
    The next solution to be offered to beleaguered Americans will be credit card and Apple pay insurance. A method that will offer no penalty for insured individuals who’s cards or smart phones are stolen as long as they call a special hotline to report the theft or missing of said item to the banks or financial institutions.

  5. these maybe issues stemming from unknown thefts.

    You have to have the 3 digit security number to register the card. Is this number provided by a card swipe?

    I suggest looking at past culprits – Gas Stations, Home Depot, Target, and other retailers. It’s possible, they are still compromised.

    Also, I read last time this topic was posted, that these CCs were non-existent prior. They are made up accounts, or ID theft.

    How can you expect Apple to lock down their side, any more? Do we need dual factor authentication for entering your CC? Do you have to visit your bank and see the manager to approve this?

    Considering anyone can apply for a CC under anyone’s name, it seems the weakness is always going to be on the side of the bank, not Apple.

    1. My AMEX Card hooked to my Apple Pay does not have a bank ….

      Registration of the Card could perhaps be enhanced by requiring a phone call and email verification along with the steps already in place and maybe the phone has to be in use X Months before it is eligible for Apple Pay, make it a feature for those responsible enough to have!

  6. Love this quote: “Battle plans always look great until you meet the enemy.”

    Yeah kind of like the arrogance of some who show off their tiny little thermonuclear mushroom cloud ad nauseum while chanting their mantra “thermonuclear, thermonuclear, thermonuclear” then seeing that what the enemy has.

      1. Sure, I’ll try.

        Apple Pay is a deal/plan/approach laid out with banks and credit card companies so that people can pay with their iPhone. There is a weak link in that plan that criminals are taking advantage of so that the plan will have to be modified and change to minimize or eliminate this fraud type if possible.

        Now to put some context I’m including the entire paragraph of what was said: “Tim Sloane, vice president of payments innovation at the Massachusetts-based financial consultancy Mercator Group, said: “These are probably just some teething problems. If the banks can nail down the authentication, they should see less fraud on Apple Pay,”

        Now it could have stopped there, but that’s too clear, concise, precise and does not really reveal the required patriotism of the nation that Tim Sloane belongs to. Thus the addition of: “Battle plans always look great until you meet the enemy.”

        Now that’s a demonstration of full fledged patriotism of his country, turn any issue you can into a war, make it violent, bring out the weapons, warm up the torture chambers and of course aim the nuclear weapons because only one country has a monopoly on using them on unarmed civilians and they’d like to keep it that way.

        Similarly on another issue that makes the rounds here at MDN (I gather you are a regular here, if not you might have to go through the archives) is the relation between Steve Jobs having said that:

        “”I will spend my last dying breath if I need to, and I will spend every penny of Apple’s $40 billion in the bank, to right this wrong,” Jobs said. “I’m going to destroy Android, because it’s a stolen product. I’m willing to go thermonuclear war on this.”

        Now Steve Jobs is now deceased, and no thermonuclear weapons were released and Tim Cook defused the situation and out did the competition by creating superior products not bashing the competition. It’s quite peaceful and hence not very patriotic.

        Now even though Steve Jobs is dead and Tim Cook has taken a different approach with Apple, MDN consistently posts a thermonuclear cloud image when the topic of the competitor Samsung comes up.

        This image of course is iconic to the death of thousands. I am simply showing an alternative, that the sun, a nuclear reaction is iconic to the life of billions as a way to illustrate that there is always a choice. You can be someone from the free and civilized world, or you can be a war monger. It’s a matter of free will.

        I hope this further elucidates the point I made.

        1. Methinks you read way too much into some things. It’s sort of universal that battle plans don’t survive first contact with the enemy, not a position of patriotism in the USofA. And, I might add, the bank’s fraud department is largely defensive against attack by outsiders, which means self-defense. Would you prefer they go the Ghandi route with a sit-in?
          It’s convenient to forever blame the USofA for being the first country to use nuclear weapons on innocent people, but somewhat naive, too. The politics of the world back then to this day suggest many lives were saved by the deployment of those weapons. Innocent lives really don’t care what caused their journey around the sun to be cut short. And many innocents were killed just as dead by non-nuclear means in every war ever fought and in every non-war ever non-fought.
          Why is it such a clear-cut difference for you that you can either be A or be B — you’re either from a free and civilized world or you can be a war monger? Forget that you’re wording an apples and oranges comparison, but place it in the only world we have and know and there just isn’t such a simple answer. There are people who want to do you harm regardless of how peaceful your intentions are. They may simply be have-nots or they may be full-on war mongers. But to a large degree you and they exist in a free and civilized world.

          1. Nicely said. The flames of Hate are engulfing the world. Whether it be radical islam, racism or misogyny. Hate is the greatest threat to a free and civilized world. Unfortunately rule of law can do little to influence Hate.

            1. That’s all good! And by replying further down we can reclaim some indented margins to work with 😉 In a similar quirk, since this main story is passed over by more current stories, we can have a “private” discussion on-going without complaints about a Mac site being used for political discussions!!

  7. @MDN: It’s all well and good to criticize Apple and participating financial institutions for fraud. But doing so conveniently overlooks the source of the problem: the criminals themselves. Why is it that they get a pass? Are we positioning fraudsters as modern day Robin Hoods?

    While there are things that both Apple and the financial institutions may have overlooked, what your commentary overlooks is that people who commit fraud are criminals. They steal. They break the law. They are, to be charitable, human scum.

    No company, be it Apple or a financial institution, is perfect. Fraudsters are unfortunately opportunistic and creative. They have the advantage of playing to no rules, and anything they can steal is fair game to them. On the other hand, Apple, credit card clearinghouses and financial institutions have to fight a never-ending battle against criminals, an enemy that is constantly changing its tactics. The ground on which this battle is fought is shifting all the time. For any company to be able to anticipate everything a criminal will do is next to impossible.

    I do know this: with so much at stake, Apple, clearinghouses like Visa and Mastercard, and financial institutions are definitely at work on plugging this hole. It won’t be easy. And I would not be surprised if this type of fraud changes some fundamentals about credit cards themselves. But change it will.

    Still, to be so cavalier about the purported failings of Apple, clearinghouses and financial institutions does not really explain all that these companies have had to do to protect credit cards, and the tremendous challenges they face. To dismiss this with a simple explanation and a link does not do justice to the complexity of this subject.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.