Scammers attack Apple Pay's "soft underbelly"
Apple said their digital payment system would be safer than plastic, but that might not be the case following new reports of an Apple Pay-linked fraud.
Leading up to its release, the tech giant celebrated the software's broad list of security checks and balances, including biometric touch ID and encrypted device-specific ID numbers, so the news may be surprising.
"It turns out five months in, that there's a soft underbelly, that there's a vulnerability that nobody really thought about, and that is identity fraud," The New Yorker magazine tech expert Nicholas Thompson said Wednesday on "CBS This Morning."
No one is hacking Apple Pay, but scammers have found a loophole around security measures. The flaw stems from banks' provisioning systems -- the process by which banks determine whether to issue a credit card to a valid user.
To add insult to injury, the majority of criminals' fraudulent purchases have been occurring at Apple stores where Apple Pay is accepted for high-price items that can be resold for cash.
The discovery was made by Cherian Abraham, a veteran consultant focused on mobile commerce. He writes in his blog Drop Labs, "These are organized crime rings that are handing out pre-provisioned devices to mules that are then being used to commit fraud."
Thompson said while Apple may need to change its infrastructure, it's the banks that really need to revamp protocol.
"They moved way too quickly on this; they need to slow down," Thompson said. "And when someone tries to get authorized for a new credit card inside of an Apple Pay account, they need to ask for more information."
According to their respective websites, Bank of America requires that customers call to verify Apple Pay information and Capital One offers an added level of protection by having members log into their own app.
Nevertheless, experienced criminals have been able to load stolen information on to phones. And thanks in part to Apple's own security measures, there's little merchants can do to detect fraud on site. Unlike when using plastic, cashiers can't see your name or credit card number.
"There are a bunch of holes in the system, but that is a really interesting one, because Apple set up that mechanism as a way to protect you, so the person at the checkout counter couldn't steal your name and number. But it turns out that it eliminates one little possible protection against it," Thompson said.