Fraudsters Exploit Issuers and Apple Pay
March 5, 2015
A security flaw in Apple Pay is making it relatively easy for fraudsters to provision credit cards into Apple Pay using stolen information. The vulnerability, first publicized by Drop Labs, has nothing to do with TouchID's biometric authentication or the tokenization of card information that Apple Pay uses, both of which make transactions themselves relatively secure. Instead, the weak point is the inadequate authentication of users at the moment they set up a credit card in Apple Pay.
“Credit card issuers in general have a good handle on fraud,” said the Drop Labs blog post on the subject. “They manage it under 10bps (i.e. losses of $0.10 or less per $100 of transactions) on transactions made with a dumb plastic card lacking any additional context. But fraud seems to have followed a different trajectory here. About a month post-launch, it seems like fraud has come to Apple Pay (in one case — as high as 600bps for an issuer that I cannot name).”
Card-not-present merchants, for once, seem to be at an advantage in this scenario. Where a fraudster might have simply used the stolen information to make a purchase online, Cherian Abraham of Drop Labs said they are using it instead to provision cards on Apple Pay because “online retailers who shoulder liability in the occurrence of fraud have become increasingly sophisticated in fighting it.” So, leveraging stolen credentials to provision a card account on Apple Pay acts like a counterfeit card—without the plastic or magstripe—that criminals can use to make purchases in a physical store.
“The 24 hours or more delivery window offers them a sufficient window of opportunity to deploy a number of fraud fighting measures (velocity, device fingerprinting, category checks) — and that’s too much of a coin-toss for a fraudster. AP is proving to be a lot simpler.”