Fraudsters are already finding ways to take advantage of holes in the security around Apple Pay.
Payments expert Cherian Abraham reportedly started warning banks and credit unions last month about vulnerabilities in Apple Pay’s verification process that enables users to add a credit card to the mobile-payment service, according to a Wall Street Journal story.
While Apple secures its service with a fingerprint reader, which ensures that the iPhone’s owner is making the purchase, and a one-time code, which keeps merchants from seeing customers’ credit-card information, the vulnerability exists before these measures come into play, the WSJ writes.
A fraudster can pose as a legitimate customer of a bank asking for permission to use a card issued by that bank in Apple Pay, particularly if the fraudster knows the customer’s Social Security number, phone number, or other information, explains the WSJ.
Many banks ask for additional information if the fraudster’s information doesn’t match Apple’s, but some banks “made it too easy for cards to be approved, because they wanted to reduce the friction of adding their cards to Apple Pay.”
Abraham blogged that such fraud “is growing like a weed, and the bank is unable to tell friend from foe.”
In response, financial institutions are tightening the verification process in hopes of minimizing the fraud, the WSJ writes.
In addition to Apple Pay, other mobile-payment services might be exposed to the same fraud problem, “irrespective of origin, scale, intent, or patron saint,” Abraham wrote.
An Apple spokeswoman told the newspaper that Apple Pay is “designed to be extremely secure and protect a user’s personal information,” and that “banks are always reviewing and improving their approval process, which varies by bank.”