CUPERTINO, Calif.—FIs are taking steps to address fraudsters who have been typing stolen credit card numbers into Apple Pay and making purchases with their iPhones.
A previous CUToday.info report revealed that FIs, in their rush to enroll in Apple Pay, have been overlooking standard security protocols, giving fraudsters an advantage by not using a second authentication factor—such as an e-mail or a text message—to confirm that individuals enrolling in Apple Pay are who they say they are. The fraudster simply obtains stolen credit card data, enrolls in the new service and is then good to tap and pay.
According to the Wall Street Journal, the wave of fraud hitting Apple Pay is being fueled by credit card data stolen in recent breaches of big retailers, including Home Depot Inc. and Target Corp. About 80% of the unauthorized purchases have been for big-ticket items bought with smartphones at Apple’s own stores, the newspaper reported.
A report in Bloomberg Business indicated that some FIs have begun to change how they activate customers’ credit card accounts to use Apple Pay.
“This is a black eye that needs to heal through improved authentication procedures,” Richard Crone, principal of Crone Consulting LLC in San Carlos, Calif., told Bloomberg Business. “Some banks are now requiring users to call them to activate Apple Pay, to ensure that their identities haven’t been stolen.”
“It comes down to making sure that the data that is being provisioned to a device is to a device of a cardholder,” Al Pascual, director of fraud and research at Javelin Strategy & Research, San Francisco, told Bloomberg Business.
Crone told CUToday.info that a recent report indicated that fraud on Apple Pay transactions has risen to 6%, compared to six basis points on mag-stripe plastic.
