While Apple Pay still remains secure and its encryption intact, identity thieves are exploiting the one weakness in the process — banks. People interested in using Apply Pay upload their credit card information to their iPhones, at which point banks are supposed to thoroughly verify each card and then beam over an encrypted version of the card details to be stored on the phone. U.S. banks use a “green path” for cards that are approved immediately based on data contained within the iPhone, such as the name of the device, its current location or if the user has a long history of transactions with iTunes.
“Yellow paths” are used for cards that require further checks, and request that users call in to confirm that they own the card in question. However many banks have relatively lax second-level checking procedures, such as only confirming the last four digits of Social Security numbers. While SSNs are meant to be secret, they are commonly stolen for identity theft.
Crooks are taking advantage of this vulnerability by setting up new iPhones with stolen personal information to convince both software and manual checks that they are the true owners of the victim’s credit card. According to The Guardian, “industry sources” suggest that identity theft fraud related to Apple Pay is much higher than expected, with total losses already running into the millions. Compare this to the $5 billion in smartphone-based retail payments expected to be made in the U.S. this year, and it becomes clear that the deficit puts a serious dent in revenue.
Cherian Abraham, a mobile-payments specialist who is a consultant to U.S. finance groups, stated on his blog that many banks participating in Apple Pay has seen significant provisioning fraud through customer account takeovers. He believes that organized gangs are conducting the fraud, and that intelligent criminals are even calling banks to alert them of “trips out of town” so that banks looking for locational transaction anomalies do not become suspicious.
Abraham believes U.S. banks must seek more robust identity verification methods, but warns, “Fraud scales - call centers don’t. There has to be an automated process that is invisible but secure. In hindsight the only thing Apple could have done better was to anticipate the problem, made it mandatory [to call] and helped build a better ‘yellow path’.”
According to the U.S. Department of Justice, 11.5 million Americans become victims of id theft each year. The average incident costs $4,930 per individual, and total national losses are about $24.7 billion annually.
Although there is no way to prevent identity theft from occurring entirely, there are a number of steps every person can take to protect themselves as much as possible. This includes:
- Protecting your identity by keeping social security cards in a secure location
- Using a credit monitoring service to check your credit file for certain kinds of activity that may indicate fraud.
- Being careful about revealing personal information online.
Taking these steps may help protect your identity and keep sensitive information out of the wrong hands.