
Apple Pay's weakest link

Kenneth van Wyk | May 27, 2015
The mobile payment service remains solid, as long as banks beef up their card-registration procedures. But what weakness will fraudsters take advantage of next?


You're only as secure as your weakest link. That bit of wisdom has hit home for Apple Pay of late. Fraudsters have wasted no time finding and exploiting the mobile payment system's weak link to their advantage.

The weak link is not in the transaction side of things. That part, as I've described, still appears to be quite solid, thanks to Apple having taken heed of a myriad of security architectural principles, like keeping the actual credit card account number out of the view of merchants.

What the fraudsters have gone after is the process of installing a credit card into an Apple Pay-equipped iOS device. And that part of the process is implemented by the issuing banks, not by Apple.

In order to use Apple Pay, the user (or the fraudster, it turns out) must enter pertinent information about her credit or debit cards. In addition to the static card information from the user, Apple provides the issuing bank with some low-level information on the user, such as the device's name and location. But when a fraudster gets the card information in conjunction with a hijacked Apple iTunes account, all of that information too can be spoofed, thereby allowing fraudsters to enter their victims' credit card data into an iOS device.

Once the credit card data is entered and accepted (by the banks) into Apple Pay, it becomes as powerful to the fraudster as a physical card. It can even then be used at any of the brick-and-mortar companies that accept Apple Pay because they will think the fraudster has possession of the card. This is a game-changer for the fraudsters and gives them more opportunities than they were previously accustomed to.

See why this is a big deal? Previously, with most stolen credit card account data, fraudsters were largely limited to online transactions and other "card not present" forms of payment. Yeah, they could generate fake physical cards, but that upped the price of attack as well as the likelihood of getting caught.

I've used my iPhone 6's Apple Pay feature dozens of times at merchants where it's accepted, both in-store and online. I've loved the ease of use and the relative safety of my transactions. But that darned weakest link is still a problem for Apple and its credit card bank partners.

When installing several of my credit and debit cards on my iPhone, I noticed immediately that there were subtle but important differences among the cards I use from various banks. For example, I could register some cards by simply entering the information on my cards, while others required a callback to my home phone (presumably using the number known to my banks) to provide me, out of band, with a random number to enter in the process.
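The two registration flows contrasted above, as an added illustration (this is not Apple's or any bank's actual code, and the names, limits and sample values are assumptions): the weak flow accepts a card on static card data plus the device name and location hints, all of which the article notes can be supplied by whoever holds stolen card data and a hijacked account; the stronger flow additionally requires a random one-time code delivered to the phone number the issuer already has on file, and only activates the card when that code comes back unexpired, within an attempt limit, and exactly once.

```python
"""Issuer-side card provisioning check with out-of-band verification.

Added example, not code from the article or from any payment provider.
Constructed sample data only; the TTL and attempt limit are assumptions.
"""
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed: a delivered code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: the challenge is discarded after three wrong codes


@dataclass
class ProvisioningRequest:
    """What the issuer sees when a card is added to a mobile wallet."""
    pan_last4: str        # card identifier (last four digits, for illustration)
    expiry: str
    cvv_ok: bool          # static card data already checked against the card system
    device_name: str      # hint supplied by the wallet platform; attacker-controlled
    device_location: str  # hint supplied by the wallet platform; attacker-controlled


@dataclass
class PendingChallenge:
    code: str
    issued_at: float
    attempts: int = 0


class Issuer:
    def __init__(self, phone_on_file):
        # pan_last4 -> phone number the bank already holds for the cardholder.
        self._phone_on_file = dict(phone_on_file)
        self._pending = {}
        # Record of out-of-band deliveries; stands in for the callback/SMS channel.
        self.sent = []

    def weak_decision(self, req):
        """Flow A: static card data plus platform hints only.

        Every input here can be produced by someone holding stolen card data
        and a hijacked account, so this check does not prove possession.
        """
        return req.cvv_ok and bool(req.device_name) and bool(req.device_location)

    def start_challenge(self, req, now=None):
        """Flow B, step 1: static checks pass, so send a random code out of band.

        The code goes to the number on file, never to contact details supplied
        in the provisioning request. Returns False if no such number exists.
        """
        now = time.time() if now is None else now
        phone = self._phone_on_file.get(req.pan_last4)
        if not req.cvv_ok or phone is None:
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[req.pan_last4] = PendingChallenge(code, now)
        self.sent.append((phone, code))
        return True

    def complete_challenge(self, pan_last4, submitted, now=None):
        """Flow B, step 2: activate only if the code matches, is fresh, and attempts remain.

        A successful or exhausted challenge is deleted so it cannot be replayed.
        """
        now = time.time() if now is None else now
        pending = self._pending.get(pan_last4)
        if pending is None:
            return False
        if now - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[pan_last4]
            return False
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[pan_last4]
            return False
        if not secrets.compare_digest(pending.code, submitted):
            return False
        del self._pending[pan_last4]   # one-time use: success consumes the challenge
        return True


if __name__ == "__main__":
    issuer = Issuer({"4242": "+1-555-0100"})           # constructed sample data
    req = ProvisioningRequest("4242", "12/26", True, "Someone's iPhone", "Spoofed City")
    print("weak flow accepts:", issuer.weak_decision(req))
    issuer.start_challenge(req)
    phone, code = issuer.sent[-1]
    print(f"code delivered to {phone}; activated:", issuer.complete_challenge("4242", code))
```

The point of the stronger flow is not the length of the code but the channel: the random value travels over a path the issuer controls, so the device name and location hints become advisory rather than decisive.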
