According to mobile payments expert Cherian Abraham, fraud on Apple's mobile payment platform – Apple Pay – is rampant. However, Apple's hardware and software security measures remain intact; the issue at the heart of most fraud cases is social engineering.
When getting started with Apple Pay, consumers can take an image of their card, allowing the app to scan the required details. However, they can also manually enter the details, which is where criminals have started focusing their attacks.
The card details, along with other information related to the iTunes account (device name, current location, transaction history), are forwarded to the bank. At this point, the bank can choose to authorize the card for Apple Pay, or require additional information.
Since the technical security controls are tough to crack for the average crook, they've taken to targeting the weaker parts of the system, including the provisioning channel.
Issuers sort provisioning requests into three paths. Cards that are automatically approved fall on the green path; cards on the red path are simply declined. For everything in between, Apple required banks and card issuers to develop a system of additional checks and fraud protection called the yellow path.
The yellow path was originally optional, but Apple made it mandatory a month prior to the Apple Pay release. Depending on the card issuer, the yellow path can include a number of different checks, including a conversation with someone at a call center, authentication with the bank's mobile app, or a second factor delivered out of band.
Yet, when the Apple Pay roll-out started, because the yellow path was optional, card issuers didn't give it much attention. After it became mandatory, there was a scramble to meet the requirements, leaving gaps for criminals to target.
Most card issuers have leveraged existing fraud checks and metrics, including the use of call centers for additional verification, and that's where the problem is.
"At this point, every issuer in [Apple Pay] has seen significant ongoing provisioning fraud via customer account takeover... Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe," Abraham wrote.
According to his post on the topic, there are crime rings operating in Miami and Dallas that are giving pre-provisioned Apple Pay devices to mules. The mules will use them to buy easily converted items from Apple Pay retailers, including Apple itself.
"What was surprising to hear was how many times Apple stores themselves popped up as the store of choice for the fraudster – and yet unsurprising, due to its nature as a luxury retailer. There is a certain irony in one compromised Apple Pay device paying for another – only to be drafted subsequently into the fraudster's service," the post explained.
According to John Zurawski, vice president of marketing at Authentify, a company that deals with out-of-band and multi-factor authentication, thirty percent of cross-channel fraud can be traced back to the call center for a given financial institution.
"The call center is typically there to resolve an issue – not do any banking. In the Apple Pay fraud discussed, the fraudsters must be calling the call center, convincing someone to add an Apple iPhone 6 or better to an account, and asking to activate Apple Pay. The actual Apple Pay activation is initiated between Apple and the Bank. Apple passes to the Bank a person’s stolen credit card info, including the details backing their iTunes account," he said.
Targeting the weakest point in the security chain, criminals have bypassed the technical protections developed by Apple and turned their schemes towards the people managing the back end processes.
Call centers work on volume, and operators don't have time to vet every caller to make sure they aren't being socially engineered. If the caller has all of the correct information, the operator treats that as solid authorization.
Given that the details required can be obtained from public records or bought on a criminal market in the aftermath of a data breach, the barrier to entry for this kind of fraud is low, and the return is rather high.
Yet unless banks and card issuers stop accepting static personal information as a form of authentication, such as the last four digits of a Social Security Number, a birth date, or a mother's maiden name, this attack vector isn't going to go away.
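To make the two points above concrete, here is an added example (not code from the article, Apple, or any issuer) of an issuer-side provisioning triage that routes a request onto the green, yellow or red path from the signals the article says accompany it (device, current location, iTunes account age and transaction history), adds a per-device velocity check for the "many cards onto one mule device" pattern, and then contrasts two yellow-path step-ups: a call-center style knowledge-based check, which breached data satisfies just as well as the real cardholder does, and an out-of-band confirmation in the bank's enrolled mobile app, which the fraudster cannot complete. The scoring thresholds, the `device_id`, the ZIP-prefix comparison and all sample records are constructed assumptions for illustration.

```python
"""Hypothetical issuer-side triage for Apple Pay card provisioning.

Constructed example: thresholds, identifiers and sample data are assumptions,
not Apple's or any bank's actual logic.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ProvisionRequest:
    """Signals forwarded with a provisioning request (per the article)."""
    device_id: str          # assumed stable per-device identifier (hypothetical)
    device_zip: str         # current device location, reduced to a ZIP code
    account_age_days: int   # age of the iTunes account
    account_tx_count: int   # prior transactions on the iTunes account
    requested_at: datetime


@dataclass
class CardRecord:
    """What the issuer already holds for the cardholder (constructed)."""
    pan_last4: str
    billing_zip: str
    kba: dict               # static knowledge-based answers on file


@dataclass
class Triage:
    """Issuer-side state: recent provisioning attempts per device."""
    seen: dict = field(default_factory=dict)   # device_id -> [timestamps]
    velocity_window: timedelta = timedelta(hours=24)
    velocity_limit: int = 3                    # cards per device per window

    def route(self, req: ProvisionRequest, card: CardRecord) -> str:
        """Return 'green', 'yellow' or 'red' for one provisioning request."""
        now = req.requested_at
        recent = [t for t in self.seen.get(req.device_id, [])
                  if now - t <= self.velocity_window]
        self.seen[req.device_id] = recent + [now]
        # Too many distinct cards landing on one device is the mule pattern:
        # decline outright rather than push it onto the (weak) yellow path.
        if len(recent) + 1 > self.velocity_limit:
            return "red"
        score = 0
        if req.device_zip[:3] != card.billing_zip[:3]:
            score += 2      # device far from the billing address
        if req.account_age_days < 30:
            score += 2      # freshly created iTunes account
        if req.account_tx_count == 0:
            score += 1      # no purchase history to corroborate identity
        if score >= 4:
            return "red"
        if score >= 2:
            return "yellow"
        return "green"


KBA_FIELDS = ("ssn_last4", "dob", "mothers_maiden_name")


def kba_step_up(card: CardRecord, answers: dict) -> bool:
    """Call-center style check: passes for anyone who knows the static facts."""
    return all(answers.get(f) == card.kba.get(f) for f in KBA_FIELDS)


def out_of_band_step_up(card: CardRecord, app_confirmed: set) -> bool:
    """Step-up completed inside the bank's enrolled mobile app; `app_confirmed`
    is the set of pan_last4 values the legitimate app has approved (constructed)."""
    return card.pan_last4 in app_confirmed


def demo() -> dict:
    """Route a genuine request and a mule request, then compare step-ups."""
    card = CardRecord("4242", "33130", {"ssn_last4": "1234",
                                        "dob": "1980-01-01",
                                        "mothers_maiden_name": "Smith"})
    t0 = datetime(2015, 3, 1, 9, 0)
    owner = ProvisionRequest("dev-owner", "33131", 900, 250, t0)
    mule = ProvisionRequest("dev-mule", "33125", 5, 0, t0)   # same city, fresh account
    triage = Triage()
    results = {"owner": triage.route(owner, card),
               "mule": triage.route(mule, card)}
    # Breached data answers the KBA questions exactly as the cardholder would.
    breached = dict(card.kba)
    results["kba_passes_attacker"] = kba_step_up(card, breached)
    results["oob_passes_attacker"] = out_of_band_step_up(card, set())
    results["oob_passes_owner"] = out_of_band_step_up(card, {"4242"})
    return results


def velocity_demo() -> list:
    """Four different cards provisioned onto one device within an hour."""
    triage = Triage()
    t0 = datetime(2015, 3, 1, 9, 0)
    routes = []
    for i in range(4):
        card = CardRecord(f"000{i}", "33130", {})
        req = ProvisionRequest("dev-mule", "33125", 5, 0, t0 + timedelta(minutes=i))
        routes.append(triage.route(req, card))
    return routes


if __name__ == "__main__":
    print(demo())
    print(velocity_demo())
```

The mule request lands on the yellow path, where a KBA step-up waves it through because the attacker bought the same answers the cardholder would give; only the out-of-band step-up, bound to something the fraudster does not hold (the enrolled app), distinguishes the two. The velocity check is the kind of signal the article's crime rings would trip, since one device provisioning card after card has no legitimate explanation.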