Apple Pay Stung by Low-Tech Fraudsters

The headline makes it sound much worse than it is for Apple.

Apple Pay itself was not really hacked. Instead what we learn in the articles that have appeared in the press over the last week, is that stolen credit cards as far back as the Target Stores breach, have not been revoked by credit card issuers. Their rationale was that it was cheaper to absorb the fraud than to replace all of those millions of credit cards. Apple pay is a secure platform, but if someone uses a stolen credit card on it and impersonates the owner, Apple will have no way of knowing that the credit card is no longer legitimate, since the credit card issuer never canceled the card.  Security is only as strong as its weakest link.

I am reminded of when I first started working in the financial services industry. I was familiarized with all sorts of rules and regulations, secure software, and encryption techniques. And then I was told that the most common and successful form of fraud was for a criminal to call up and impersonate an account holder on the phone, explain some difficult circumstances, and ask for funds to be released. The phone call was often followed up with a fax, to make things seem even more legitimate. An ambitious criminal would make several carefully placed calls each week, until their name was well known throughout one of the bank’s departments. Each time they would call or fax they would mention the names of bank colleagues and make it seem as if they already had permission to withdraw the money and that you were the obstacle. These “social” methods are still one of the most common ways of perpetrating a fraud.

In our particular case here, the criminals are relying on the fact that card issuers have not canceled the cards, and identity related facts of the cardholders can be obtained either through phishing or social methods. Until credit card issuers cancel all of the compromised cards still in the marketplace, fraudsters will have an easy time of making a living. A good strategy for combating fraud is a comprehensive one.