Apple Pay a haven for 'rampant' credit card fraud, say experts

Apple and its banker pals may have inadvertently lowered the barrier to credit card fraud by adding pay-by-wave technology to iPhones, security experts fear. Payment cards can be added to Apple Pay by taking a photo of the card, and allowing a device to run optical character recognition over the image to fill out the long card …


  1. Anonymous Coward
    Anonymous Coward

    thanks Apple, now I'm living the dream!

    You made my life so much better, now I'm rolling in cash.

    A true innovation :)

    laterz xx

    1. Anonymous Coward
      Anonymous Coward

      Re: thanks Apple, now I'm living the dream!

      Blame the banks not Apple. Their lax security procedures are to blame.

      Sadly that won't stop the Anti Apple brigade who lurk here from having a field day.

      Just remember that the article does say the Google Wallet etc will also suffer from this problem.

      1. Anonymous Coward
        Anonymous Coward

        Re: thanks Apple, now I'm living the dream!

        Did I hear............"Anti Apple" ???

        Apple is equally to blame, they are the enabler. They signed up with these banks, they know how the banks operate, they go along with it for profit. Remember, this is "Apple Pay", not "$BANK_NAME Pay". What, you give a kid matches and you have no blame for the fire?

        As far as the article goes, Avivah Litan is way, way, WAY out of the loop. If he ever thought that having just the details was NOT enough, he clearly never read about #CC on Efnet or all the various versions of paypal's ability to add anyone's e-mail to anyone's account (countless other sites work too).

        But, I came for Anti Apple....stay focused! Apple pretends it's now cool to pay with credit cards via the internet. If they would have waited longer than 20+ years, they might have missed the window.

        1. SuccessCase

          Re: thanks Apple, now I'm living the dream!

          Clearly you like trolling. Go walk in yourself.

        2. Steve I

          Re: thanks Apple, now I'm living the dream!

          Is entrusting credit card verification to banks as irresponsible as giving a child matches?

          1. Arctic fox
            Headmaster

            @Steve I: Well, actually old chap, now that you mention it................

            "Is entrusting credit card verification to banks as irresponsible as giving a child matches?"

            ..........it would appear so. Although I also do not have much time for the fact that:

            " These numbers can be entered manually, so physical access to a card is not needed."

            ........was something that Cupertino failed to notice was not the smartest thing that they could be associated with.

            In short, neither the (w)bankers or the fruity company have exactly covered themselves with intellectual glory on this occasion.

            1. Lee D Silver badge

              Re: @Steve I: Well, actually old chap, now that you mention it................

              Although the banks are playing their part, Apple Pay is allowing a photo of a credit card to be used indefinitely as a payment option.

              The banks shouldn't be allowing it, but Apple Pay isn't being blocked by the banks either - so presumably Apple Pay are doing something in order to allow this situation to occur.

              If Apple are relying on the banks to authorise the transaction, they are still storing all that data and - presumably, like Amazon - taking the liability on it to an extent. Notice that Amazon don't put you through the Visa/MasterCard secure schemes where you have to type in codes and verify to the source bank - they are storing your information for 1-click and then taking the hit on fraud themselves.

              Presumably, Apple are doing the same here OR have negotiated their way out of liability with the banks.

              Seriously, people, all that Chip-and-PIN stuff that the EU fought for for years? It's worthless here. We're still doing transactions with just the card number. Do they even use the CCV code on the back of the card?

              If the number is enough (and it appears so for Amazon and Apple Pay) then the Chip & PIN stuff is worthless, even if the liability is shifted from the card issuer to the retailer. If the number isn't enough, Apple Pay wouldn't be able to operate as they are doing - and nor would Amazon. If the number is enough but liability is pushed to Apple, then it's partly Apple's fault for allowing this to happen for the sake of simpler business processes.

              1. Badvok

                @Lee D: Amazon <> Apple Pay

                I wouldn't really compare Apple Pay with Amazon in their use of number only.

                With Amazon you have to have an account, perhaps with dodgy details but you do typically need to get stuff delivered somewhere (well except the digital stuff though I doubt crims would bother with stuff they couldn't fence). With Apple Pay you can walk into a store, buy real stuff and walk out without anyone the wiser about who you really are.

              2. jai

                Re: @Steve I: Well, actually old chap, now that you mention it................

                As it says in the article: It is lax customer verification controls by banks rather than any inherent security weaknesses with Apple Pay

      2. eSeM

        Re: thanks Apple, now I'm living the dream!

        "Just remember that the article does say the Google Wallet etc will also suffer from this problem"

        No it doesn't.

        HTH

    2. Anonymous Coward
      Anonymous Coward

      Re: thanks Apple, now I'm living the dream!

      @first AC post. Do something useful with your life. Go back to Russia and hold up a pro-democracy anti-Putin placard. Preferably outside the Kremlin.

  2. Anonymous Coward
    Anonymous Coward

    Yawn...

    Easy fix - don't activate NFC for a week until the bank can send a snail mail confirmation letter.

    ...or is this only a problem because banks really, really want it to be?

    1. Bronek Kozicki

      Re: Yawn...

      And how exactly would that protect you?

      1. returnmyjedi

        Re: Yawn...

        Yoda?

      2. This post has been deleted by its author

      3. DragonLord

        Re: Yawn...

        If the bank sent a snail mail letter to the account holder's address with a code attached, then the owner of the card would a) know it was stolen and b) be able to prevent the card being added to Apple Pay. If the hacker wants to get round this then they need to intercept the letter. At which point it's no longer a remote attack.

  3. Stevie

    Bah!

    Goddammit! The social security number is not to be used for identification purposes other than by the social security administration. How many times do the witless f*ckers in banking IT need to have that screamed at them? And then, having decided to ignore that stricture, to only use less than half the digits?

    Jesus f*cking Christ on a bike.

    How in f*ck's name could this level of stupid be deployed in this day and age in light of what we as an industry have learned regarding electronic banking and the methods to subvert them?

    To paraphrase the short guy from Game of Thrones:

    Hands. Coal hammers.

    1. PacketPusher
      Megaphone

      Re: Bah!

      It seems to me that the problem, in the US at least, is that the banks are not financially responsible for fraud. If fraud is claimed, the money is taken back from the vendor. The banks do not have an incentive to do a good job of verifying the user.

      1. P. Lee

        Re: Bah!

        Surely this is the same as a "cardholder not present" transaction.

        If you accept that kind of transaction, the vendor takes the extra risk.

        Not recommended if you can avoid it.

      2. Bob Dole (tm)

        Re: Bah!

        Banks everywhere have proven to "not be financially responsible". Period.

      3. Sam Liddicott

        Re: Bah!

        Maybe that is the scam! A way for apple to bring those billions back into the USA and avoid tax?

        Apple agents would also be the "scamming party" that scams Apple. The foreign fund holding division would make a loss as it refunds fraudulent payments in the USA from foreign held funds.

        Someone else work out the detail for me.

    2. hypernovasoftware

      Re: Bah!

      The reason so many companies use the ssn as the key to their databases is that they know they are guaranteed to be unique and the IT departments are too damn lazy to create their own indexes using some other data.

      1. jonathanb Silver badge

        Re: Bah!

        That's fine, but the Social Security Number should be treated as a name, not a password.

      2. wikkity

        Re: Bah!

        Sure use an ssn for identification but not _proof_ of identity, that's hardly any different to asking them to confirm their name.

      3. Stevie

        Re: SSN Guaranteed Unique

        In what alternate universe are Social Security Numbers "guaranteed to be unique"?

        Not in this one they ain't. I work at the sharp end of this and can state from actual knowledge gained at the expense of much pain, suffering and cries of "why me?" that the SSN is far from being guaranteed unique.

        Even if you discount the possibility of fraudulent SSN coinage, latency in the SSA's system can cause perfectly legitimate applications to be granted the same number, or could, 15 years ago. To design systems that use SSN as a unique identifier is to be shown to be the sort of IT professional who should be forced to wear very large shoes on their feet and a red rubber ball on their nose.

        I would hope that the latency issues have been addressed in the 15 years since I last investigated this, but nowhere will you find a statement to the effect that the SSN may be used by every Tom, Dick and Harry as a unique identifier without let or hindrance.

    3. JayKay

      Re: Bah!

      Precisely! These banks take the piss. I worked for an investment bank a few years ago... 2 days after starting I received an email from my manager telling me to put all my passwords in the Macro enabled Excel spreadsheet that was attached and upload to an SMB Share for "backup purposes". No S/MIME, nothing.

      I resigned the following week. Pathetic.

      1. jzlondon

        Re: Bah!

        You resigned? That was mature and productive and really showed them how to fix their issues. Well done you.

  4. Mark 85

    I see some poetic justice in this...

    The implementation has, shall we say, issues. So the crooks are using the iPhone to rip off Apple in order to rip off banks, private citizens, etc. The poetic part is using a product to rip off the maker.

    The problem still boils down to the banks. IF they were serious, you'd take your phone and proper ID into the bank for verification. But that might inconvenience some users, right? It also wouldn't let the bank off the hook when it's bailout time. Once again, users/taxpayers/honest citizens are screwed by the few and the mighty.

  5. hypernovasoftware

    Nice click-bait headline.

    It should read Banks lax security.

    It has nothing to do in particular with Apple Pay.

    Haters gonna hate as they say and the Reg has plenty.

    1. MrDamage Silver badge

      Apple deserves its share of the blame

      In the past, they have not been afraid to dictate to both users and companies alike, exactly how they are to do business with Apple.

      If Apple release this form of payment method without demanding a high threshold of identification and verification parameters to be able to use this service, then they are just as much to blame as the banks.

      And yes, I would say the exact same thing about google wallet if they allow such lax measures to be used for verification.

    2. phuzz Silver badge
      Joke

      The crook still has to buy an iPhone for this to work. Just saying ;)

      1. 080

        Cook Scams The Crook

        "The crook still has to buy an iPhone for this to work"

        You really have to admire Apple, they don't miss a single opportunity. But why use an expensive smartphone instead of a very small and conveniently carried piece of plastic with no need for charging?

  6. Ian Joyner Bronze badge

    ApplePay is very secure

    ApplePay is far more secure than carrying your credit card around in your wallet. It is far less likely for fraud due to the inbuilt security mechanisms.

    However, fraudsters will always try different ways - and these apply to any contactless payment, not just ApplePay (just Apple is so visible, putting Apple in a headline makes for a good headline).

    If fraudsters access a retail vendor's server database it is the fault of the vendor who are in turn a victim of the fraudsters.

    However, loading it on to a smart phone is a risk to the fraudster since it is more likely to be tracked (as in Find My iPhone). Maybe those anti-fraud measures are not in place at the moment, but it is easy to see that the backend could be tightened up in this way. No need for FUD against ApplePay, thanks.

    1. Mr.Mischief

      Re: ApplePay is very secure

      I don't get how Apple Pay is more secure than carrying your credit card in your pocket.

      With my card, it's a physical card, it has my signature, chip and a PIN number to verify that it is in fact me using a physical card.

      With Apple Pay, the physical card is not present. It looks like all you need is a PHOTO of the card to load it into Apple Pay, and the SSN's last four digits.

      To compare, that would be like me giving the card to a friend along with the PIN number and telling them to go buy something for me.

      I'm sure all contactless payment systems may have the same problem, although it seems that Paypal and Google Wallet may not have had it to this extent. This could be either due to Google's registration process or through low usage. I don't know how rampant fraud was with GW.

      I guess "ease of use" and "ease of fraud" go hand in hand

      1. Ian Joyner Bronze badge

        Re: ApplePay is very secure

        "I don't get how Apple Pay is more secure than carrying your credit card in your pocket.

        With my card, it's a physical card, it has my signature, chip and a PIN number to verify that it is in fact me using a physical card."

        The physical card can easily be stolen. If they steal your iPhone, they need your finger print to access the credit information. ApplePay is more secure than physical cards.

        "I guess "ease of use" and "ease of fraud" go hand in hand"

        No that is absolutely not true.

        1. PassiveSmoking

          Re: ApplePay is very secure

          It can also easily be cloned. All that data in the magnetic strip and onboard chip is very poorly protected and duplicating it all onto a blank card is child's play once you've got a copy of the data. The only bit that's not easily copied is the signature, and any competent fraudster should know how to forge a signature too. Not that anyone ever looks at the signature on the card any more, even when it's not a CNP transaction.

          1. Anonymous Coward
            Anonymous Coward

            Cloning the "chip"

            Got any references to this? You can't just read it via NFC, the chip is a tiny CPU and contains a private key you can't access. OK, you can probably use an electron microscope to read the chip if you know what you're doing and, you know, have an electron microscope, but if you're able to do that you can probably commit some more lucrative crimes instead of wasting your talents on card cloning.

      2. Ian Joyner Bronze badge

        Re: ApplePay is very secure

        "I guess "ease of use" and "ease of fraud" go hand in hand"

        I'll address that another way - making systems hard to use is security by obscurity and that is known not to be a good security strategy. Excellent security systems are also simple and provide ease of use. Apple has really excelled on that count with ApplePay.

      3. Anonymous Coward
        Anonymous Coward

        @Mr.Mischief

        Since Apple Pay is only in the US, you need to realize that in the US there is no "chip" and no "PIN" on a credit card number. It is processed with your signature alone. They'll take ANY scribble at all, they don't look at it and never check the signature on your card - I can say that for sure since I've never signed my cards! When you sign for a charge in person, it is considered "card present". If you phone in or web in an order there isn't a signature, so they ask for the three digit "security" code that's on the back of your card but not encoded in the mag stripe. That's "card not present" and the retailer pays a bigger cut for that type of transaction since fraud is more prevalent.

        What the article is talking about is that getting someone's card number is enough to enter it into Apple Pay, and those transactions are considered "card present". I suppose they could bump up the security a tiny bit making you enter the three digit code so you have to actually have the card (in theory) but that's not going to help much since such info is readily available from all the online retailers that have their databases cracked and contain millions of customer card numbers & codes.

        The best solution is what someone suggested above. In order to activate Apple Pay, the credit card company has to send you a snail mail letter to your billing address with a code that needs to be entered to activate the card in Apple Pay. That would make it less convenient and get rid of the instant gratification, but it would avoid the possibility of card numbers stolen online being used in this manner.

      4. OllyL

        Re: ApplePay is very secure

        I disagree somewhat with your conclusion there...

        I'd be interested in a quick straw-poll of the commentators on here to see how many have actually used Apple Pay.

        I'd be willing to wager I'm one of the few. I use Wells Fargo for my main credit/debit cards. When I got an iPhone 6 (in the UK incidentally), part of the setup noticed that the cards were iPay compatible, and would I like to use them. Once I'd done that I got an email from Wells Fargo telling me that someone had asked to add them to an Apple ID for use with iPay (I forget if it included the account details/phone #, but I'm due a new credit card soon, so I'll report back if I remember). I had to sign into the online banking, and run through additional security procedures before Wells Fargo would authorize the cards to be used with my iPhone (more than just the username/password to get into the online banking). Because the wife hadn't used her online banking in a long time, the bank actually insisted that she called up

        Another thought too, they'd have to be a fairly well heeled criminal to do this, as I'm sure if the transactions were flagged as suspect, then you'd lose the apple account and (one would assume) the iPhone attached to it...

      5. Mike Bell

        Re: ApplePay is very secure

        I don't get how Apple Pay is more secure than carrying your credit card in your pocket

        But you don't just carry the card in your pocket, do you. You get it out and, typically, stick it into a reader where you start typing your PIN. Your PIN can easily be sniffed by someone watching over your shoulder, or putting the card in a compromised reader. Your card/PIN can be cloned and used quite happily in parts of the world where they don't use Chip & PIN yet.

        Apple Pay uses secure tokens to ensure that your credentials are never divulged to anyone. Ergo: more secure.

        1. Michael Wojcik Silver badge

          Re: ApplePay is very secure

          "More secure" is a meaningless phrase outside the context of a threat model; ergo the posters making these claims don't know what they're talking about.

          1. Ian Joyner Bronze badge

            Re: ApplePay is very secure

            Did you just say anything? No just the spurious and wrong claim that I don't know what I'm talking about.

        2. Ian Joyner Bronze badge

          Re: ApplePay is very secure

          "Apple Pay uses secure tokens to ensure that your credentials are never divulged to anyone. Ergo: more secure."

          That's exactly right Mike. When you put a credit card in a reader, your numbers can be skimmed. With ApplePay, the iPhone does the job of the reader, validates you by your finger print, only unique numbers to do with the transaction are passed to the bank encrypted.

          Much safer than using your credit card. These stories really are FUD against ApplePay (and by that I could probably say Google Wallet and others).

          In the US they still use magnetic stripes and not even on-card chips, which are much harder to copy than mag stripes. So the US is way behind in security.

    2. Richard Jones 1
      FAIL

      Re: ApplePay is very secure

      Some years ago back in the mid 1990s I met with credit card companies on a project that was being developed. There were two issues then: limited imagination and the huge cost and near impossibility of adding security functionality to the streaming processes then used. I am pretty sure that number two still exists and we can see (1) being exhibited now. I am amazed that people were not aware that all this talk of 'very secure' is frankly hogwash - it is with all systems. Make a more secure anything and people will look for the easy way round the security. This is no exception. I suspect that the first error was to major all efforts on one device/method of initial verification. After that it was to allow a basically insecure method to 'verify' the veracity of the set up. If you do not employ a bit of lateral thinking and periodic re-verification your security will be breached. This is a consumer product so one perceived need is an easy ride for the user, but easy rides always come with costs. The CVC code is pretty weak, and even the secondary card not present checks are not hugely strong, but at least they are better and can be updated if/when needed via an established route.

      Frankly I do not care who allowed this to come about, the banks, apple, the man in the moon, or whoever, it makes no difference. It is still like making a secure vault with thick walls and armoured locks and having an unsecured air-conditioning duct or a plywood roof (it's safe at 10 feet off the ground). The product is end to end and the weakness is where ever and when ever it is found.

      The risk to the well organised fraudster is zero, phone cost is a few units of currency, (probably paid for with a stolen card), load it, use it for a few days make money, dump phone, bingo.

  7. JayKay

    As always the banks are the weakest link. You only need the last 4 digits of a widely available and insecure number to register a card.

    Blame the banks, this is an absolutely outrageous flaw in their registration process.

  8. Bob Dole (tm)

    Yawn...

    An article about bankers and lax controls around money. Who'd have thought the very people entrusted with our hard earned dough would overlook things like proper security. Only a few million in losses you say? Lol. Let us know when it's reached billions. That'll be a story and likely when bankers actually do something.

  9. a_milan

    Banks (and Apple) must be accountable for fraud

    As nicely pointed out by Bruce Schneier a while ago (https://www.schneier.com/crypto-gram/archives/2005/0415.html#2), until the financial institutions are held accountable for fraud, there won't be an incentive for them to build proper user data protection and identity verification.

    In this case Apple should take some share of responsibility but it seems their mechanism is reasonably safe, and far above what banks are doing.

    1. Mike Bell

      Re: Banks (and Apple) must be accountable for fraud

      Apple should take some share of responsibility

      They do. In return for their tiny cut on the transaction fee, Apple do take on partial liability, so it has been reported.

  10. Steve I

    Who's to blame..

    The Bank of England have been slammed that their new banknotes allow rampant fraud, banking experts are claiming.

    The problem is that whilst the notes themselves contain various security measures and are hard to copy, banks are being lazy and not checking the notes presented to them carefully enough and consequently are allowing people to deposit Monopoly money.
