It appears that the latest method of choice for fraudsters in the US is to use Apple Pay, with this type of fraud said to be significantly on the increase. Brick-and-mortar stores are favored because there is less time for the more stringent checks carried out by online retailers; ironically, Apple stores are being targeted for their desirable, high-value luxury products.
The issue stems from the point in the process at which an Apple partner bank verifies the identity of a customer when a request is made to add a card to Apple Pay. Reports say that this process is not always rigorous enough, and fraudsters have been able to take advantage of this when using stolen credit cards and stolen personal information.
The Apple support page that covers Apple Pay states: “When you add a credit or debit card to Apple Pay, the information that you enter on your device by typing or using the iSight camera is encrypted and sent to Apple servers. If you use the camera to enter the card information, the information is never saved to the device or stored to the photo library. Apple decrypts the data, determines your card’s payment network, and re-encrypts the data with a key that only your payment network can unlock. Then it sends the encrypted data, along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”
Banks use three different options for customer verification: the “green path”, the “yellow path” and the “red path”. The “green path” is taken when the bank has no concerns or suspicions about the card; this option allows immediate approval. The “yellow path” is used when the bank may have some concerns and requires further checks before verification is confirmed. The “red path” is used when a card is declined. The problem occurs when the “yellow path” is used: it seems the banks are often not requesting enough information, in many instances asking only for details that criminals can easily obtain, which results in fraudulent cards being approved.
It is easy enough to place the responsibility for this problem squarely on the shoulders of the banks, but many are suggesting that Apple should take its share of the blame. The “yellow path” was initially an optional process for banks; Apple changed its mind and made it mandatory only four weeks before the launch of Apple Pay, giving the banks little time to implement the required security measures.
This kind of fraud is reported to have reached millions of US dollars, with the issuing banks liable as part of their Apple Pay agreement.