Apple Pay fraud stems from retailer data breaches, Apple Store purchases account for 80% of unauthorized buys

According to a report on Thursday, fraudsters are using credit card information gleaned from recent high-profile retail chain data breaches to create Apple Pay accounts, while Apple Stores themselves account for 80 percent of unauthorized transactions.

Citing sources familiar with the matter, The Wall Street Journal reports criminals are purchasing big-ticket items at Apple Stores using fraudulent Apple Pay accounts created in part with credit card data stolen from Home Depot and Target. With the iPhone 6's NFC capabilities, the physical card may not be required for such purchases.

Apple Pay itself has not been breached, meaning customers who have provisioned cards with Apple's service are safe. The bank-side systems on which Apple Pay security is partially reliant, however, are apparently being gamed.

When Apple Pay users first opt to add a credit or debit card, the issuing bank can use a "green path," which immediately provisions the card, or a "yellow path" that requires additional steps to verify a user's identity. A study found the yellow path to be somewhat lenient, with banks asking for information that in some cases is relatively easy to obtain, such as the last four digits of a user's social security number.

Methods of authentication vary from bank to bank, but some institutions require cardholders to verify account details, log into online accounts or speak to a customer service representative. The publication said some banks send out a confirmation text message to a customer's phone, a technique often used by Web-based two-step authentication services.

The report echoes previous claims that Apple Pay bank partners are "scrambling" to stem the tide of fraudulent activity related to supposedly lax cardholder verification procedures. It is unclear what changes are being made on the backend, but it can be assumed that cardholders will soon see more stringent authentication protocols.