Apple Pay has proven to be a venue of convenience for criminals focusing on identity fraud, a new report suggests, with many fraudsters taking advantage of lax customer verification controls put in place by Apple's partner banks to make brick-and-mortar purchases using stolen credit cards via the growing mobile payment service.
Apple Pay itself has not been exploited, according to The Guardian, with issues instead arising at the issuing banks. The problem centers around the processes those banks use to verify customers' identity when adding a card to Apple Pay.
When adding a card, banks can reportedly choose to accept it immediately — using a so-called "green path" — or require additional verification, via a "yellow path." Apple provides the banks with contextual information, such as the name of the device Apple Pay is being configured on, the device's current location, and data about the length of iTunes transaction history, during setup to help identify cases where more stringent checks are required.
The yellow path processes have apparently been found lacking in some cases, with unnamed partner banks asking only for relatively easily-obtainable information, such as the last four digits of the customer's social security number. Once approved, criminals can then use Apple Pay to purchase products at retail, later selling them for cash — with Apple retail stores apparently a particularly attractive target.
Apple is said to have initially made the yellow path optional for banks, changing its mind to require such a process less than one month before Apple Pay's debut. That left banks little time to sort out a solution, with many falling back to call center-based procedures.
As part of their Apple Pay agreements, issuing banks agreed to accept liability for fraud through the platform. Thus far, that amount is thought to have risen into the millions of U.S. dollars, and banks are working on fixes.
"These are probably just some teething problems," Tim Sloan, an executive at financial consultancy Mercator Group, told the paper. "If the banks can nail down the authentication, they should see less fraud on Apple Pay," he continued, adding that "battle plans always look great until you meet the enemy."