A U.S. district judge has sentenced a 30-year-old Miami resident to over four years in federal prison for his part in a criminal enterprise that leveraged Apple Pay to make more than $1.5 million in purchases using victims' credit cards.
Daniel Butler and three accomplices obtained at least 477 credit card accounts, later linking them to Apple Pay on their iPhones, according to a statement released by the U.S. Attorney's Office on Friday.
According to a separate indictment of co-conspirator Max Johnny Wesley, filed with the U.S. District Court for the Middle District of Florida in 2018, members of the group would call credit card issuers and pose legitimate card holders, enabling access to and control over the credit card accounts in question. This method was likely used to provision each card in Apple Pay.
Starting in 2015, Butler and other members of the group began to make purchases via Apple Pay, skirting the need to present a physical card to retail staff for inspection. Whether the scheme was implemented to purchase goods online is unknown.
In total, the group made over $1.5 million in fraudulent purchases, according to the announcement.
U.S. District Judge Brian J. Davis sentenced Butler to 54 months in federal prison for conspiracy to commit wire fraud and identity theft. In December 2018, Wesley was sentenced to four years in federal prison. Rachel Bishop and Laurent Pierre Louis, also implicated in the plot, are scheduled for sentencing in December.
The group's activities match closely with a string of fraudulent purchases first reported in March 2015, some two months after Butler, Wesley, Bishop and Louis began their illicit venture. At the time, reports claimed criminals were purchasing big-ticket items at Apple Stores and other retailers using fraudulent Apple Pay accounts created in part with credit card data stolen from Home Depot and Target. Credit card information was subsequently added to Apple Pay on iPhone 6 devices and used to complete purchases at NFC point of sale terminals.
Shortly after Apple Pay launched, Apple's bank partners were sent "scrambling" to quash a rash fraudulent activity stemming from overly lax cardholder verification procedures. While Apple Pay is designed for a secure user experience, Apple itself is not in charge of credit card verification, a task that falls on the shoulders of issuing banks.
When the service debuted, financial partners sent customers down two verification paths: a so-called "green path" that immediately provisioned a card without further inspection or a "yellow path" that required additional steps to verify a user's identity. Though the yellow path was intended to provide additional safeguards against fraud, a study in 2015 found it to be somewhat lenient, with banks asking for information that was relatively easy to attain.
Many issuing banks have amended their respective guidelines to default to a more stringent user verification process. For example, some issuers mandate Apple Pay customers call banking staff to answer a panel of questions before a credit or debit card is provisioned for use.