Report: Cybercriminals Find Bug in Apple Pay | NBC Southern California

    Criminals are using stolen identities and credit cards on Apple Pay, according to reports.

    While its encryption hasn't been hacked, the cybercriminals have found a bug in the Apple Pay verification process that allows them to "add stolen credit cards to their iPhones," the Verge reported. The problem lies with the banks because a new credit card must be verified by an issuing bank, a step called "green path" authentication.

    Apple sends encrypted data from the card to the bank, but the banks don't have to add any more verification. The "yellow path" requires additional verification with a text or email, and that's where criminals find their exploit. The banks typically require the last four digits of a Social Security number as verification, and that's easy to supply if you've already stolen someone's identity.

    Mobile payments are often a target for credit card thieves because they're an easy way to use stolen credit cards. There's no cashier and no new credit card, and cards can be quickly added to and deleted from phones. The problem is that Apple says it isn't its problem; instead, it's the banks' problem to protect users.

    "Apple Pay is designed to be extremely secure and protect a user’s personal information. During setup Apple Pay requires banks to verify each and every card, and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank," an Apple spokesperson told the Verge.

    Banks have now begun securing their Apple Pay protocols, but it's unknown how many banks are still vulnerable. "At this point, every issuer in Apple Pay has seen significant ongoing provisioning fraud via customer account takeover," Cherian Abraham, a mobile payments specialist, wrote last month. "Fraud in the yellow path is growing like a weed, and the bank is unable to tell friend from foe."