Scammers may not be able to hack into your phone — but they may not need to.
They can just buy their own.
It turns out Apple Pay, touted by Apple as a system that would "change the way we pay for things," has a critical weakness, and it is not in the payment itself: it is the "provisioning" step, in which a credit card is enrolled on an iPhone.
"Fraud in Apple Pay … came as a surprise to all," mobile payments specialist Cherian Abraham wrote on his blog late last month. "Tokenization, [o]n-device secure storage and biometrics separately and together are formidable, but the soft underbelly proved to be provisioning of cards in to [Apple Pay]."
Rather than defeat the protections Apple Pay applies to a card once it is on a phone, fraudsters are setting up brand-new iPhones under stolen identities, then calling the card-issuing banks directly to have the victims' cards added to those phones.
Banks, which often verify a caller's identity with nothing more than the last four digits of a Social Security number, have been approving cards on those fraudulent phones, and industry insiders estimate the scheme has already netted scammers millions, the Guardian reported.
“At this point, every issuer [bank] in Apple Pay has seen significant ongoing provisioning fraud via customer account takeover,” Abraham said.
An Apple spokesman defended the company's role in the design and implementation of Apple Pay, noting that banks have the ultimate responsibility of adding cards to phones.
“Apple Pay is designed to be extremely secure and protect a user’s personal information,” the spokesman told the Guardian. “During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.”
But with identity verification still lax at many financial institutions, some 2 million people using Apple Pay, and more than 6 million Social Security numbers stolen each year (often along with credit card information), the likelihood of continued fraud through Apple Pay's "soft underbelly" seems very high.
Follow Zach Noble (@thezachnoble) on Twitter