Fraud cases raise question of whether Apple Pay is secure

An Apple executive demonstrates the Apple Pay mobile payment system at a Whole Foods store in Cupertino, Calif. AP

A sharp rise in reports of fraudulent Apple Pay transactions is now raising questions about the security of the first mobile payment system to find a measure of popular success.

One mobile analyst, Cherian Abraham, estimated that as much as 6 percent of Apple Pay purchases are completed with stolen credit cards, or 60 times the rate of the old-fashioned plastic swipe.

The problem is Apple Pay might be too simple to set up, security analysts said. Fraudsters have been loading stolen cards onto iPhones to buy things at stores. As it turns out, it might have been better if Apple Pay required users to do more to prove their identities when they sign up for the service, these experts said.

Launched in October, Apple Pay was billed as simple to use, and the universe of stores and banks accepting the service has been growing steadily. Bank of America said customers added 1.1 million of its credit and debit cards to Apple devices in the first two months of Apple Pay.

But reports of fraud are giving retailers and banks pause.

“The issuers were probably so eager to be involved that they kind of forgot best practices and sidestepped some procedures they normally would’ve had (in order) to accept Apple Pay,” said Michelle Evans, senior analyst for consumer finance at market research firm Euromonitor.

The essential problem with Apple Pay is the setup, security analysts said. Users need only to open the app on their smartphones and enter a credit card number, the expiration date, and the three- or four-digit verification code. That information is instantly sent to Apple, which rates consumers as safe or risky. The bank or company that issued the card is also notified and has ultimate say on whether to reject a user.

Compared with traditional credit cards, Apple Pay does not do enough to weed out bad consumers from good ones, security analysts said.

“Apple Pay is designed to be extremely secure and protect a user’s personal information,” Apple said in a statement. “During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.”

Others say the cases of fraud are more an early growing pain than a major problem for Apple Pay.

“This is more of an implementation issue than it is with the technology itself,” said cybersecurity blogger Brian Krebs. Apple’s technical strategy is a “sound one and is a much better approach than relying on these insecure stripes” on plastic cards.