When I wrote a couple of weeks ago about Apple Pay security problems (see post), I didn’t really understand the scope of what I was writing about. Thanks to Brian Krebs (see his post), I now understand the problem is bigger than I thought.
Let’s assume that you are a crook and you bought a bunch of credit card numbers on the dark web. How do you monetize this? One way is to go to some web site and buy some stuff with the stolen credit card numbers that you have. Now you need someone stupid enough to be your mule to accept the delivery and give you the merchandise. And that assumes that the merchant does not verify that the delivery address is one that is set up for that card. That also gives the merchant and credit card company a starting point to track you down.
Alternatively, you could go into a store and use the credit card. No one asks for ID, and you don’t have to give a name and address, so that should be safe. Oh, wait, you don’t have a card – just numbers. You could get the equipment – credit card printer and embosser, mag stripe writer. The big guys do that, but it is expensive and you have to know how to do that. Also, the price for the information needed to burn a fake card is way more than just the numbers.
You think for a minute. POOF – APPLE TO THE RESCUE.
You take the stolen credit card numbers and your handy iPhone that you bought earlier with another stolen credit card. You either create a bogus iTunes account or buy a hacked one for $8 retail. You now tie your stolen credit card data to your hot iPhone and voilà, you have a virtual credit card. No fuss, no muss, no bother. You can now go into any store that accepts Apple Pay (like the Apple Store) and buy stuff just like you had the real credit card. You then turn around and sell the stuff for cash.
All of this only works because, as I wrote about in the earlier post, banks don’t do a very good job of validating people prior to linking their account to a phone. They are so worried about offending a customer and missing out on the Apple Pay hysteria that they wind up with a very high level of fraud – right now about 6%, which is, as I said in my earlier post, a great way to go broke since the bank’s fees are nowhere near 6% (more like 2%).
And the bad news is that you don’t even need to be an Apple user to be a victim of this kind of fraud. If your credit card bank supports Apple Pay, there currently is no way to say that you do not want your cards to be linked to Apple Pay.
Apple and the banks will eventually figure this out, but in the meantime, the crooks are making a LOT of money.