Experts point to Apple Pay’s vulnerabilities

04 Mar 2015

Apple and its banking associates might have made life easier for fraudsters by adding pay-by-wave technology to iPhones, security experts fear.

It is possible to add payment cards to Apple Pay by taking a photo of the card and allowing the device to run optical character recognition over the image to fill out the long card number, expiry date and other details. The fact that the numbers can also be entered manually obviates the need for physical access to cards.

After a credit or debit card is added to an iPhone's Apple Pay, the details are encrypted and forwarded to banks along with records on the user's iTunes account activity, transaction history and physical whereabouts, as explained on the Apple Pay support page.

The records are used by banks to decide whether to approve the addition of a card to Apple Pay or to request further checks over a follow-up phone call to ensure people did not add stolen cards to Apple Pay.

The issue was that a number of US lenders had made this verification easier than it needed to be by only asking callers to prove their identity using the last four digits of their social security number.

Meanwhile, some financial institutions have reported an increased number of frauds on Apple Pay as criminals took advantage of vulnerabilities in the verification process when users added a credit card. Lenders are now working to secure the verification process right away.

A spokesperson for Apple did not comment on fraud rates, but said the programme was "designed to be extremely secure and protect a user's personal information."

The weakness did not arise at Apple's end, but in the process of a user adding a card. The verification process where banks added their cards to Apple Pay could, at times, be very lenient, while the criminals who exploited the method were highly sophisticated, say experts.