back to article Apple Pay a haven for 'rampant' credit card fraud, say experts

Apple and its banker pals may have inadvertently lowered the barrier to credit card fraud by adding pay-by-wave technology to iPhones, security experts fear. Payment cards can be added to Apple Pay by taking a photo of the card, and allowing a device to run optical character recognition over the image to fill out the long card …

  1. Anonymous Coward
    Anonymous Coward

    thanks Apple, now I'm living the dream!

    You made my life so much better, now I'm rolling in cash.

    A true innovation :)

    laterz xx

    1. Anonymous Coward
      Anonymous Coward

      Re: thanks Apple, now I'm living the dream!

      Blame the banks not Apple. Their lax security procedures are to blame.

      Sadly that won't stop the Anti Apple brigade who lurk here from having a field day.

      Just remember that the article does say the Google Wallet etc will also suffer from this problem.

      1. Anonymous Coward
        Anonymous Coward

        Re: thanks Apple, now I'm living the dream!

        Did I hear............"Anti Apple" ???

        Apple is equally to blame, they are the enabler. They signed up with these banks, they know how the banks operate, they go along with it for profit. Remember, this is "Apple Pay", not "$BANK_NAME Pay". What, you give a kid matches and you have no blame for the fire?

        As far as the article goes, Avivah Litan is way, way, WAY out of the loop. If he ever thought that having just the details was NOT enough, he clearly never read about #CC on Efnet or all the various versions of paypal's ability to add anyone's e-mail to anyone's account (countless other sites work too).

        But, I came for Anit Apple....stay focused! Apple pretends it's now cool to pay with credit cards via the internet. If they would of waited longer than 20+ years, they might of missed the window.

        1. SuccessCase

          Re: thanks Apple, now I'm living the dream!

          Clearly you like trolling. Go walk in yourself.

        2. Steve I

          Re: thanks Apple, now I'm living the dream!

          Is entrusting credit card verification to banks as irresponsible as giving a child matches?

          1. Arctic fox
            Headmaster

            @Steve I: Well, actually old chap, now that you mention it................

            "Is entrusting credit card verification to banks as irresponsible as giving a child matches?"

            ..........it would appear so. Although I also do not have much time for the fact that:

            " These numbers can be entered manually, so physical access to a card is not needed."

            ........was something that Cupertino failed to notice was not the smartest thing that they could be associated with.

            In short, neither the (w)bankers or the fruity company have exactly covered themselves with intellectual glory on this occasion.

            1. Lee D Silver badge

              Re: @Steve I: Well, actually old chap, now that you mention it................

              Although the banks are playing their part, Apple Pay is allowing a photo of a credit card to be used indefinitely as a payment option.

              The banks shouldn't be allowing it, but Apple Pay isn't being blocked by the banks either - so presumably Apple Pay are doing something in order to allow this situation to occur.

              If Apple are relying on the banks to authorise the transaction, they are still storing all that data and - presumably, like Amazon - taking the liability on it to an extent. Notice that Amazon don't put you through the Visa/MasterCard secure schemes where you have to type in codes and verify to the source bank - they are storing your information for 1-click and then taking the hit on fraud themselves.

              Presumably, Apple are doing the same here OR have negotiated their way out of liability with the banks.

              Seriously, people, all that Chip-and-PIN stuff that the EU fought for for years? It's worthless here. We're still doing transactions with just the card number. Do they even use the CCV code on the back of the card?

              If the number is enough (and it appears so for Amazon and Apple Pay) then the Chip & PIN stuff is worthless, even if the liability is shifted from the card issuer to the retailer. If the number isn't enough, Apple Pay wouldn't be able to operate as they are doing - and nor would Amazon. If the number is enough but liability is pushed to Apple, then it's partly Apple's fault for allowing this to happen for the sake of simpler business processes.

              1. Badvok

                @Lee D: Amazon <> Apple Pay

                I wouldn't really compare Apple Pay with Amazon in their use of number only.

                With Amazon you have to have an account, perhaps with dodgy details but you do typically need to get stuff delivered somewhere (well except the digital stuff though I doubt crims would bother with stuff they couldn't fence). With Apple Pay you can walk into a store, buy real stuff and walk out without anyone the wiser about who you really are.

              2. jai

                Re: @Steve I: Well, actually old chap, now that you mention it................

                As it says in the article: It is lax customer verification controls by banks rather than any inherent security weaknesses with Apply Pay

      2. eSeM

        Re: thanks Apple, now I'm living the dream!

        "Just remember that the article does say the Google Wallet etc will also suffer from this problem"

        No it doesn't.

        HTH

    2. Anonymous Coward
      Anonymous Coward

      Re: thanks Apple, now I'm living the dream!

      @first AC post. Do something useful with your life. Go back to Russia and hold up a pro-democracy anti-Putin plackard. Preferably outside he Kremlin.

  2. Anonymous Coward
    Anonymous Coward

    Yawn...

    Easy fix - don't active NFC for a week until the bank can send a snail mail confirmation letter.

    ...or is this only a problem because banks really, really want it to be?

    1. Bronek Kozicki

      Re: Yawn...

      And how exactly that would protect you?

      1. returnmyjedi

        Re: Yawn...

        Yoda?

      2. This post has been deleted by its author

      3. DragonLord

        Re: Yawn...

        If the bank sent a snail mail letter to the account holders address with a code attached, then the owner of the card would a) know it was stolen and b) be able to prevent the card been added to apple pay. If the hacker wants to get round this then they need to intercept the letter. At which point it's no longer a remote attack.

  3. Stevie

    Bah!

    Goddammit! The social security number is not to be used for identification purposes other than by the social security administration. How many times do the witless f*ckers in banking IT need to have that screamed at them? And then, having decided to ignore that stricture, to only use less than half the digits?

    Jesus f*cking Christ on a bike.

    How in f*ck's name could this level of stupid be deployed in this day and age in light of what we as an industry have learned regarding electronic banking and the methods to subvert them?

    To paraphrase the short guy from Game of Thrones:

    Hands. Coal hammers.

    1. PacketPusher
      Megaphone

      Re: Bah!

      It seems to me that the problem, in the US at least, is that the banks are not financially responsible for fraud. If fraud is claimed, the money is taken back from the vendor. The banks do not have an incentive to do a good job of verifying the user.

      1. P. Lee

        Re: Bah!

        Surely this is the same as a "cardholder not present" transaction.

        If you accept that kind of transaction, the vendor takes the extra risk.

        Not recommended if you can avoid it.

      2. Bob Dole (tm)

        Re: Bah!

        Banks everywhere have proven to "not be financially responsible". Period.

      3. Sam Liddicott

        Re: Bah!

        Maybe that is the scam! A way for apple to bring those billions back into the USA and avoid tax?

        Apple agents would also be the "scamming party" that scams Apple. The foreign fund holding division would make a loss as it refunds fraudulent payments in the USA from foreign held funds.

        Someone else work out the detail for me.

    2. hypernovasoftware

      Re: Bah!

      The reason so many companies use the ssn as the key to their databases is that they know they are guaranteed to be unique and the IT departments are too damn lazy to create their own indexes using some other data.

      1. jonathanb Silver badge

        Re: Bah!

        That's fine, but the Social Security Number should be treated as a name, not a password.

      2. wikkity

        Re: Bah!

        Sure use an ssn for identification but not _proof_ of identity, that's hardly any different to asking them to confirm their name.

      3. Stevie

        Re: SSN Guaranteed Unique

        In what alternate universe are Social Security Numbers "guaranteed to be unique"?

        Not in this one they ain't. I work at the sharp end of this and can state from actual knowledge gained at the expense of much pain, suffering and cries of "why me?" that the SSN is far from being guaranteed unique.

        Even if you discount the possibility of fraudulent SSN coinage, latency in the SSA's system can cause perfectly legitimate applications to be granted the same number, or could, 15 years ago. To design systems that use SSN as a unique identifier is to be shown to be the sort of IT professional who should be forced to wear very large shoes on their feet and a red rubber ball on their nose.

        I would hope that the latency issues have been addressed in the 15 years since I last investigated this, but nowhere will you find a statement to the effect that the SSN may be used by every Tom, Dick and Harry as a unique identifier without let or hindrance.

    3. JayKay

      Re: Bah!

      Precisely! These banks take the piss. I worked for an investment bank a few years ago... 2 days after starting I recievied an email from my manager telling me to put all my passwords in the Macro enabled Excel spreadsheet that was attached and upload to an SMB Share for "backup purposes". No S/MIME, nothing.

      I resigned the following week. Pathetic.

      1. jzlondon

        Re: Bah!

        You resigned? That was mature and productive and really showed them how to fix their issues. Well done you.

  4. Mark 85

    I see some poetic justice in this...

    The implantation has, shall we say, issues. So the crooks are using the iPhone to rip-off Apple in order to rip-off banks, private citizens, etc. The poetic is using a product to rip off the maker.

    The problem still boils down to the banks. IF they were serious, you'd take your phone and proper ID into the bank for verification. But that might inconvenience some users, right. It also, wouldn't let the bank off the hook when it's bailout time. Once again, users/taxpayers/honest citizens are screwed by the few and the mighty.

  5. hypernovasoftware

    Nice click-bait headline.

    It should read Banks lax security.

    It has nothing to do in particular with Apple Pay.

    Haters gonna hate as they say and the Reg has plenty.

    1. MrDamage Silver badge

      Apple deserves it share of the blame

      In the past, they have not been afraid to dictate to both users and companies alike, exactly how they are to do business with Apple.

      If Apple release this form of payment method, without demanding a high threshold of identification and verification parameters to be able to use this service, they they are just as much to blame as the banks.

      And yes, I would say the exact same thing about google wallet if they allow such lax measures to be used for verification.

    2. phuzz Silver badge
      Joke

      The crook still has to buy an iPhone for this to work. Just saying ;)

      1. 080

        Cook Scamms The Crook

        "The crook still has to buy an iPhone for this to work"

        You really have to admire Apple, they don't miss a single opportunity. But why use an expensive smartphone instead of a very small and conveniently carried piece of plastic with no need for charging?

  6. Ian Joyner Bronze badge

    ApplePay is very secure

    ApplePay is far more secure than carrying your credit card around in your wallet. It is far less likely for fraud due to the inbuilt security mechanisms.

    However, fraudsters will always try different ways - and these apply to any contactless payment, not just ApplePay (just Apple is so visible, putting Apple in a headline makes for a good headline).

    If fraudsters access a retail vendor's server database it is the fault of the vendor who are in turn a victim of the fraudsters.

    However, loading it on to a smart phone is a risk to the fraudster since it is more likely to be tracked (as in Find My iPhone). Maybe those anti-fraud measures are not in place at the moment, but it is easy to see that the backend could be tightened up in this way. No need for FUD against ApplePay, thanks.

    1. Mr.Mischief

      Re: ApplePay is very secure

      I dont get how Apple Pay is more secure than carrying your credit card in your pocket.

      With my card, its a physical card, it has my signature, chip and a PIN number to verify that it is in fact me using a physical card.

      With Apple Pay, the physical card is not present. It looks like all you need is a PHOTO of the card to load it into Apple Pay, and the SSN's last four digits.

      To compare, that would be like me giving the card to a friend along with the PIN number and telling them to go buy something for me.

      I'm sure all contactless payment systems may have the same problem, although it seems that Paypal and Google Wallet may not have had it to this extent. This could be either due to Google's registration process or through low usage. I dont know how rampant fraud was with GW.

      I guess "ease of use" and "ease of fraud" go hand in hand

      1. Ian Joyner Bronze badge

        Re: ApplePay is very secure

        "I dont get how Apple Pay is more secure than carrying your credit card in your pocket.

        With my card, its a physical card, it has my signature, chip and a PIN number to verify that it is in fact me using a physical card."

        The physical card can easily be stolen. If they steal your iPhone, they need your finger print to access the credit information. ApplePay is more secure than physical cards.

        "I guess "ease of use" and "ease of fraud" go hand in hand"

        No that is absolutely not true.

        1. PassiveSmoking

          Re: ApplePay is very secure

          It can also easily be cloned. All that data in the magnetic strip and onboard chip is very poorly protected and duplicating it all onto a blank card is child's play once you've got a copy of the data. The only bit that's not easily copied is the signature, and any competent fraudster should know how to forge a signature too. Not that anyone ever looks at the signature on the card any more, even when it's not a CNP transaction.

          1. Anonymous Coward
            Anonymous Coward

            Cloning the "chip"

            Got any references to this? You can't just read it via NFC, the chip is a tiny CPU and contains a private key you can't access. OK, you can probably use an electron microscope to read the chip if you know what you're doing and, you know, have an electron microscope, but if you're able to do that you can probably commit some more lucrative crimes instead of wasting your talents on card cloning.

      2. Ian Joyner Bronze badge

        Re: ApplePay is very secure

        "I guess "ease of use" and "ease of fraud" go hand in hand"

        I'll address that another way - making systems hard to use is security by obscurity and that is known not to be a good security strategy. Excellent security systems are also simple and provide ease of use. Apple has really excelled on that count with ApplePay.

      3. Anonymous Coward
        Anonymous Coward

        @Mr.Mischief

        Since Apple Pay is only in the US, you need to realize that in the US there is no "chip" and no "PIN" on a credit card number. It is processed with your signature alone. They'll take ANY scribble at all, they don't look at it and never check the signature on your card - I can say that for sure since I've never signed my cards! When you sign for a charge in person, it is considered "card present". If you phone in or web in an order there isn't a signature, so they ask for the three digit "security" code that's on the back of your card but not encoded in the mag stripe. That's "card not present" and the retailer pays a bigger cut for that type of transaction since fraud is more prevalent.

        What the article is talking about is that getting someone's card number is enough to enter it into Apple Pay, and those transactions are considered "card present". I suppose they could bump up the security a tiny bit making you enter the three digit code so you have to actually have the card (in theory) but that's not going to help much since such info is readily available from all the online retailers that have their databases cracked and contain millions of customer card numbers & codes.

        The best solution is what someone suggested above. In order to activate Apple Pay, the credit card company has to send you a snail mail letter to your billing address with a code that needs to be entered to activate the card in Apple Pay. That would make it less convenient and get rid of the instant gratification, but it would avoid the possibility of card numbers stolen online being used in this manner.

      4. OllyL

        Re: ApplePay is very secure

        I disagree somewhat with your conclusion there...

        I'd be interested in a quick straw-poll of the commentators on here to see how many have actually used Apple Pay.

        I'd be willing to wager I'm one of the few. I use Wells Fargo for my main credit/debit cards. When I got an iPhone 6 (in the UK incidentally), part of the setup noticed that the cards were iPay compatible, and would I like to use them. Once I'd done that I got an email from Wells Fargo telling me that someone had asked to add them to an Apple ID for use with iPay (I forget if it included the account details/phone #, but I'm due a new credit card soon, so I'll report back if I remember). I had to sign into the online banking, and run through additional security procedures before Wells Fargo would authorize the cards to be used with my iPhone (more than just the username/password to get into the online banking). Because the wife hadn't used her online banking in a long time, the bank actually insisted that she called up

        Another thought too, they'd have to be a fairly well heeled criminal to do this, as I'm sure if the transactions were flagged as suspect, then you'd lose the apple account and (one would assume) the iPhone attached to it...

      5. Mike Bell

        Re: ApplePay is very secure

        I dont get how Apple Pay is more secure than carrying your credit card in your pocket

        But you don't just carry the card in your pocket, do you. You get it out and, typically, stick it into a reader where you start typing your PIN. Your PIN can easily be sniffed by someone watching over your shoulder, or putting the card in a compromised reader. Your card/PIN can be cloned and used quite happily in parts of the world where they don't use Chip & PIN yet.

        Apple Pay uses secure tokens to ensure that your credentials are never divulged to anyone. Ergo: more secure.

        1. Michael Wojcik Silver badge

          Re: ApplePay is very secure

          "More secure" is a meaningless phrase outside the context of a threat model; ergo the posters making these claims don't know what they're talking about.

          1. Ian Joyner Bronze badge

            Re: ApplePay is very secure

            Did you just say anything? No just the spurious and wrong claim that I don't know what I'm talking about.

        2. Ian Joyner Bronze badge

          Re: ApplePay is very secure

          "Apple Pay uses secure tokens to ensure that your credentials are never divulged to anyone. Ergo: more secure."

          That's exactly right Mike. When you put a credit card in a reader, your numbers can be skimmed. With ApplePay, the iPhone does the job of the reader, validates you by your finger print, only unique numbers to do with the transaction are passed to the bank encrypted.

          Much safer than using your credit card. These stories really are FUD against ApplePay (and by that I could probably say Google Wallet and others).

          In the US they still use magnetic stripes and not even on-card chips, which are much harder to copy than mag stripes. So the US is way behind in security.

    2. Richard Jones 1
      FAIL

      Re: ApplePay is very secure

      Some years ago back in the mid 1990s I met with credit card companies on a project that was being developed. There were two issues then, limited imagination and the huge cost and near impossibility of adding security functionality to the streaming processes then used. I am pretty sure that number two still exists and we can see (1) being exhibited now. I am amazed that people were not aware that all this talk of 'very secure', is frankly hog wash - it is with all systems. Make a more secure anything and people will look for the easy way round the security. This is no exception. I suspect that the first error was to major all efforts on one device/method of initial verification. After that it was to allow a basically insecure method to 'verify' the voracity of the set up. If you do not employ a bit of lateral thinking and periodic re-verification your security will be breached. This is a consumer product so one perceived need is an easy ride for the user, but easy rides always come with costs.- The CVC code is pretty weak, and even the secondary card not present checks are not hugely strong but at least they are better and can be updated if/when needed via an established route.

      Frankly I do not care who allowed this to come about, the banks, apple, the man in the moon, or whoever, it makes no difference. It is still like making a secure vault with thick walls and armoured locks and having an unsecured air-conditioning duct or a plywood roof (it's safe at 10 feet off the ground). The product is end to end and the weakness is where ever and when ever it is found.

      The risk to the well organised fraudster is zero, phone cost is a few units of currency, (probably paid for with a stolen card), load it, use it for a few days make money, dump phone, bingo.

  7. JayKay

    As always the banks are the weakest link. You only need the last 4 digits of a widely available and insecure number to register a card.

    Blame the banks, this is an absolutely outrageous flaw in their registration process.

  8. Bob Dole (tm)

    Yawn...

    An article about bankers and lax controls around money. Who'd have thought the very people entrusted with our hard earned dough would overlook things like proper security. Only a few million in losses you say? Lol. Let us know when it's reached billions. That'll be a story and likely when bankers actually do something.

  9. a_milan

    Banks (and Apple) must be accountable for fraud

    As nicely pointed out by Bruce Schneier a while ago (https://www.schneier.com/crypto-gram/archives/2005/0415.html#2), until the financial institutions are held accountable for fraud, there won't be an incentive for them to build proper user data protection and identity verification.

    In this case Apple should take some share of responsibility but it seems their mechanism is reasonably safe, and far above what banks are doing.

    1. Mike Bell

      Re: Banks (and Apple) must be accountable for fraud

      Apple should take some share of responsibility

      They do. In return for their tiny cut on the transaction fee, Apple do take on partial liability, so it has been reported.

  10. Steve I

    Who's to blame..

    The Bank of England have been slammed that their new banknotes allow rampant fraud, banking experts are claiming.

    The problem is that whilst the notes themselves contain various security measures and are hard to copy, banks are being lazy and not checking the notes presented to them carefully enough and consequently are allowing people to deposit Monopoly money.

  11. Anonymous Coward
    Anonymous Coward

    Haha! People get sad when Apple have bad publicity, and Apple have bad publicity often. Haha!

    1. Anonymous Coward
      Anonymous Coward

      El Reg readers get sad when trolls lack anything interesting in their posting.

  12. hoola Silver badge

    Surprise?

    What is surprising is that it has taken this long for the issue to come to light. As with M&S in the NFC fiasco with double charging, the transfer of any form of payment to NFC, registered cards on devices and so on is always going to be a magnet for fraud. It is simply too easy to bypass the control with the information that the criminals can access. This is squarely at Apple's door or any other outfit that uses this technology. The banks are part of the loop but the end point has to be where the buck stops. Many of the problems surrounding this is that "While Coller crime" is not unacceptable in the way traditional crime is. The offer problem is that the individual amounts are small. The total may be large but the spread of small transaction simply makes it far too difficult for the Police to do anything about it.

    At the end of the day we all end up paying in back charges.

    1. hypernovasoftware

      Re: Surprise?

      The problem is with the bank's lax security when setting up/verifying the account.

      This is certainly NOT a problem with Apple Pay.

  13. jzlondon

    I don't understand why people are so worried about card fraud. When your card gets cloned, the bank is liable, not you. It's alarming to see large lumps of money leaving your account, I agree, but you'll get it back from the bank.

    I know, I know, we all pay for it ultimately. But still.

    1. returnmyjedi

      People are worried because even though you get the money back eventually it can be a right royal pain in the Harris to identify the frauds, get a new card, claim the money back etc. My housemate a few years ago ended up having his credit rating adversely affected by a credit card fraud that cleared out his bank account and resulted in several missed payments. Even though the back refunded him the money after a week or so, it took him a few months to get his credit rating back to normal which was jolly inconvenient at the time as it meant his mortgage application was rejected, he lost the house he wanted and - worse of all - he had to live we me an extra month.

  14. Anonymous Coward
    Anonymous Coward

    Poor registration process

    Reading the article, it seems that, in order to register a card with Apply Pay, all you need is the card number, and poor security by the bank allows the card to be used without any further checks.

    Whenever I use by debit or credit card online, I am redirected to the Verified By Visa or Mastercard Securecode verification site to enter digits from my password.

    Why is this not part of the Apple Pay registration? Seems to me that a card number and SSN are available from the darker corners of the internet. Have Visa and Mastercard also had lists of passwords stolen too? I don't remember reading about that.

    It may not be the smoothest of processes but, surely this would be better:

    You type in your card number and 3-digit code off the back

    You enter your Visa/Mastercard verification details

    Your bank then calls you on the number they have for your account, that you provided

    They confirm some details that are not easily accessible

    They post a registration code to your registered postal address

    You enter that code into ApplePay

    Now you can use it to buy things.

    Not 100% foolproof, but, having access to your card, phone and home are all required. A card number and SSN are useless on their own. Yes it's a little more inconvenient and may take a week to get it all sorted, but, is that really such a big problem?

  15. maffski

    2 factor authentication - 'Are you you?', 'Really?'

    The only way I can see this working is if the second factor authentication (e.g. the SSN) is requested via the iTunes account that is registering - via a call to the associated iphone, rather than calling the number that the bank has on record.

    This means all it can validate is that the person registering knows the information in question, it can't validate that the card holder is aware of or authorising the cards addition. This is made of stupid.

    1. Lee D Silver badge

      Re: 2 factor authentication - 'Are you you?', 'Really?'

      Or, you know, those Visa and MasterCard SecureCode things where only the cardholder you reasonably can provide the second factor? But ApplePay / Amazon choose not to use them and absorb the liability.

      Or, you know, texting you when a transaction occurs on your card like EVERY BANK IN EVERY OTHER EU COUNTRY DOES, for free.

      Hell, I was able to tell the woman in B&Q that they'd double-swiped my Italian relative's card because he got two text messages from the bank before we'd even finished bagging up. And that's across international borders.

  16. KLane
    Childcatcher

    Merchant liability

    In the US, at some major chain retailers (Fry's Food, Ross Stores, Home Depot, to name a few) and other minor chains, it is sufficient to swipe the card thru the reader as a credit transaction, and if the amount is under 50 dollars, no further check is done, not even requiring a signature on the reader screen, or the cashier to even look at the card. This is security?

  17. recovering grinch
    Stop

    Credit cards suck...but there are alternatives

    The problem here is the credit card, or rather the use of an easily stolen credential across multiple transactions.

    Alternatives do exist, but are successfully avoided by charging the merchant (and ultimately the consumer) to insure the fraudulent transactions, and always reversing the transactions at the expense of the merchant (who then loads the price even further to self-insure much as they do for "shrinkage"). Banks are rewarded for this with termination fees creating a cartel.

    Until the greedy bankers/schemes are removed from the equation this will always be so. For those in the industry, PSD2 is coming, and that will change things for the better, assuming our politicians can stomach the loss in income.

  18. Anonymous Coward
    Anonymous Coward

    LOL.

    Apple is known for making things easier to use, even for fraudsters.

    1. Ian Joyner Bronze badge

      "Apple is known for making things easier to use, even for fraudsters."

      Wong making things easier for your legitimate users does not necessarily make things easier for fraudsters. In fact, most often it makes it harder for fraudsters. Fraudsters in fact love complicated systems because they have more holes in them.

      The phrase is that "security by obscurity" is not good security.

  19. gpx

    Google Wallet FUD

    Amazing how the comments went straight to assuming that a problem with Apple Pay == a problem with Google Wallet. Know why Google Wallet doesn't suffer from this? After all it's been around for years, Android devices are plenty available and if it allowed this type of attack, why would it be just now that we have this issue?

    I've used Wallet for years, the only way you can add a card requires 2 factor authentication. https://support.google.com/wallet/answer/3230760?hl=en

    Just because you're a fan of Apple, please stop assuming that they are the only way of doing things and thus every issue found in an Apple device is an issue found elsewhere. It gets old and annoying.

    1. Ian Joyner Bronze badge

      Re: Google Wallet FUD

      Google uses the same banking systems. The problem is with the banking systems. Google could also be subject to this attack if someone steals you credit card numbers from a site and sets up wallet on their own Android.

      Misinformation and attacking Apple gets old and annoying.

  20. Alan Denman

    Bare naked...

    ...and now skint

  21. NBCanuck

    Liability?

    So who takes the dive on this one?

    Apple? No, I think they have probably done a good job protecting themselves. Their system is not broken.

    The Bank? Hopefully since it is their shoddy verification process that is causing the issue.

    The Consumer? Hopefully not but possible. The poor guy gets the bill and when he claims fraud:

    Cons.: "I didn't buy anything from XStore."

    Bank: "Yes, sir....the charge is from XStore in XTown. You do live in XTown don't you?

    Cons.: "Well, yes....but I don't shop there."

    Bank: "I'm sorry sir, but that appears to be a valid charge."

    Cons.: "That's not possible....I have my credit card right here."

    Bank: "Indeed, sir. The transaction was authorized by ApplePay."

    Cons.: "But I don't use ApplePay."

    Bank: "We have your validated request to add your credit card to ApplePay.

    Cons.: "But....but....I don't have an iPhone."

    Bank: "Ooh...you should use ApplePay when you purchase one."

    Cons.: "But....but....but...."

    and SCENE.

    Cons.: "That's not possible....I have my credit card right here."

    But I didn't buy anything that cost that much."

    But I didn't buy a new TV." the bank comes back and says it is is valid charge. Yep....transaction properly authorized Much worse if the fraud happens in the same local area where the consumer lives.

    1. Lee D Silver badge

      Re: Liability?

      As I've had to say to people several times: You are not liable for fraudulent charges on your card. Ever.

      When the bank question it, you tell them it was fraudulent.

      It is then up to them to prove otherwise. If you're lying, and caught on CCTV buying those goods, or whatever, they can charge you with intentional fraud, etc. as well as theft of the money/goods.

      But once you've said "I did not authorise this transaction number 12854738", that's the end of it. Refund me (and all incurred charges because of it) or take me to court and prove otherwise.

      Sure, it's hassle. But never pay a charge that you didn't authorise, not even for a second. Doing so could even be taken as an admission of your part in a fraud, or even that you were present at a certain place at a certain time when you weren't.

  22. Anonymous Coward
    Anonymous Coward

    It's all on the banks, I think

    I registered a card with AP - it required the card number, exp date and security code. If all this information AND the SSN is already compromised, they could be minting all kinds of copies of your cards and dozens of bad guys could be using those. How is Apple supposed to do anything about that?

    Banks needs to come up with some serious verification steps that really work (good suggestions above). Also sounds like a really great idea to make banks liable for at least some of these losses (as also stated above) to give them real incentive to stop allowing crims to piss away the money of hardworking citizens.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like