Apple Pay provisioning fraud was a huge story in early 2015 (see here, here and here, and this Washington Post article, which claimed that 6% of Apple Pay sales were on stolen cards). Mercator’s May 2015 report “Defining a Strategic Path for Banks Regarding EMV, Tokens, Apple Pay, and Mobile Apps” documented the provisioning process and identified the weakness in the Apple Pay provisioning model. And yet this Forbes article indicates that financial institutions continue to provision cards without performing sufficient identification and verification (ID&V) procedures and, as a result, have lost millions, which is very disheartening:
“Millions of dollars have been lost to fraudsters exploiting Apple Pay loopholes left open by banks. Will the new Apple Card close the door on credit card fraud?
In December, the Department of Justice quietly announced the four-year sentence of a 23-year-old Miami resident who the government claimed was involved in a gang that loaded stolen Capital One credit cards onto their iPhones. Between 2015 and 2016, they spent more than $1.5 million on fraudulent purchases via Apple Pay.
More recently, according to a criminal complaint unearthed by Forbes, the U.S. government alleged that a group of 30-year-old friends loaded Apple Pay accounts and other digital wallets with stolen JPMorgan credit cards purchased from dark Web trading sites. They then made $600,000 in fraudulent purchases, splurging on a range of expensive gadgets—from a Rolex watch costing $35,000 to MacBook Pros and iPhones costing thousands of dollars—in stores in Washington State, according to the government. They then resold their purchases, the complaint noted. Alongside the Florida case, it’s one of the most financially damaging crimes yet documented in which Apple Pay was abused.
Assistant United States attorney Marie Dalton, who’s leading the prosecution of the Washington case, explained why the suspects chose to use Apple Pay and other popular wallets rather than just buy items online with the stolen credit card data. “When using a mobile wallet, the fraudster can instantly receive their stolen goods from the store without providing additional identification or delivery address,” she told Forbes. “Online, many retailers use verification applications, such as Verified by Visa or other mechanisms, to ensure the person making the purchase is the person whose credit card is used.” Crooks can also sidestep cloning cards, copying signatures and chip and pin technology by using Apple Pay to make in-store purchases in person.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group