Cybercriminals Invent Better Mouse to Foil Apple Pay

Posted February 5, 2015

Thieves Defeat Apple Pay TouchID by Using Stolen Credit Card Numbers

There’s an old saying that when somebody invents a better mousetrap, somebody else is going to invent a better mouse. If that old saw doesn’t quite make it for you, how about “if you can’t raise the bridge, lower the river”?

Both pretty well explain what cybercriminals have done to get around Apple Pay’s TouchID. Instead of breaking TouchID by using high-def pix of fingerprints or getting their hands on actual fingers (just joking — we hope), cybercriminals simply bought stolen credit card numbers online and loaded those numbers into Apple Pay. That way, they didn’t even have to go to the trouble (or expense) of making a fake credit card.

Citing a Drop Labs blog post, Chris Mills’ Gawker Media article on gizmodo.in describes the flaws in the system that leave consumers and retailers who use Apple Pay vulnerable, and the effect of this new wrinkle on fraud levels. The following has been excerpted from his story and edited to fit our format. You may find the full article by clicking on this link.

Two flaws

[One. It’s] easy for hackers to steal credit card numbers from stores, and then sell those numbers online. That’s a fundamental problem with the credit-card system…and something that Apple Pay is just an unwitting victim of.

The second issue, however, is specific to Apple Pay. In short, banks aren’t taking the proper measures to ensure that the credit card owner is the one using the credit card in Apple Pay. According to Drop Labs, most banks use a phone call to authenticate when a card is loaded into Apple Pay, a method that’s woefully inadequate.

Rates of fraud through the roof

Drop Labs claims that for some issuers, fraud levels are as high as 6% (meaning $6 of every $100 spent is fraudulent). That’s bad even when compared to regular credit cards, whose fraud rate averages out at under 1%.

Mills takes a swipe (pardon the pun) at strips

But what this data really tells us is that while credit cards and their stupid unencrypted magnetic strips continue to exist, no system – not even one that uses fingerprints and special super-secure chips – can prevent nefarious hackers buying hookers with your credit card.

ThreatMetrix
