Apple Pay has gotten a bad rap lately following news that cyber thieves loaded stolen credit-card data onto phones and made fraudulent purchases through the mobile-payment system. Apple Pay, which launched shortly after the iPhone 6 and iPhone 6 Plus, is designed as an easy way for customers to pay for purchases on their iPhone. But now some banks, in response to recent fraud, are ramping up their security when customers try to set up an account.
The good news: In today's day and age of increasing security breaches and hacking, a few extra verification steps when trying to set up your Apple Pay account is certainly not a bad thing. In fact, should your credit card data get compromised by a major breach and passed on to a cyber thief, you would hope these steps would stop a criminal in his or her tracks.
According to the Wall Street Journal, some banks are “making customers jump through more hoops because they want to make sure that card really belongs to the person who is loading it into the phone."
This includes banks sending a one-time authorization code to the customer's email or mobile phone that must be entered into the Apply Pay set-up or asking customers to call a toll-free number where a customer-service rep will try to verify the person's identity. A few banks are also requiring that customers authorize their Apple Pay request by logging into their online bank account.
Those who have an Apple iTunes account could have an easier time, since there are more points of verification available for the bank if the customer's card is already on file with Apple.
Recent cases of Apple Pay-enabled fraud, which used stolen credit card information that has been traced back to Target's massive data breach at the end of 2013 and the Home Depot breach last year, has also opened up the door for more accusations about the mobile-payment system.
According to Brian Krebs of the blog KrebsonSecurity, “Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud."
The article explains that crooks can purchase “dumps" — which are data stolen straight off the magnetic stripe on the backs of cards — taken from main-street merchants and intended to be used at main-street merchants. When fraudsters want to make fraudulent purchases online, they typically turn to “CVVs" — which is card data stolen from hacked online stores and includes the three-digit code on the back of cards that is required for most online transactions.
Apple Pay allegedly blurs the lines of these two types of fraud by erasing the limitation of CVVs by enabling customers to buy fraudulent purchases at main-street merchants with data stolen from online breaches.
Apple Pay “allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs. That's because most banks that are enabling Apple Pay for their customers do little, if anything, to require that customers prove they have the physical card in their possession," Brian Krebs writes.
This brings us back to what banks are doing to help combat this situation: toughening up their verification requirements.
"Apple Pay is designed to be extremely secure and protect a user's personal information," says an Apple spokesperson. “During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank."
Moral of the story: If you're met with some resistance when trying to set up your Apple Pay account, know that the bank's intentions are for the best, and hopefully their efforts will thwart some cyber criminals in the process.