Millions of dollars have been lost to fraudsters exploiting Apple Pay loopholes left open by banks. Will the new Apple Card close the door on credit card fraud?
In December, the Department of Justice quietly announced the four-year sentence of a 23-year-old Miami resident who the government claimed was involved in a gang that loaded stolen Capital One credit cards onto their iPhones. Between 2015 and 2016, they spent more than $1.5 million on fraudulent purchases via Apple Pay.
More recently, according to a criminal complaint unearthed by Forbes, the U.S. government alleged that a group of 30-year-old friends loaded Apple Pay accounts and other digital wallets with stolen JPMorgan credit cards purchased from dark Web trading sites. They then made $600,000 in fraudulent purposes, splurging on a range of expensive gadgets—from a Rolex watch costing $35,000 to MacBook Pros and iPhones costing thousands of dollars—in stores in Washington State, according to the government. They then resold their purchases, the complaint noted. Alongside the Florida case, it’s one of the most financially damaging crimes yet documented in which Apple Pay was abused.
Assistant United States attorney Marie Dalton, who’s leading the prosecution of the Washington case, explained why the suspects chose to use Apple Pay and other popular wallets rather than just buy items online with the stolen credit card data. “When using a mobile wallet, the fraudster can instantly receive their stolen goods from the store without providing additional identification or delivery address,” she told Forbes. “Online, many retailers use verification applications, such as Verified by Visa or other mechanisms, to ensure the person making the purchase is the person whose credit card is used.” Crooks can also sidestep cloning cards, copying signatures and chip and pin technology by using Apple Pay to make in-store purchases in person.
Banks to blame?
But Apple isn’t the one at fault. Experts have previously warned that banks should be taking more responsibility to prevent such criminality. In 2016, researchers from the anti-fraud company PinDrop warned that crooks could benefit from Apple Pay by adding stolen credit cards from so-called “carding” sites where such information is sold for as little as $2 per card.
As PinDrop warned, the issue lay not with Apple but with the level of verification happening at the banks. Some institutions were calling customers and asking for more identifying information before they uploaded their bank cards to Apple Pay. Others were sending one-time codes to be entered upon upload. But some weren’t doing any additional checks.
“Apple Pay security is only as strong as its weakest link, i.e., the consumer credit card issuer which owns the relationship with the credit card holder and is—in most cases—ultimately responsible for detecting credit card fraud,” said Gartner analyst Avivah Litan, who’s long warned of the possible fraud threat around the Cupertino company’s software. “The credit card issuer has access to the details of all card transactions initiated by the consumer and is thus able to observe patterns of suspect and fraudulent behavior.”
Apple, JPMorgan Chase and Capital One had not responded to requests for comment at the time of publication.
Taking an illegal bite out of Apple
The cases unearthed by Forbes laid out in detail just how criminals can abuse Apple Pay. In Miami, the gang had acquired access to unspecified personal information belonging to Capital One customers. One of the fraudsters would then call Capital One, pretend to be a legitimate customer and convince the bank to hand over control of the account. Their next move was to link the credit cards with Apple Pay apps, which would be used to buy prepaid cards from stores like Walgreens. A member of the gang, 23-year-old Max Wesley, was arrested in February 2018 and sentenced to four years last December. Another defendant pled guilty to assisting the crime and is awaiting sentencing.
In Washington, the accused criminals are Aaron Laws, Denison Ellis and Jeffrey Mayfield from the state. The trio were arrested in December 2018. All three have been charged with a count of conspiracy to commit bank fraud, while Laws faces additional counts of aggravated identity theft, money laundering and possession of stolen credit card information. Their trial is scheduled to go ahead in October this year. Lawyers for the suspects had not responded to requests for comment at the time of publication.
The defendants are accused of working together to target a number of Apple and Microsoft stores. In one alleged crime from April 2017, a stolen card was uploaded to an Apple Pay account to fraudulently acquire two MacBook Pros from an Apple Store in Lynnwood, Washington, costing $7,725. Later that month, the same Apple Pay wallet was used to buy $4,940 worth of kit from the Microsoft Store in Seattle, the tech giant’s hometown. The government claimed banks cumulatively lost more than $600,000 as a result of the crimes.
Laws is accused of going beyond Apple Pay abuse and being a prolific credit card thief, acquiring at least 500 account numbers that belonged to others. And in August 2017, investigators said they had evidence indicating Laws used an unnamed wallet on a Samsung Galaxy S8+ device to make a fraudulent $4,158 purchase at the Microsoft Store in Portland, Oregon. Prosecutors also claim Laws used the funds acquired by selling the stolen gadgets to buy bitcoin and store them in a Coinme account using the name “Justin Zipperer.”
Don’t upset the Apple Card
The arrival of Apple Card could well help stymie the particular kind of fraud Laws and his alleged co-conspirators are accused of perpetrating. Crucially, there’s no card number, CVV security code, expiration date or signature to steal with Apple Card. Each Apple Card user gets a unique card number, which is stored on the iPhone’s Secure Element, a difficult-to-hack chip that stores information like encryption keys.
As Litan noted, Apple’s control over the payment ecosystem should mean it has greater oversight over potential frauds. “This should be beneficial for consumers in terms of fraud mitigation, since Apple will control the entire user experience and will have all the data from the card history to the iPhone history upon which to make intelligence fraud mitigation decisions,” she added. With other Apple Card benefits, like zero card fees and lower interest rates than competitors, rival banks and card issuers “should be very nervous,” Litan said.
But Neira Jones, a cybersecurity and payments consultant, said that Apple Card won’t be a panacea. When fraud happens, it might be down to failures of any organization or individual in the process, whether that’s the bank, the retailer or the mobile wallet provider, Jones said. Weak links can be found anywhere along the payment chain.
https://www.forbes.com/sites/thomasbrewster/2019/03/27/millions-are-being-lost-to-apple-pay-fraudwill-apple-card-come-to-the-rescue/
2019-03-27 17:10:00Z
52780251991421
Tidak ada komentar:
Posting Komentar