
Apple_Robert

It will be interesting to see how Apple responds to this.


"Apple Inc's mobile payment system Apple Pay has been hit by a wave of fraudulent transactions using stolen credit-card data from a spate of breaches at retailers, the Wall Street Journal reported, citing people familiar with the matter.

The transactions stemmed from breaches at retail giants including Home Depot Inc and Target Corp, the Journal reported on Thursday."

https://www.yahoo.com/tech/s/apple-...data-stolen-retailers-012956015--finance.html
 
While inconvenient, having to call the bank in order to allow activation for Apple Pay is a good idea for banks to do.
 
It's not an Apple problem. The credit card numbers have already been stolen. They're just using iPhones instead of fake credit cards. There's really nothing to see here except if the headline says Apple, then they get clicks.

Here's a quick thought. Using Apple Pay with stolen cc numbers is kinda risky for the thief. After all, if they are able to track down the iPhone that made the purchase, then they'll have the thief's fingerprint connected with the iPhone. With a regular bogus credit card, they'd have to have proof, meaning video evidence or the physical stolen goods.
 
Here's a quick thought. Using Apple Pay with stolen cc numbers is kinda risky for the thief. After all, if they are able to track down the iPhone that made the purchase, then they'll have the thief's fingerprint connected with the iPhone.

Apple Pay can also be used with just a passcode. No TouchID necessary.

However, you bring up a good point about being device specific:

A device account number (token) is provisioned per device. In other words, for the same real account number, each registered device has its own unique account token. So they need only match up the token from the criminal purchases with the token provisioned on that device.
 
Here's a quick thought. Using Apple Pay with stolen cc numbers is kinda risky for the thief. After all, if they are able to track down the iPhone that made the purchase, then they'll have the thief's fingerprint connected with the iPhone. With a regular bogus credit card, they'd have to have proof, meaning video evidence or the physical stolen goods.

While it's device specific, they won't be able to get the thief's fingerprint.

Touch ID doesn't store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn't possible for someone to reverse engineer your actual fingerprint image from this mathematical representation.

https://support.apple.com/en-gb/HT5949
 
While it's device specific, they won't be able to get the thief's fingerprint.

I'm guessing that they could tie a thief back to the iPhone used with the stolen cc info. If the thief used Touch ID, they could determine that, for if he used Apple Pay, then he would have had to use his fingerprint. That was my thinking anyway.

But as kdarling pointed out, you can use the iPhone passcode instead of your thumbprint. Also something else I thought of is that you can have multiple people's prints, so my thought was moot anyway.
 
Apple Pay stung in transactions using data stolen from retailers: WSJ

(Reuters) - Apple Inc's (AAPL.O) mobile payment system Apple Pay has been hit by a wave of fraudulent transactions using stolen credit-card data from a spate of breaches at retailers, the Wall Street Journal reported, citing people familiar with the matter.

The transactions stemmed from breaches at retail giants including Home Depot Inc (HD.N) and Target Corp (TGT.N), the Journal reported on Thursday.

The majority of unauthorized purchases have been for big-ticket items bought with smartphones at Apple's own stores, the Journal said.
Apple could not be reached immediately for comment.
(Reporting By Darshana Sankararaman in Bengaluru; Editing by Ken Wills)
 
I was able to add my Citi Dividend card to Apple Pay without any verification whatsoever (both of my Amex cards did require verification via email). I'd imagine any thief can do the same with a stolen card used physically from a breach so it's a problem that the bank rather than Apple will need to fix.
 
I'm guessing that they could tie a thief back to the iPhone used with the stolen cc info. If the thief used Touch ID, they could determine that, for if he used Apple Pay, then he would have had to use his fingerprint. That was my thinking anyway.

But as kdarling pointed out, you can use the iPhone passcode instead of your thumbprint. Also something else I thought of is that you can have multiple people's prints, so my thought was moot anyway.

TouchID information is stored locally in a secure chip on the phone, cannot be remotely accessed no matter what. And also, it does not store an image of the fingerprint, rather, it stores certain unique points.
 
The banks should allow credit/debit card users the option to turn on two-factor authentication to load a card onto Apple Pay or any other payment service, or something similar to what Google and Yahoo have done with their email service. You can limit what mobile devices can access the email.
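
Added example, not part of the thread or of any poster's message: a toy issuer-side token vault in Python that combines the two points raised above, a separate device account number per (card, device) pair and a refusal to provision until the cardholder has approved the device out of band. The class, method names, device IDs and the test card number are constructed for illustration and do not describe Apple's or any bank's actual system.

```python
import secrets

class TokenVault:
    """Toy issuer token vault (hypothetical model, not a real bank API)."""

    def __init__(self):
        self._tokens = {}     # device account number -> (pan, device_id)
        self._approved = set()  # (pan, device_id) pairs verified with the cardholder

    def approve_device(self, pan, device_id):
        """Record an out-of-band cardholder approval (phone call, e-mail code)."""
        self._approved.add((pan, device_id))

    def provision(self, pan, device_id):
        """Issue a device account number only for an approved (card, device) pair."""
        if (pan, device_id) not in self._approved:
            return None  # knowing the card number alone is not enough
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if token not in self._tokens and token != pan:
                break
        self._tokens[token] = (pan, device_id)
        return token

    def trace(self, token):
        """Map a token from a disputed purchase back to the device it was issued to."""
        entry = self._tokens.get(token)
        return entry[1] if entry else None

def demo():
    pan = "4111111111111111"  # constructed test card number
    vault = TokenVault()
    # A device the cardholder never approved is refused.
    refused = vault.provision(pan, "unknown-phone")
    # Two approved devices get different tokens for the same card.
    vault.approve_device(pan, "owner-phone")
    vault.approve_device(pan, "owner-watch")
    t_phone = vault.provision(pan, "owner-phone")
    t_watch = vault.provision(pan, "owner-watch")
    # A token seen at the point of sale identifies exactly one device.
    return refused, t_phone != t_watch, vault.trace(t_watch)

if __name__ == "__main__":
    print(demo())
```
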
 
TouchID information is stored locally in a secure chip on the phone, cannot be remotely accessed no matter what. And also, it does not store an image of the fingerprint, rather, it stores certain unique points.

I understand that. My thought was that if the cops could trace the stolen credit card number with an iPhone, which is plausible, they could tie the owner of the phone to the illegal transaction. They wouldn't need to have the fingerprint, only need to link the phone to the owner.

But as was previously pointed out, Apple Pay doesn't require Touch ID. Also, another user could put their fingerprint on the iPhone.

But it still seems kinda risky to use Apple Pay this way since they could still link the illegal purchase to a specific iPhone.
 
It's not an Apple problem. The credit card numbers have already been stolen. They're just using iPhones instead of fake credit cards. There's really nothing to see here except if the headline says Apple, then they get clicks.

Here's a quick thought. Using Apple Pay with stolen cc numbers is kinda risky for the thief. After all, if they are able to track down the iPhone that made the purchase, then they'll have the thief's fingerprint connected with the iPhone. With a regular bogus credit card, they'd have to have proof, meaning video evidence or the physical stolen goods.

Actually, it could be a significant problem for Apple. Even though Apple Pay itself wasn't breached, if it makes it easier for thieves to commit fraud with stolen credit card info then the process of entering that info will need to be changed. Also, a lot of people aren't going to be able to understand what really happened here, and will *perceive* that the system was breached.

As other posters have stated, the police don't have access to fingerprint data--but I can easily see more incidents like this forcing Apple to save and turn over fingerprint data -- which would be an enormous privacy issue for the majority of us who aren't thieves.
 
Actually, it could be a significant problem for Apple. Even though Apple Pay itself wasn't breached, if it makes it easier for thieves to commit fraud with stolen credit card info then the process of entering that info will need to be changed. Also, a lot of people aren't going to be able to understand what really happened here, and will *perceive* that the system was breached.

As other posters have stated, the police don't have access to fingerprint data--but I can easily see more incidents like this forcing Apple to save and turn over fingerprint data -- which would be an enormous privacy issue for the majority of us who aren't thieves.

But they don't have anything that saves the fingerprint data that could be used by someone to actually create or match a fingerprint.
 
While inconvenient, having to call the bank in order to allow activation for Apple Pay is a good idea for banks to do.

This is true. I needed to do this for my BoA cards.

Now if Discover would jump on Apple Pay...
 
But they don't have anything that saves the fingerprint data that could be used by someone to actually create or match a fingerprint.

I thought the idea was that they could have suspects put their fingers on the iPhone that was used for fraudulent payments.

Whoever's finger unlocks the phone, is the criminal :)

Kind of a TouchID police lineup. (Identity parade to you Brits.)
 
Ouch. Bit of an oversight. On the bank's part that is. Seriously, this isn't Apple's issue.
 
Sigh, it's the bank's fault, move along, nothing to see here. Apple still should ask for ID though, even with Apple Pay.
 
Apple merely provide a platform that is targeted for abuse.

It isn't the first time.

The Apple Store app is notorious for this, as it allows people to purchase accessories straight from the shelves using the "EasyPay" function.
 