Apple Pay stung in transactions using data stolen from retailers

Discussion in 'iPhone' started by BasicGreatGuy, Mar 5, 2015.

  1. BasicGreatGuy Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #1
    It will be interesting to see how Apple responds to this.


    "Apple Inc's mobile payment system Apple Pay has been hit by a wave of fraudulent transactions using stolen credit-card data from a spate of breaches at retailers, the Wall Street Journal reported, citing people familiar with the matter.

    The transactions stemmed from breaches at retail giants including Home Depot Inc and Target Corp, the Journal reported on Thursday."

    https://www.yahoo.com/tech/s/apple-...data-stolen-retailers-012956015--finance.html
     
  2. andyw715 macrumors 6502a

    Joined:
    Oct 25, 2013
    #2
    Whine inconvenient, having to call the bank in order to allow activation for Apple Pay is a good idea for banks to do.
     
  3. BasicGreatGuy thread starter Contributor

    BasicGreatGuy

    Joined:
    Sep 21, 2012
    Location:
    In the middle of several books.
    #3
    That is true. However, it is not very practical in many businesses that deal in volume, where speed is at the forefront.
     
  4. ftaok macrumors 601

    ftaok

    Joined:
    Jan 23, 2002
    Location:
    East Coast
    #4
    It's not an apple problem. The credit cards numbers have already been stolen. They're just using iPhones instead of fake credit cards. There's really nothing to see here except if the headline says Apple, then they get clicks.

    Here's a quick thought. Using Apple pay with stolen cc numbers is kinda risky for the thief. After all, if they are able to track down the iPhone that made the purchase, then they'll have the thief's fingerprint connected with the iPhone. With a regular bogus credit card, they'd have to have proof, meaning video evidence or the physical stolen goods.
     
  5. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    Cabin by a lake
    #5
    Apple Pay can also be used with just a passcode. No TouchID necessary.

    However, you bring up a good point about being device specific:

    A device account number (token) is provisioned per device. In other words, for the same real account number, each registered device has its own unique account token. So they need only match up the token from the criminal purchases with the token provisioned on that device.
     
  6. MCSN macrumors regular

    MCSN

    Joined:
    Feb 7, 2012
    Location:
    Kayenta
    #6
    maybe they'll rob banks with jailbroken apple pay?
     
  7. ftaok macrumors 601

    ftaok

    Joined:
    Jan 23, 2002
    Location:
    East Coast
    #7
    That's right. I forgot about that.
     
  8. OllyW Moderator

    OllyW

    Staff Member

    Joined:
    Oct 11, 2005
    Location:
    The Black Country, England
    #8
    While it's device specific, they won't be able to get the thief's fingerprint.

    https://support.apple.com/en-gb/HT5949
     
  9. ftaok macrumors 601

    ftaok

    Joined:
    Jan 23, 2002
    Location:
    East Coast
    #9
    I'm guessing that they could tie a thief back to the iPhone used with the stolen cc info. If the thief used Touch ID, they could determine that for if he used Apple pay, then he would have had to use his fingerprint. That was my thinking anyway.

    But as kdarling pointed out, you can used the iPhone passcode instead of your thumbprint. Also something else I thought of is that you can have multiple people's prints, so my thought was moot anyway.
     
  10. UAV macrumors regular

    Joined:
    Jan 11, 2015
    #10
    Apple Pay stung in transactions using data stolen from retailers: WSJ

    (Reuters) - Apple Inc's (AAPL.O) mobile payment system Apple Pay has been hit by a wave of fraudulent transactions using stolen credit-card data from a spate of breaches at retailers, the Wall Street Journal reported, citing people familiar with the matter.

    The transactions stemmed from breaches at retail giants including Home Depot Inc (HD.N) and Target Corp ,(TGT.N) the Journal reported on Thursday.

    The majority of unauthorized purchases have been for big-ticket items bought with smartphones at Apple's own stores, the Journal said.
    Apple could not be reached immediately for comment.
    (Reporting By Darshana Sankararaman in Bengaluru; Editing by Ken Wills)
     
  11. JayLenochiniMac macrumors G5

    Joined:
    Nov 7, 2007
    Location:
    New Sanfrakota
    #11
    I was able to add my Citi Dividend card to Apple Pay without any verification whatsoever (both of my Amex cards did require verification via email). I'd imagine any thief can do the same with a stolen card used physically from a breach so it's a problem that the bank rather than Apple will need to fix.
     
  12. myztikal47 macrumors regular

    Joined:
    Dec 4, 2007
    #12
    TouchID information is stored locally in a secure chip on the phone, cannot be remotely accessed no matter what. And also, it does not store an image of the fingerprint, rather, it stores certain unique points.
     
  13. MasterRyu2011 macrumors 65816

    Joined:
    Aug 22, 2014
    #13
    The Banks should allow credit/debit card users the option to turn on two-factor authentication to load a card onto Apple Pay or any other payment service ---- or something similar to what Google and Yahoo have done with their email service. You can limit what mobile devices can access the email.
     
  14. ftaok macrumors 601

    ftaok

    Joined:
    Jan 23, 2002
    Location:
    East Coast
    #14
    I understand that. My thought was that is the cops could trace the stolen credit card number with an iPhone, which is plausible, they could tie tithe owner of the phone to the illegal transaction. They wouldn't need to have the fingerprint, only need to link the phone to the owner.

    But as was previously pointed out, apple pay doesnt require touchid. Also, another user could put their fingerprint on the iPhone.

    But it's still seems kinda risky to use applepay this way since they could still link the illegal purchase to a specific iPhone.
     
  15. barkomatic macrumors 68040

    Joined:
    Aug 8, 2008
    Location:
    Manhattan
    #15
    Actually, it could be a significant problem for Apple. Even though Apple Pay itself wasn't breached, if it makes it easier for thieves to commit fraud with stolen credit card info then the process of entering that info will need to be changed. Also, a lot people aren't going to be able to understand what really happened here, and will *perceive* that the system was breached.

    As other posters have stated, the police don't have access to fingerprint data--but I can easily see more incidents like this forcing Apple to save and turn over fingerprint data -- which would be an enormous privacy issue for the majority of us who aren't thieves.
     
  16. C DM macrumors Westmere

    Joined:
    Oct 17, 2011
    #16
    But they don't have anything that saves the fingerprint data that could be used by someone to actually create or match a fingerprint.
     
  17. AutoUnion39 macrumors 601

    AutoUnion39

    Joined:
    Jun 21, 2010
    #17
    This is true. I needed to do this for my BoA cards.

    Now if Discover would jump on Apple Pay...
     
  18. kdarling macrumors demi-god

    kdarling

    Joined:
    Jun 9, 2007
    Location:
    Cabin by a lake
    #18
    I thought the idea was that they could have suspects put their fingers on the iPhone that was used for fraudulent payments.

    Whoever's finger unlocks the phone, is the criminal :)

    Kind of a TouchID police lineup. (Identity parade to you Brits.)
     
  19. roadbloc macrumors G3

    roadbloc

    Joined:
    Aug 24, 2009
    Location:
    UK
    #19
    Ouch. Bit of an oversight. On the bank's part that is. Seriously, this isn't Apple's issue.
     
  20. zyr123 macrumors 6502

    Joined:
    May 31, 2009
    #20
    sigh its the banks fault, move along nothing to see here. Apple still should ask for id though even with apple pay.
     
  21. newellj macrumors 601

    Joined:
    Oct 15, 2014
    Location:
    Boston, MA, US
    #21
    Nonsense. This is exactly what I have do every time Citi sends me a new card. :rolleyes:
     
  22. Tsuchiya macrumors 68020

    Tsuchiya

    Joined:
    Jun 7, 2008
    #22
    Apple merely provide a platform that is targeted for abuse.

    It isn't the first time.

    The Apple Store app is notorious for this, as it allows people to purchase accessories straight from the shelves using the "EasyPay" function.
     

Share This Page