When it came out, Apple Pay fixed a lot of the problems that the average consumer has been facing with existing monetary systems. However, there still are a few chinks in Apple’s armor. Drop Labs, a mobile commerce thinktank, has published a comprehensive and detailed analyisis of Apple’s security measures, and the gist of it is that there still needs some details to be ironed out.
To give it its due, the hardcore tech stuff for Apple Pay works just fine: no-one is breaking TouchID, stealing iPhones to pay for stuff, or hacking the NFC transmission protocol. Rather, the flaw lies in credit cards themselves.
Thing is people are buying credit card numbers online, then loading those same numbers into Apple Pay, in essence making themselves a handy fake credit card, without going to the trouble of making a physical fake. And it’s not a small problem: Drop Labs claims that for some issuers, fraud levels are as high as 6% (meaning $6 of every $100 spent is fraudulent). That’s bad even when compared to regular credit cards, whose fraud rate averages out at under 1%.
This is possible because of two flaws with the system. Most problematically, it’s easy for hackers to steal credit card numbers from stores, and then sell those numbers online. That’s a fundamental problem with the credit-card system (and especially the stupid dumb magnetic stripes they all use), and something that Apple Pay is just an unwitting victim of.
Then there’s another issue that is specific to Apple Pay. In short, banks aren’t taking the proper measures to ensure that the credit card owner is the one using the credit card in Apple Pay. According to Drop Labs, most banks use a phone call to authenticate when a card is loaded into Apple Pay, a method that’s woefully inadequate.
Drop Lab’s contention is that while credit cards and their archaic unencrypted magnetic strips continue to exist, no system — not even one that uses fingerprints and special super-secure chips — can prevent nefarious hackers buying hookers with your credit card.