The new mobile payment system, Apple Pay, is being used by criminal gangs to buy high-value goods, often from Apple Stores, with identities and credit card details that have been stolen. With around two million Americans already using the system, this is a big security issue.

Apple Pay was introduced in October 2014 and is only available on the iPhone 6 and iPhone 6 Plus models that were released last year. The system lets users pay by holding their phone near an NFC-equipped terminal and then confirm their identity with the iPhone’s fingerprint sensor.

Criminal gangs have not broken the encryption surrounding Apple Pay’s fingerprint-activated wireless payment system. They are, however, setting up new iPhones with stolen personal information, and then telephoning banks to ‘provision’ the victim’s card details on the iPhone and then use it to buy goods.

The criminal gangs that are using the stolen IDs are targeting Apple retail stores in particular, because they accept Apple Pay and also they market high-value items that can then be re-sold for cash.

A debit card/credit card can only be added to Apple Pay when its issuing bank sends an encrypted digital version of the card details to store on the phone. It should only do this when they are certain the real owner is using it.

Banks in the US are using a ‘green path’ for card details which they approve immediately on such data, and a ‘yellow path’ for cards that are required to have more checks. It appears as though some banks have simply asked the caller to verify their identity using the last four digits of their social security number (SSN). A person’s SSN is meant to be secret, but SSNs are commonly stolen in identity theft. According to the latest US data, 11.5 million Americans, on average, are victims of identity fraud, with the average incident costing $4,930.

Apple’s support pages gives the following information about the service, “When you add a credit or debit card to Apple Pay… Apple sends the encrypted data, along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”

[Image via thegenius]

SOURCE: The Guardian