Apple Inc.'s new mobile-payment system has been hit by a wave of
fraudulent transactions using credit-card data stolen in recent
breaches of big retailers, including Home Depot Inc. and Target
Corp., people familiar with the matter said.
About 80% of the unauthorized purchases have been for big-ticket
items purchased with smartphones at Apple's own stores, one person
with knowledge of the situation said. Those Apple products have a
higher resale value than most of those available through other
merchants that have signed on to the Apple Pay system, such as
Whole Foods Market Inc. and Panera Bread Co.
The Apple Pay system itself hasn't been penetrated by hackers.
Rather, fraudsters are entering stolen card data into phones, which
can then be used to make purchases without a physical card being
present.
An Apple spokesman said, "Apple Pay is designed to be extremely
secure and protect a user's personal information."
The bogus purchases are a setback for Apple's high-profile foray
into electronic payments, even though banks are responsible for
verifying customer information before cards can be used with
phones.
Apple hasn't provided data on the number of Apple Pay users but
says that the service accounted for two of every three dollars
spent in the U.S. via mobile payments on the three major
credit-card networks.
Banks that are using the Apple Pay platform are in some cases
making changes to their security procedures, the people familiar
with the matter said.
The fraud highlights how compromised card data can be valuable
to cybercriminals long after merchants secure holes in their
payment systems.
"There is a trail of fraudulent activity as a result of these
larger breaches and our job is to catch that in the process," said
Jeff Siekman, director of payments and commerce solutions products
at Fifth Third Bancorp, a large regional bank that is based in
Cincinnati.
U.S. consumers have been walloped by a string of high-profile
merchant breaches in recent years that exposed their
credit-and-debit card information to criminals. Home Depot said in
September that 56 million cards may have been compromised in a
five-month attack on its terminals, topping the 40 million cards
affected by the Target breach at the end of 2013.
The effects of those incidents are being felt for some time
after the breaches in large part because financial institutions
that issue cards typically don't launch broad-scale replacements of
the affected plastic after a merchant is hacked.
The card companies figure that the cost of potential fraud is
often less than giving each customer a new card, according to
payment experts and bank executives, and customers sometimes
complain about the inconvenience of having to switch to new
cards.
The costs of such fraud are borne by the banks because
cardholders aren't responsible for unauthorized purchases.
Apple has earned a reputation for holding suppliers and partners
to its exacting standards. In this instance, Apple left the process
of verifying questionable cards to the banks" discretion.
Credit accounts can be added to Apple Pay by taking a picture of
a physical card, or by manually entering card information.
Different banks then take different additional steps to verify
account details, and that the person who entered the information is
the true account owner.
Some ask customers to enter additional data to confirm their
identities. A few banks require customers to log into their online
accounts to authorize the Apple Pay service. Sometimes, customers
are asked to call customer-service representative to set up
cards.
Criminals are employing relatively low-tech means to find
vulnerabilities in those verification systems.
Banks are trying to stem the Apple Pay fraud by tightening their
verification procedures to load card data into Apple Pay, said
people familiar with the bank policies.
"Our member banks are reacting as quickly as possible to ensure
their verification processes are adequate to thwart this new kind
of fraud," said David Pommerehn, vice president and senior counsel
at the Consumer Bankers Association, which represents lenders that
issue credit and debit cards.
Several bank representatives declined to comment on the Apple
Pay vulnerabilities or their efforts to quash the fraudsters.
PNC Financial Services Group Inc. has seen 35 cases of fraud out
of thousands of all Apple Pay customers, said a spokesman for the
Pittsburgh-based bank. "We have looked at our processes and we
believe we have very strong know-your-customer processes in place
to prevent any additional cases," he said.
Apple introduced the mobile-payments system with great fanfare
last fall as a way for consumers to pay for purchases with phones.
Although such technology had been available for several years in
other mobile phones, the iPhone's popularity--combined with
technology embedded in the system to make payments secure--helped
to fuel enthusiasm.
Hundreds of banks have since jumped aboard, paying Apple 0.15%
of every transaction made on the system. Many banks were eager to
partner with Apple on the project, even though it required
developing new security measures.
"They had a limited amount of time to execute and some of them
were just caught by surprise by the challenges associated with
doing it," said Tim Sloane, vice president for payments innovation
at Mercator Advisory Group, a payments-industry consulting
firm.
Apple aimed to solve the issue of stolen credit cards by working
with the card networks to mask the user's information by issuing a
one-time code for each purchase. But this doesn't prevent thieves
from loading already stolen cards into the service.
"Apple Pay is formidable, but it still sits on a loose
foundation," said Richard Crone, chief executive of Crone
Consulting, a payments-advisory firm.
Banks are using an assortment of methods to authenticate
cardholder identity on Apple Pay, including sending a verification
text to the customer. That is considered a fairly secure method
because a fraudster who has stolen card information likely doesn't
have possession of the victim's phone.
Last month, Chase said more than one million customers have set
up their credit and debit cards for Apple Pay. In January, Bank of
America said 800,000 customers had activated 1.1 million cards on
Apple Pay.
Neither bank has disclosed transaction volume. One credit-union
executive said that while many customers signed up for Apple Pay, a
small percentage have used it so far.
Access Investor Kit for Apple, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US0378331005
Access Investor Kit for The Home Depot, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US4370761029
Access Investor Kit for Panera Bread Co.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US69840W1080
Access Investor Kit for Target Corp.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US87612E1064
Access Investor Kit for Whole Foods Market, Inc.
Visit
http://www.companyspotlight.com/partner?cp_code=P479&isin=US9668371068
Subscribe to WSJ: http://online.wsj.com?mod=djnwires