Scam of the day – March 6, 2015 – Security problems with Apple Pay

In the wake of the massive data breaches in recent years at Target, Home Depot and others, in which the credit card numbers of millions of consumers were stolen, many people were very enthusiastic about the launch of Apple Pay in October of 2014. Apple Pay was represented to be a safer and simpler way to make credit card purchases, and it is. The Apple Pay system permits you to tie your credit card to your iPhone and make payments using your phone and a fingerprint-activated payment mechanism. But nothing is foolproof, and we should never underestimate the power of a fool or a hacker. Lately, there have been increased reports of credit card fraud involving credit cards that are used through the Apple Pay system. What is occurring is that identity thieves are stealing credit card information and then connecting those stolen credit cards to the identity thieves’ own phones. They then use the cards through the Apple Pay system to purchase expensive goods that they can then sell for cash. Ironically, much of the fraudulent credit card use is going on at Apple stores.

The flaw is in the process by which a credit card is tied to the Apple Pay system. Credit cards are added to Apple Pay when the credit card-issuing bank electronically sends an encrypted version of the credit card to the customer’s smartphone. The bank does this only after confirming that the person requesting that the card be added to the phone is the legitimate card owner, and this is where the problem is found. Some banks are merely approving the request to add a credit card to a particular phone without confirming the identity of the person making the request, while other banks require that the customer confirm his or her identity merely by providing the final four digits of the customer’s Social Security number. Identity thieves who are able to obtain both the Social Security number and credit card number of their victims, which is not particularly difficult in many instances, are then able to get the stolen cards tied to the identity thief’s phone, and the fraud begins.


There is not much that we as consumers can do to totally stop this kind of fraud, but there definitely are steps you can take to reduce your chances of becoming a victim of it. First and foremost, we should all do our best to protect the physical security of our credit cards. You should also not leave your credit card on record when shopping online at a store that you regularly frequent, because this makes you susceptible to identity theft in the event of a data breach at that vendor. In addition, you should limit, as much as possible, the places that have your Social Security number, because you are only as secure as the places with the worst security that hold your personal information. Many companies still ask for your Social Security number as an identifier, and you should refuse to provide it whenever possible. Finally, if you are going to use Apple Pay, you should confirm with your card-issuing bank that they use strong verification procedures when authorizing your card’s use through Apple Pay.

Scam of the day – October 22, 2014 – Staples becomes the latest data breach victim

Staples, the popular office supply store, is the latest major retailer to be hacked and suffer a data breach. As I have written many times before, including in a column for USA Today in which I wrote about data breaches following the same pattern each time, the news about the Staples data breach is in the early stage where the company announces that it is investigating what it calls a “potential” credit and debit card breach. As I indicated in my USA Today column, this is because the retailer generally does not discover that it has been hacked until banks monitoring fraudulent credit card use notice a pattern of fraudulent card use that leads back to the source of the stolen credit and debit cards, which in this case was some Staples stores. Ironically, earlier in the day before it announced the “potential” data breach, Staples announced that the Staples App would work with Apple Pay, the new pay-by-phone app in the iPhone 6. Greater use of pay by phone and smart credit cards with chips would dramatically reduce the problems caused by the epidemic of data breaches targeting the magnetic stripe credit and debit cards used throughout the United States.


At the moment, we don’t yet know how long the Staples data breach, which initially appears to have been limited to stores in the Northeastern United States, has been going on. Certainly, if you have shopped at a Staples store in the last six months, you should carefully review your credit card statements and monitor your account closely. As always, I urge you not to use your debit card for retail purchases because of the greater risk of serious financial harm when compared to using a credit card, which provides greater consumer protection. As more information about this data breach becomes known, I will let you know.