NEW YORK (TheStreet) -- Apple Pay has come under scrutiny because of apparent credit card fraud, but multiple sources say a fix is in the works in the aftermath of a flood of news stories on an apparent security flaw.
The problem is simple. With stashes of millions of stolen credit card details harvested in the recent breaches at Target (TGT), Home Depot (HD) and others, thieves have realized that an iPhone can, in effect, be transformed into a credit card substitute by loading it with a stolen number. Before, those criminals could only shop at online retailers. Now, with an iPhone, they can walk out of retail stores with merchandise they can sell.
"Criminals may not be able to manufacture a plastic credit card that they can use, but if they have the card number and a few other details they can enroll it in Apple Pay and their iPhone, in effect, becomes a credit card," said Patrick Nielsen, a senior security expert at Kaspersky Lab.
Since its inception, Apple Pay’s purportedly stronger security has been touted by Apple (AAPL) CEO Tim Cook, who pointed to fingerprint biometrics, including TouchID, and turning the transaction data into something non-sensitive, a process known as tokenization.
But at least some experts think Apple Pay may not be as safe as advertised.
Cherian Abraham, who heads mobile commerce & payments at Experian Global Consulting, blogged in early January on DropLabs.net that one credit card issuer -- which he couldn't name -- said Apple Pay fraud is running at a rate of $6 per $100 in transactions, some 60 times higher than normal.
Gartner analyst Avivah Litan said in an email that "every bank issuer has been impacted by it, according to my bank sources." She believes all mobile payments solutions are likely to have problems similar to what appears to be plaguing Apple Pay.
That's because the security issue revolves around card enrollment, said Nielsen.
No one claims that the volume of fraud in Apple Pay is enormous. Indeed, the overall volume of transactions on Apple Pay is relatively small, even if the device currently accounts for two-thirds of all contactless payments in the U.S. "I doubt the volume of fraud is out of control since [Apple Pay] still constitutes a fraction of the transactions out there," Litan said.
What’s more, nobody is suggesting that significant vulnerabilities have emerged with Apple Pay's fingerprint biometric, or the tokenization of transaction details. Chris Schweigert, security director at EiQ Networks, said: "To date, no one is subverting the biometric authentications in your iPhone or cracking the NFC protocols."
If a criminal has a card number, an expiration date and a security code, they can begin the enrollment. It's then up to the bank what happens next, Nielsen said. It can green-light the card, immediately enrolling it. It can red-light it, denying it access, or it can yellow-light it, which knocks the procedure up a level, typically involving a call to a call center.
One source close to the banks said that many banks are now moving to adopt stepped-up security. Others said that card networks, Apple, and issuing banks are newly serious about ending enrollment fraud. The card networks and banks declined comment.
"During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay," an Apple spokesperson said. "Banks are always reviewing and improving their approval process, which varies by bank."
Tim Sloane, an Apple Pay expert at Mercator Advisory, agreed that solutions are coming. He believes “many banks took a bath in the early weeks of Apple Pay,” but they had toughened up the card enrollment process, with some requiring users to log into their online banking account to activate Apple Pay. Other banks are asking questions that hackers are unlikely to know the answers to, such as what purchases were made yesterday on the card.
Experts said they expected the fraud problems to be largely solved at most banks very soon. Sloane said that at banks that run their own cardholder call centers - that is mainly the biggest banks - fixes likely are already in place or soon will be. At institutions that outsource cardholder call center operations, there may be a delay, said Sloane, but likely not for long, because everybody now knows the matter requires a quick fix.
Nick Holland, a payments expert at Javelin Strategy + Research, agreed. "This is teething pains for Apple Pay. It will pass."