The elaborate con described by Charles Arthur in Monday’s The Guardian — Apple Pay: A new frontier for scammers — may be the most Apple-centric fraud yet.
Organized crime rings, he reports, are using stolen social security numbers to buy the latest iPhones, “provisioning” them with stolen credit cards, and distributing them to low-level couriers (“mules”) who use the new Apple Pay system accepted at all Apple Stores to buy pricy Apple products that can be quickly resold.
Arthur is careful to point out that the crooks have not broken Apple Pay’s fingerprint-activated wireless payment mechanism. Rather, they have exploited lax security at banks and other financial institutions that issue credit cards
“The soft underbelly [in Apple Pay] proved to be provisioning of cards,” writes Cherian Abraham, a mobile-payments specialist, on his Drop Labs blog.
Abraham’s Feb. 22 post — Rampant: Explaining the current state of Apple Pay fraud — was The Guardian’s main source for Monday’s story, and it’s got some critical details about how Apple interacts with credit card issuers that I hadn’t seen before.
It seems Apple Pay sends requests to authorize a credit card down one of two paths: green or yellow, depending.
Green is for recognized customers with a long history. Not much fraud happening there, according to Abraham.
Requests get kicked to the yellow path if:
- The Apple ID and card were paired past a specific date threshold
- The Apple account was recently modified
- The Apple account has not had any activity for over a year
- The Apple ID is too new, relative to the Apple Pay launch and to the provisioning request.
.
Some yellow path requests go to the banks’ own apps, which aren’t easy to fool. Others get sent to call centers staffed by notoriously easy targets. As Abraham puts it: “Fraudsters are better at social engineering than call center reps are at sniffing out fraud.”
Abraham faults Apple for not pushing banks harder to shore up their yellow path procedures, as apparently they were advised to do.
And he sees more trouble ahead, as mobile payment systems proliferate.
“Remember folks,” he writes. “Fraud scales. Call centers do not.”
See also: The iPhone, the carriers and the credit mules
Follow Philip Elmer-DeWitt on Twitter at @philiped. Read his Apple AAPL coverage at fortune.com/ped or subscribe via his RSS feed.
