When Apple introduced their mobile payment option Apple Pay, one of the first questions to arise was "how secure is it?" The announcement occurred after hackers stole a series of celebrity nude photos from Apple servers. If hackers can get access to photos on the server, then what is stopping them from stealing my credit card information?
This fear has hovered above Apple Pay for a while, making many suspicious of it. That fear was almost validated when The Guardian reported that scammers were using Apple Pay to scam companies and banks out of funding. According to The Guardian, the scammers are "setting up new iPhones with stolen personal information, and then calling banks to 'provision' the victim's card on the phone to use it to buy goods." Internal sources believe that these scams have cost banks and customers millions of dollars.
While banks do their best to respond to the scammers, the next question to ask is "did the scammers technically hack Apple Pay?" The Verge doesn't think so. According to the site's report, Banks left a loophole open that allows scammers to copy cards while banks verify that same card before entering it into Apple Pay. When a user tries to add a new credit card to their Apple Pay account, their bank may ask them to verify the card via text, email or a customer service call. Scammers often use the customer service call to get a copy of the card. Most customer service card calls only require the user's social security number, which most scammers already have access to if they've stolen a user's identity.
In other words, all a scammer needs to create a copy of a credit card on Apple Pay without a customer knowing is the owner's credit card info and social security number.
While this is certainly a dangerous risk, sources inside Apple told The Verge that the incidents of Apple-Pay based fraud are isolated. But if banks want to help, they will need to update their verification processes in order to minimize the potential for these hacks.