Recently, the lay press has reported that, in practice, Apple Pay is not as secure as Apple would like us all to believe. In fact, there appears to be a higher rate of credit card fraud associated with the new service.
Rich Mogull, TidBITS’ security expert, took a closer look at the issue. To make a long story short, the issue appears to be in the process banks follow when linking your card to your iPhone, a process the banks call “onboarding”. During the process, Apple provides the bank with, among other things, the last four digits of the phone number, the device name, and the latitude and longitude of the device at the time of provisioning, rounded to whole numbers. Using this information, the issuing bank determines whether to approve adding the card to Apple Pay. The problem appears to be that if the bank does not use all the supplied information, your card could be associated with a thief’s iPhone, and the thief could then spend your money until caught. In any case, when you register your card on your iPhone, you should receive an email notification from your bank, at the email address they have on file, saying your card has been registered with Apple Pay. If you receive such an email and you didn’t register your card, or don’t have an iPhone 6 or 6 Plus, act fast because a thief has your number.
To understand the issue in greater depth, check out Rich’s article over at TidBITS.com.