Apple Pay Associated with Unusually High Credit Card Fraud: Fact or Fiction?

Recently the lay press has reported that in practice Apple Pay is not as secure as Apple would like us all to believe. In fact there appears to be a higher rate of credit card fraud associated with the new service.

Rich Mogull, TidBITS’ security expert, took a closer look at the issue. To make a long story short, the issue appears to be in the process banks follow when linking your card to your iPhone, a process the banks call “onboarding”. During the process, Apple provides the bank with the last four digits of the phone number, the device name, and the latitude and longitude of the device at the time of provisioning, rounded to whole numbers, among other things. Using this information, the issuing bank will determine whether to approve adding the card to Apple Pay. The problem appears to be that if the bank does not use all the supplied information, your card could be associated with a thief’s iPhone, and the thief could then proceed to spend your money until caught. In any case, when you register your card on your iPhone, you should receive an email notification from your bank at the email address they have on file saying your card has been registered with Apple Pay. If you receive such an email and you didn’t register your card, or don’t have an iPhone 6 or 6 Plus, act fast because a thief has your number.

To understand the issue in greater depth, check out Rich’s article over at

FREAK Attack

The blogosphere is ablaze again today with the disclosure of yet another security vulnerability in Mac OS X and iOS. To be fair, this attack can also affect nearly any browser currently being used. It involves the SSL/TLS system that allows secure connections using https:// and dates back to when US export law only allowed encryption systems of 512 bits or less to be exported outside the US. That law was lifted in the late 1990s, and nearly all secure connections nowadays use 1024-bit encryption. However, most browsers kept the capability to use the less secure encryption system if the server they were connecting with requested it. The attack, dubbed FREAK, fools the browser into using the less secure 512-bit encryption system. The significance is that 512-bit encryption can be broken with as little as $100 of rentable computing power.
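As an added example (not from the original post or from Apple), the Python below flags export-grade cipher suites, the weak 512-bit-era option described above, in a list of suite names and in what the local Python TLS client would offer. The function names are hypothetical and the sample offer list is constructed for illustration.

```python
import re
import ssl

# The TLS registry spells export suites "..._EXPORT_WITH_..."; OpenSSL spells them "EXP-...".
_IANA = re.compile(r"^(?:TLS|SSL)_(?P<kx>.+?)_EXPORT(?:1024)?_WITH_")
_OPENSSL = re.compile(r"^EXP(?:1024)?-(?P<rest>.+)$")
# OpenSSL names omit the key exchange when it is plain RSA and prefix it otherwise.
_NON_RSA_PREFIXES = ("EDH-", "DHE-", "ADH-", "DH-", "KRB5-")


def classify(suite):
    """Return 'rsa-export', 'other-export', or None if the suite is not export-grade."""
    m = _IANA.match(suite)
    if m:
        return "rsa-export" if m.group("kx") == "RSA" else "other-export"
    m = _OPENSSL.match(suite)
    if m:
        non_rsa = m.group("rest").startswith(_NON_RSA_PREFIXES)
        return "other-export" if non_rsa else "rsa-export"
    return None


def audit(suites):
    """Group the export-grade suites in `suites` by kind, preserving order."""
    found = {"rsa-export": [], "other-export": []}
    for name in suites:
        kind = classify(name)
        if kind:
            found[kind].append(name)
    return found


def local_client_suites():
    """Cipher suites Python's default TLS client context would offer."""
    return [c["name"] for c in ssl.create_default_context().get_ciphers()]


# Constructed sample: a legacy client's offer list, not captured from a real product.
SAMPLE_OFFER = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-DES-CBC-SHA",
    "EXP-EDH-RSA-DES-CBC-SHA",
]

if __name__ == "__main__":
    print("sample:", audit(SAMPLE_OFFER))
    print("this machine:", audit(local_client_suites()))
```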

A patch from Apple for both Mac OS X and iOS is being prepared and should be available next week.

To read more definitive discussions of the topic follow these links: