When Apple announce Apple Pay last October the security of it was made a huge point for its use. After the huge iButt breach last year that was wildly publicized and eaten up by the media, Apples reputation for security has been shaken up. The whole idea behind Apple Pay is that credit card information does not pass between the retailer and consumer but that Apple Pay acts as a middle man trusted by both parties. The intention is to avoid breaches like the ones we have seen at Target and Home Depot where the weakness was in the POS systems at the retailer. In short, if the retailer never sees the sensitive information then the retailer can never leak the information.
The new vector lies in how new cards are set up. Apple Pay is now being used later on in the fraud process. Attackers are using stolen identifying information to add new credit cards to Apple Pay and then using Apple Pay to commit the fraudulent transactions. This has three main advantages to the attacker. One, the retailer can not verify the credit card information on their end because Apple has taken this burden. Two, they do not need to only stick to online transactions because they can use Apple Pay to directly purchase from retailers. Lastly, It is much harder to trace back to a person. Once a card is added to Apple Pay it can be used at any retailer that accepts it to spend as much money as possible before the card is flagged or deactivated. Interestingly enough it is estimated that 75% of the fraudulent transaction happen at Apple store themselves because to the valuable items sold and the integration with their own system.
The actual flaw in the system is low tech. There are 3 different paths that adding a new card can take, the Green Path (accepted), the Red Path (rejected) or the Yellow Path (requiring additional cooperation with the bank). Most of the fraudulent cards have been activated through the Yellow Path with banks that do not have good security practices.
Overall it is hard to pin the blame on someone with this issue. Is it the banks, Apple, or the people who got their identities stolen to begin with? What can be said for sure is that this story hurts Apples reputation for security. As with the iButt breach Apple has been more vulnerable to low tech hackers than actual holes in their code.