Remember the massive iCloud breach last year that resulted in hundreds of nude photos of celebrities being leaked? The same methods that hackers used to breach iCloud are being used for Apple Pay fraud. Apple’s response to this has been something along the lines of “Not our fault and not our problem.” While the first part is technically true, the second is not, and Apple really needs to step up if it wants to retain consumer trust.
To convince consumers to make purchases with their phones, Apple has touted the state-of-the-art security features of its mobile payment system Apple Pay. Those include tokenization (which provides merchants with one-time-use tokens instead of credit card numbers), storage of sensitive information on the device’s secure element, fingerprint verification, and encrypted data transfer. But it appears Apple didn’t account for one major vulnerability: social engineering, a term for the tactics hackers use to gain access to personal accounts by posing as the people whose identities they’ve stolen. This was the very weakness that led to last fall’s high-profile iCloud breach, when hackers leaked nude photos of celebrities online. The company insisted then there wasn’t “any breach in any of Apple’s systems.” While technically that may have been true—hackers gained access to accounts not through Apple’s infrastructure but likely by using widely known details about celebrities to answer security questions—customers felt stung by the experience.