Man gets four years in prison for $1.5M Apple Pay fraud
A U.S. district judge has sentenced a 30-year-old Miami resident to over four years in federal prison for his part in a criminal enterprise that leveraged Apple Pay to make more than $1.5 million in purchases using victims' credit cards.
Daniel Butler and three accomplices obtained at least 477 credit card accounts, later linking them to Apple Pay on their iPhones, according to a statement released by the U.S. Attorney's Office on Friday.
According to a separate indictment of co-conspirator Max Johnny Wesley, filed with the U.S. District Court for the Middle District of Florida in 2018, members of the group would call credit card issuers and pose legitimate card holders, enabling access to and control over the credit card accounts in question. This method was likely used to provision each card in Apple Pay.
Starting in 2015, Butler and other members of the group began to make purchases via Apple Pay, skirting the need to present a physical card to retail staff for inspection. Whether the scheme was implemented to purchase goods online is unknown.
In total, the group made over $1.5 million in fraudulent purchases, according to the announcement.
U.S. District Judge Brian J. Davis sentenced Butler to 54 months in federal prison for conspiracy to commit wire fraud and identity theft. In December 2018, Wesley was sentenced to four years in federal prison. Rachel Bishop and Laurent Pierre Louis, also implicated in the plot, are scheduled for sentencing in December.
The group's activities match closely with a string of fraudulent purchases first reported in March 2015, some two months after Butler, Wesley, Bishop and Louis began their illicit venture. At the time, reports claimed criminals were purchasing big-ticket items at Apple Stores and other retailers using fraudulent Apple Pay accounts created in part with credit card data stolen from Home Depot and Target. Credit card information was subsequently added to Apple Pay on iPhone 6 devices and used to complete purchases at NFC point of sale terminals.
Shortly after Apple Pay launched, Apple's bank partners were sent "scrambling" to quash a rash fraudulent activity stemming from overly lax cardholder verification procedures. While Apple Pay is designed for a secure user experience, Apple itself is not in charge of credit card verification, a task that falls on the shoulders of issuing banks.
When the service debuted, financial partners sent customers down two verification paths: a so-called "green path" that immediately provisioned a card without further inspection or a "yellow path" that required additional steps to verify a user's identity. Though the yellow path was intended to provide additional safeguards against fraud, a study in 2015 found it to be somewhat lenient, with banks asking for information that was relatively easy to attain.
Many issuing banks have amended their respective guidelines to default to a more stringent user verification process. For example, some issuers mandate Apple Pay customers call banking staff to answer a panel of questions before a credit or debit card is provisioned for use.
Daniel Butler and three accomplices obtained at least 477 credit card accounts, later linking them to Apple Pay on their iPhones, according to a statement released by the U.S. Attorney's Office on Friday.
According to a separate indictment of co-conspirator Max Johnny Wesley, filed with the U.S. District Court for the Middle District of Florida in 2018, members of the group would call credit card issuers and pose legitimate card holders, enabling access to and control over the credit card accounts in question. This method was likely used to provision each card in Apple Pay.
Starting in 2015, Butler and other members of the group began to make purchases via Apple Pay, skirting the need to present a physical card to retail staff for inspection. Whether the scheme was implemented to purchase goods online is unknown.
In total, the group made over $1.5 million in fraudulent purchases, according to the announcement.
U.S. District Judge Brian J. Davis sentenced Butler to 54 months in federal prison for conspiracy to commit wire fraud and identity theft. In December 2018, Wesley was sentenced to four years in federal prison. Rachel Bishop and Laurent Pierre Louis, also implicated in the plot, are scheduled for sentencing in December.
The group's activities match closely with a string of fraudulent purchases first reported in March 2015, some two months after Butler, Wesley, Bishop and Louis began their illicit venture. At the time, reports claimed criminals were purchasing big-ticket items at Apple Stores and other retailers using fraudulent Apple Pay accounts created in part with credit card data stolen from Home Depot and Target. Credit card information was subsequently added to Apple Pay on iPhone 6 devices and used to complete purchases at NFC point of sale terminals.
Shortly after Apple Pay launched, Apple's bank partners were sent "scrambling" to quash a rash fraudulent activity stemming from overly lax cardholder verification procedures. While Apple Pay is designed for a secure user experience, Apple itself is not in charge of credit card verification, a task that falls on the shoulders of issuing banks.
When the service debuted, financial partners sent customers down two verification paths: a so-called "green path" that immediately provisioned a card without further inspection or a "yellow path" that required additional steps to verify a user's identity. Though the yellow path was intended to provide additional safeguards against fraud, a study in 2015 found it to be somewhat lenient, with banks asking for information that was relatively easy to attain.
Many issuing banks have amended their respective guidelines to default to a more stringent user verification process. For example, some issuers mandate Apple Pay customers call banking staff to answer a panel of questions before a credit or debit card is provisioned for use.
Comments
I appreciate it.
they demand you sign anything physical or in branch but never check the signature. even with two to sign accounts. though this is human.
phone banking in branch, where you can simply record the tones and have full account access.
it seems like banks are actively clueless about fraud prevention or security and have been as long as i have used them.
Won't stop sites and their army of idiots with their anti-Apple propaganda.
I can't find the info -- is there a list of issuers that these criminals were able to use?
When I contacted Goldman / AppleCard asking why they were forcing me to link my bank account to their bank instead of letting me use Apple Cash to pay, they were dismissive. When I pointed out that my account could be drained if their system was hacked, he acted all offended and insulted.
The point is: when it comes to money the advice from my auditing course stands: "Trust nobody. Check everything".
@sflocal if you really mean what you say then you don't use a bank.
But, since switching to only using those organizations who accept Apple Pay whenever possible (even going so far as to favor Sheetz for gas because they take it at the pump) I (knock on wood) have not had a problem.
If you have an iPhone and use Apple Pay you should add all of your credit and debit cards that support it. This protects you from anyone else adding your cards onto their iPhones. There was a thread recommendIng this soon after Apple Pay rolled out.