Man gets four years in prison for $1.5M Apple Pay fraud

Posted:
in General Discussion edited December 2019
A U.S. district judge has sentenced a 30-year-old Miami resident to over four years in federal prison for his part in a criminal enterprise that leveraged Apple Pay to make more than $1.5 million in purchases using victims' credit cards.




Daniel Butler and three accomplices obtained at least 477 credit card accounts, later linking them to Apple Pay on their iPhones, according to a statement released by the U.S. Attorney's Office on Friday.

According to a separate indictment of co-conspirator Max Johnny Wesley, filed with the U.S. District Court for the Middle District of Florida in 2018, members of the group would call credit card issuers and pose legitimate card holders, enabling access to and control over the credit card accounts in question. This method was likely used to provision each card in Apple Pay.

Starting in 2015, Butler and other members of the group began to make purchases via Apple Pay, skirting the need to present a physical card to retail staff for inspection. Whether the scheme was implemented to purchase goods online is unknown.

In total, the group made over $1.5 million in fraudulent purchases, according to the announcement.

U.S. District Judge Brian J. Davis sentenced Butler to 54 months in federal prison for conspiracy to commit wire fraud and identity theft. In December 2018, Wesley was sentenced to four years in federal prison. Rachel Bishop and Laurent Pierre Louis, also implicated in the plot, are scheduled for sentencing in December.

The group's activities match closely with a string of fraudulent purchases first reported in March 2015, some two months after Butler, Wesley, Bishop and Louis began their illicit venture. At the time, reports claimed criminals were purchasing big-ticket items at Apple Stores and other retailers using fraudulent Apple Pay accounts created in part with credit card data stolen from Home Depot and Target. Credit card information was subsequently added to Apple Pay on iPhone 6 devices and used to complete purchases at NFC point of sale terminals.

Shortly after Apple Pay launched, Apple's bank partners were sent "scrambling" to quash a rash fraudulent activity stemming from overly lax cardholder verification procedures. While Apple Pay is designed for a secure user experience, Apple itself is not in charge of credit card verification, a task that falls on the shoulders of issuing banks.

When the service debuted, financial partners sent customers down two verification paths: a so-called "green path" that immediately provisioned a card without further inspection or a "yellow path" that required additional steps to verify a user's identity. Though the yellow path was intended to provide additional safeguards against fraud, a study in 2015 found it to be somewhat lenient, with banks asking for information that was relatively easy to attain.

Many issuing banks have amended their respective guidelines to default to a more stringent user verification process. For example, some issuers mandate Apple Pay customers call banking staff to answer a panel of questions before a credit or debit card is provisioned for use.
«1

Comments

  • Reply 1 of 21
    sflocalsflocal Posts: 6,092member
    I think the headline implies that there was a security flaw with ApplePay when there was not.  The credit card issues - as usual - are the ones at fault. 

    This is why I will never, ever trust anything a bank can do when it comes to security no matter how much they say they do.  So long as there is a person involved somewhere in the chain, the opportunity to exploit that weakness is very real.
    vtvitastompycy_starkmanMisterKitchiawatto_cobra
  • Reply 2 of 21
    Sflocal > Your remark is insightful. Good for you.
    I appreciate it.
    watto_cobra
  • Reply 3 of 21
    sflocal said:
    I think the headline implies that there was a security flaw with ApplePay when there was not.  The credit card issues - as usual - are the ones at fault. 

    This is why I will never, ever trust anything a bank can do when it comes to security no matter how much they say they do.  So long as there is a person involved somewhere in the chain, the opportunity to exploit that weakness is very real.
    You are absolutely correct, say 110 percent. Thank u for your inputs 
    watto_cobra
  • Reply 4 of 21
    sflocal said:
    I think the headline implies that there was a security flaw with ApplePay when there was not.  The credit card issues - as usual - are the ones at fault. 

    This is why I will never, ever trust anything a bank can do when it comes to security no matter how much they say they do.  So long as there is a person involved somewhere in the chain, the opportunity to exploit that weakness is very real.
    banks mess it up without a human in the chain. they are still one of the few online logins that i find will demand fixed length passcodes and have fixed length account identifiers; and allow only numbers, or sometimes letters but no symbols.

    they demand you sign anything physical or in branch but never check the signature. even with two to sign accounts. though this is human.

    phone banking in branch, where you can simply record the tones and have full account access.

    it seems like banks are actively clueless about fraud prevention or security and have been as long as i have used them.
  • Reply 5 of 21
    jimh2jimh2 Posts: 611member
    Unfortunately the costs of fraud like this are built in to the interest charged by the banks.
    watto_cobra
  • Reply 6 of 21
    AppleExposedAppleExposed Posts: 1,805unconfirmed, member
    sflocal said:
    I think the headline implies that there was a security flaw with ApplePay when there was not.  The credit card issues - as usual - are the ones at fault. 

    This is why I will never, ever trust anything a bank can do when it comes to security no matter how much they say they do.  So long as there is a person involved somewhere in the chain, the opportunity to exploit that weakness is very real.


    Won't stop sites and their army of idiots with their anti-Apple propaganda.
    lkruppwatto_cobra
  • Reply 7 of 21
    lkrupplkrupp Posts: 10,557member
    sflocal said:
    I think the headline implies that there was a security flaw with ApplePay when there was not.  The credit card issues - as usual - are the ones at fault. 

    This is why I will never, ever trust anything a bank can do when it comes to security no matter how much they say they do.  So long as there is a person involved somewhere in the chain, the opportunity to exploit that weakness is very real.


    Won't stop sites and their army of idiots with their anti-Apple propaganda.
    Does that include AI these days?
  • Reply 8 of 21
    linkmanlinkman Posts: 1,035member
    I remember setting up Apple Pay with my CC account in 2016 (Citibank) and it required some extra steps to authorize it (can't remember exactly, but it was either a code to my already-authorized phone number or confirm using my online banking credentials). It's very unlikely that a criminal like this who obtained only my card info would be able to add that account on AP to their phone.

    I can't find the info -- is there a list of issuers that these criminals were able to use?
    watto_cobra
  • Reply 9 of 21
    SoliSoli Posts: 10,035member
    linkman said:
    I remember setting up Apple Pay with my CC account in 2016 (Citibank) and it required some extra steps to authorize it (can't remember exactly, but it was either a code to my already-authorized phone number or confirm using my online banking credentials). It's very unlikely that a criminal like this who obtained only my card info would be able to add that account on AP to their phone.

    I can't find the info -- is there a list of issuers that these criminals were able to use?
    I've had cards that required no additional step(s) to activate. I don't think they were always like that and I wondered if they used my phone number.
    edited October 2019 watto_cobra
  • Reply 10 of 21
    flydogflydog Posts: 1,123member
    sflocal said:
    I think the headline implies that there was a security flaw with ApplePay when there was not.  The credit card issues - as usual - are the ones at fault. 

    This is why I will never, ever trust anything a bank can do when it comes to security no matter how much they say they do.  So long as there is a person involved somewhere in the chain, the opportunity to exploit that weakness is very real.
    It doesn’t imply that at all. 
    gatorguy
  • Reply 11 of 21
    Apple should have required additional security precautions be enabled when they launched ApplePay.  Apple claimed it was the most secure, and obviously it is not since many cards required no additional verification to be added to ApplePay.
  • Reply 12 of 21
    GeorgeBMacGeorgeBMac Posts: 11,421member
    sflocal said:
    I think the headline implies that there was a security flaw with ApplePay when there was not.  The credit card issues - as usual - are the ones at fault. 

    This is why I will never, ever trust anything a bank can do when it comes to security no matter how much they say they do.  So long as there is a person involved somewhere in the chain, the opportunity to exploit that weakness is very real.
    Yeh, chuckle...   Me too -- absolutely...   Unfortunately, typically you have little choice.
    When I contacted Goldman / AppleCard asking why they were forcing me to link my bank account to their bank instead of letting me use Apple Cash to pay, they were dismissive.  When I pointed out that my account could be drained if their system was hacked, he acted all offended and insulted.

    The point is:  when it comes to money the advice from my auditing course stands:  "Trust nobody.  Check everything".
    muthuk_vanalingamwatto_cobra
  • Reply 13 of 21
    RhythmagicRhythmagic Posts: 63unconfirmed, member
    Bam!
  • Reply 14 of 21
    SoliSoli Posts: 10,035member
    Apple should have required additional security precautions be enabled when they launched ApplePay.  Apple claimed it was the most secure, and obviously it is not since many cards required no additional verification to be added to ApplePay.
    Even if a card issuer chooses not to use additional verification to setup a card in Apple Pay it's still more secure than simply using the physical card number to make a purchase.
    GeorgeBMac
  • Reply 15 of 21
    linkmanlinkman Posts: 1,035member
    sflocal said:
    I think the headline implies that there was a security flaw with ApplePay when there was not.  The credit card issues - as usual - are the ones at fault. 

    This is why I will never, ever trust anything a bank can do when it comes to security no matter how much they say they do.  So long as there is a person involved somewhere in the chain, the opportunity to exploit that weakness is very real.

    @sflocal if you really mean what you say then you don't use a bank.
  • Reply 16 of 21
    YP101YP101 Posts: 159member
    Well, these days bank account, credit card has limit notification so if you set up limit notification to $20 transaction then anything someone buying with your stolen card or bank debit card will notify you via text message and/or e-mail.
    I guess above victim did not set that.

    Anyway $1.5M for only 4 year prison time? Another 4 years of worthless person(s) life continue by tax payer's money..

    watto_cobra
  • Reply 17 of 21
    GeorgeBMacGeorgeBMac Posts: 11,421member
    linkman said:
    sflocal said:
    I think the headline implies that there was a security flaw with ApplePay when there was not.  The credit card issues - as usual - are the ones at fault. 

    This is why I will never, ever trust anything a bank can do when it comes to security no matter how much they say they do.  So long as there is a person involved somewhere in the chain, the opportunity to exploit that weakness is very real.

    @sflocal if you really mean what you say then you don't use a bank.
    He didn't say he didn't use them.  He said he didn't trust them. 
    Solimuthuk_vanalingamwatto_cobra
  • Reply 18 of 21
    GeorgeBMacGeorgeBMac Posts: 11,421member
    YP101 said:
    Well, these days bank account, credit card has limit notification so if you set up limit notification to $20 transaction then anything someone buying with your stolen card or bank debit card will notify you via text message and/or e-mail.
    I guess above victim did not set that.

    Anyway $1.5M for only 4 year prison time? Another 4 years of worthless person(s) life continue by tax payer's money..

    I have my notification level set to $1.00   And, I have caught 2 fraudulent uses of my card -- both for around $25.   I suspect the criminal may be trying to keep the amount low so, for most people, they will just gloss right over it when reviewing their monthly statement and the card remains usable.

    But, since switching to only using those organizations who accept Apple Pay whenever possible (even going so far as to favor Sheetz for gas because they take it at the pump) I (knock on wood) have not had a problem.
    watto_cobra
  • Reply 19 of 21
    Here is the real takeaway from this article:

    If you have an iPhone and use Apple Pay you should add all of your credit and debit cards that support it. This protects you from anyone else adding your cards onto their iPhones. There was a thread recommendIng this soon after Apple Pay rolled out. 
    watto_cobra
  • Reply 20 of 21
    croprcropr Posts: 1,122member
    I work a few days a month as an external fraud analyst for a European bank that has Apple Pay.   As all European banks, the bank is very strict on security, resulting in low fraud figures.   (This cannot be said of all US banks)

    The last few months the bank has seen an important rise of fraud cases due to phishing attacks targeted at Apple Pay users.  After investigation,  we detected that a lot of Apple Pay users are convinced that Apple Pay is 100% secure and that they as a consequence are quite sloppy when receiving phishing emails.

    Of course Appe Pay is secure.  In fact it is a virtual chip based credit card and inherits the security characteristics of the latter.  But this does not mean that phishing fraud cannot happen.  So one still has to be vigilant, even with Apple Pay.
    muthuk_vanalingamwatto_cobra
Sign In or Register to comment.