Retail security breaches come back to haunt Apple Pay

Credit cards stolen from retailers like Target and Home Depot being used for fraud on Apple Pay

Remember all of those security breaches suffered by retail outlet from Target to Home Depot and Dairy Queen? The ones that affected millions of customers and cost those companies millions of dollars?

Yeah, we're not quite done with that yet. And now its starting to expose a big weakness in mobile payments as well.

Apple Pay, the mobile-wallet payment system launched by Apple last year, has been seeing a large number of fraudulent transactions recently, from customers using credit cards stolen in those security breaches, according to a report out from the Wall Street Journal on Thursday.

And the majority of those fraudulent purchases have been made at Apple Store, because of the higher price of those goods, as opposed to other retailers, like Whole Foods and Panera Bread, which don't offer anywhere near the same retail value.

To be clear: the Apple Pay system itself has not been breached, but rather used by hackers who are taking advantage of the fact that it allows them to make purchases without having to provide a physical credit card. 

“Apple Pay is designed to be extremely secure and protect a user’s personal information," an Apple spokesman told the Journal.

What these hackers have exposed is a glaring weakness in mobile payments: the lack of two-factor authentication makes it that much easier to spread credit card numbers around the Internet. Websites at least will ask for CVV on the back of the card for proof.

It is unclear what, if anything, Apple is doing to protect its uses from fraud, but the banks that are using the platform are already said to upping their security in order to stem the tide.

VatorNews has reached out to Apple for confirmation and comment on this report. We will update this story if we learn more. 

Security breaches

A significant number of large retail stores were hit by a wave of hackings in 2013 and 2014.

The cyber attack on Target occurred between November and December of 2013, affecting up to an astounding 70 million customers who shopped there, as well as 40 million credit cards.

Michael's was hacked in 2014, putting 3 million cards at risk and a Neiman Marcus breach in January of 2014 put 1.1 million cards at risk.

In October, Dairy Queen revealed that it too was breached, though the exact size and scope was not revealed. A Kmart breach the same month also did not come with any numbers.

The other really large retail hacking  was of the Home Depot in September. That one may have been even bigger than Target, potentially affecting 56 million credit cards and 53 million e-mail addresses.

And yet none of these other breaches have, so far, cost as much as Target's has. Neiman Marcus saw a net loss of $147.2 million in 2014, compared with net income of $163.7 million in 2013, and attributed that lost to expenses, including legal fees and the cost of credit monitoring services, from the hacking. 

In an recent SEC filing, Home Depot stated that the data breach cost the company $43 million in the third quarter of 2014 alone, though that was partially offset by a $15 million receivable, getting the number down to $28 million. 

So far, though, Target has still taken the biggest hit. 

In the fourth quarter of 2013, Target said it saw $61 million in expenses relating to the breach, but ultimately only claimed a loss of $17 million, due to $44 million being offset by insurance receivables. Much more money was lost in 2014: a total of $191 million was spent, though it came down to $145 million due to $46 million insurance receivable.

Add all of that up, it comes to a total of $162 million over the span of the two years.

(Image source: cynic.org.uk)