A 30-year-old Miami man – Daniel Butler – was sentenced to more than four years in federal prison for putting 477 stolen credit cards on Apple Pay and iPhones and then racking up more than $1.5 million in purchases.
Since there is no limit for Apple Pay transactions on the iPhone, Butler was able to charge many of the cards right to their limit and steal large amounts on each one.
He didn’t act alone. In fact, he coordinated the whole scheme with 3 other co-conspirators who also pleaded guilty to participating in the fraud. Butler’s sentencing follows the pleas of his three co-conspirators. In December 2018, Johnny Max Wesley (24, Miami) was sentenced to four years in federal prison. Rachel Bishop (27, Miami) and Laurent Pierre Louis (31, Miami) are scheduled to be sentenced in December 2019.
Sophisticated Account Takeover Scheme
Court documents said Butler and the others tricked credit card companies into giving them access to account information.
As part of the conspiracy, Butler and his group would repeatedly telephone credit card issuers, including Capital One Bank, falsely represent that they were credit cardholders, and trick the card issuer into giving the defendants or their co-conspirators access to, and control over, the legitimate cardholders’ accounts.
After they were able to get access to the legitimate cardholder accounts, the group would drive from store to store making fraudulent purchases with their iPhones.
Many of the purchases were for prepaid debit cards, a technique they used to drain the credit cards and get cash.
Apple Pay’s Weakest Link
It should come as no surprise that Apple Pay and Apple Cards are not immune to fraud. I wrote earlier this week about the Apple Card’s first reported fraud.
For consumers, Apple Pay is a relatively safe option, thanks to Touch ID and facial recognition, which are used to verify the identity of the user prior to each card use.
The problem with Apple Pay lies in the process of loading and registering cards onto the phone. In many cases, partner banks do not have sufficient controls to prevent fraudsters from gaining access to customer accounts.
According to 9to5Mac, when you add a card to Apple Pay, the bank is supposed to verify that you are the card’s owner, preventing an unauthorized user from adding your card to another phone. While some banks make these checks via secure mobile apps, others simply ask customers to phone a call center. With access to breached details, such as those from high-profile breaches at major retailers like Target, a fraudster may have sufficient information to pass this phone check.
In this case, it appears that Capital One was fooled into letting Butler and his crew get access to legitimate customer accounts, which they were then able to load onto Apple Pay – over 477 times!
This is the largest case of Apple Pay fraud recorded.