Apple Pay Fraud Gives Us A New Reason To Hate SSNs And Data Breaches

The fact that attackers may have made millions of dollars in fraudulent Apple Pay purchases is just another example of how poor implementation renders even the best security technology worthless.

Only last week, payment security specialists told Black Reading that Apple’s secure mobile payment technology, released in September, is not inferior to some of the other payment tech out there. Since then, however, they have become aware of “wild” Apple Pay fraud, detailed nicely by The Guardian.

While specialists were surprised by the speed of the attackers and the extent of the fraud, they maintain that the technology is strong.

“Apple Pay is very good,” says prominent Gartner analyst Avivah Litan. “It is the bank procedures for identity-proofing which are poor.”

“More needs to be carried out to make sure the apparatus to which information is provisioned belongs to the valid accountholder.”

Some banks give approval based on such information, and others add an additional authentication step. Often that additional check is just a phone call asking the person claiming to be the accountholder to confirm the last four digits of their Social Security number. In that case, fraudsters do not need to try to break into Apple’s token vault or into the issuing bank: they can get personal information, including SSNs, by breaching third parties’ databases or by just purchasing it on the black market.

SSNs overlap two types of authentication factors, “something you know” and “something you are,” and offer only the worst features of both. A last-four-digit combination is no harder to brute force than any 4-digit PIN. SSNs are nearly impossible to change, unless you’ve joined the Witness Protection Program, already had wide-ranging identity theft issues, or shown you have extreme religious objections to your particular number. Plus, it’s impossible to check that an SSN is actually “you,” because the Social Security Administration will neither confirm nor deny that a particular SSN matches a specific name.

“Luckily, we have better alternatives for call center authentication, including biometrics or telephone print authentication.”

Litan recommends that financial institutions reduce their reliance on static information (such as SSNs), increase their use of dynamic information (such as behaviour analysis), and layer multiple authentication procedures on top of one another. For instance: analyzing linkages between name, email address, telephone number, mailing address, and device; analyzing behaviour, such as navigation and network habits; and analyzing endpoint-centric variables such as device and geolocation fingerprinting. She also recommends that, for high-risk situations, financial institutions consider implementing biometric tools or slowing down the authorization process by using snail mail or requiring in-person interactions.

“As for tying the apparatus to the accountholder,” says Pascual, “there are a few technologies out there which authenticate the mobile apparatus by leveraging the relationship. We can expect these options to eventually become more popular, maybe essential to addressing this problem.”

by admin on June 6th, 2015 in Technology
