Apple's new mobile payment system is being used by low-tech criminals to buy big-ticket items using fraudulent credit card information.

As first reported by The Guardian, Apple Pay itself, which launched with much fanfare touting high-level security, has not been hacked. However, fraudsters located in the U.S. are using credit card information stolen during the high-profile breaches of Target and Home Depot last year to purchase expensive items, around 80 percent of which come from Apple's own stores, and then sell them for cash.

Apple Pay uses tokenization to generate a one-time code to be used for a single transaction in place of the card holder's credit card information, which is placed in a secure element not accessible to hackers. This method remains secure for consumers. However, the weakness lies in the identity verification process, which is handled by the banks issuing the credit cards.

To add a credit or debit card to Apple Pay, a user can simply take a picture of the card. Apple Pay then uses a "green path" authentication process in which it sends the user's encrypted information to the bank, along with other data such as the device's name and whether the user has a history of using iTunes.

"Apple Pay is designed to be extremely secure and protect a user's personal information," says an Apple spokesperson. "During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank."

Some banks take customers through an additional "yellow path" authentication process that involves a variety of measures to verify a card holder's identity. For instance, some banks require customers to call customer support to set up their credit cards but only ask for the card holder's social security number (SSN), which is useless because SSNs are often stolen with the credit card information. Every year, some 11.5 million Americans have their SSNs stolen, according to data from the U.S. Department of Justice. You can protect your credit card in your transactions by using credit card tokenization.

Cherian Abraham, a mobile payments specialist and consultant to mobile payments startup Simply Tapp, says "every issuer in Apple Pay has seen significant 'ongoing' provisioning fraud via customer account takeover." Abraham attributes the fraudulent activity to organized gangs located around Miami, Florida and Dallas, Texas.

Banks, for their part, are said to be stepping up their game when it comes to verifying customer identity. David Pommerehn, vice president and senior counsel at the Consumer Bankers Association, tells The Wall Street Journal that "banks are reacting as quickly as possible to ensure their verification processes are adequate to thwart this new kind of fraud."

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.
* This is a contributed article and this content does not necessarily represent the views of techtimes.com