By Robin Sidel And Daisuke Wakabayashi

Apple Inc.'s new mobile-payment system has been hit by a wave of fraudulent transactions using credit-card data stolen in recent breaches of big retailers, including Home Depot Inc. and Target Corp., people familiar with the matter said.

About 80% of the unauthorized purchases have been for big-ticket items purchased with smartphones at Apple's own stores, one person with knowledge of the situation said. Those Apple products have a higher resale value than most of those available through other merchants that have signed on to the Apple Pay system, such as Whole Foods Market Inc. and Panera Bread Co.

The Apple Pay system itself hasn't been penetrated by hackers. Rather, fraudsters are entering stolen card data into phones, which can then be used to make purchases without a physical card being present.

An Apple spokesman said, "Apple Pay is designed to be extremely secure and protect a user's personal information."

The bogus purchases are a setback for Apple's high-profile foray into electronic payments, even though banks are responsible for verifying customer information before cards can be used with phones.

Apple hasn't provided data on the number of Apple Pay users but says that the service accounted for two of every three dollars spent in the U.S. via mobile payments on the three major credit-card networks.

Banks that are using the Apple Pay platform are in some cases making changes to their security procedures, the people familiar with the matter said.

The fraud highlights how compromised card data can be valuable to cybercriminals long after merchants secure holes in their payment systems.

"There is a trail of fraudulent activity as a result of these larger breaches and our job is to catch that in the process," said Jeff Siekman, director of payments and commerce solutions products at Fifth Third Bancorp, a large regional bank that is based in Cincinnati.

U.S. consumers have been walloped by a string of high-profile merchant breaches in recent years that exposed their credit-and-debit card information to criminals. Home Depot said in September that 56 million cards may have been compromised in a five-month attack on its terminals, topping the 40 million cards affected by the Target breach at the end of 2013.

The effects of those incidents are being felt for some time after the breaches in large part because financial institutions that issue cards typically don't launch broad-scale replacements of the affected plastic after a merchant is hacked.

The card companies figure that the cost of potential fraud is often less than giving each customer a new card, according to payment experts and bank executives, and customers sometimes complain about the inconvenience of having to switch to new cards.

The costs of such fraud are borne by the banks because cardholders aren't responsible for unauthorized purchases.

Apple has earned a reputation for holding suppliers and partners to its exacting standards. In this instance, Apple left the process of verifying questionable cards to the banks' discretion.

Credit accounts can be added to Apple Pay by taking a picture of a physical card, or by manually entering card information. Different banks then take different additional steps to verify account details, and that the person who entered the information is the true account owner.

Some ask customers to enter additional data to confirm their identities. A few banks require customers to log into their online accounts to authorize the Apple Pay service. Sometimes, customers are asked to call customer-service representative to set up cards.

Criminals are employing relatively low-tech means to find vulnerabilities in those verification systems.

Banks are trying to stem the Apple Pay fraud by tightening their verification procedures to load card data into Apple Pay, said people familiar with the bank policies.

"Our member banks are reacting as quickly as possible to ensure their verification processes are adequate to thwart this new kind of fraud," said David Pommerehn, vice president and senior counsel at the Consumer Bankers Association, which represents lenders that issue credit and debit cards.

Several bank representatives declined to comment on the Apple Pay vulnerabilities or their efforts to quash the fraudsters.

PNC Financial Services Group Inc. has seen 35 cases of fraud out of thousands of all Apple Pay customers, said a spokesman for the Pittsburgh-based bank. "We have looked at our processes and we believe we have very strong know-your-customer processes in place to prevent any additional cases," he said.

Apple introduced the mobile-payments system with great fanfare last fall as a way for consumers to pay for purchases with phones. Although such technology had been available for several years in other mobile phones, the iPhone's popularity--combined with technology embedded in the system to make payments secure--helped to fuel enthusiasm.

Hundreds of banks have since jumped aboard, paying Apple 0.15% of every transaction made on the system. Many banks were eager to partner with Apple on the project, even though it required developing new security measures.

"They had a limited amount of time to execute and some of them were just caught by surprise by the challenges associated with doing it," said Tim Sloane, vice president for payments innovation at Mercator Advisory Group, a payments-industry consulting firm.

Apple aimed to solve the issue of stolen credit cards by working with the card networks to mask the user's information by issuing a one-time code for each purchase. But this doesn't prevent thieves from loading already stolen cards into the service.

"Apple Pay is formidable, but it still sits on a loose foundation," said Richard Crone, chief executive of Crone Consulting, a payments-advisory firm.

Banks are using an assortment of methods to authenticate cardholder identity on Apple Pay, including sending a verification text to the customer. That is considered a fairly secure method because a fraudster who has stolen card information likely doesn't have possession of the victim's phone.

Last month, Chase said more than one million customers have set up their credit and debit cards for Apple Pay. In January, Bank of America said 800,000 customers had activated 1.1 million cards on Apple Pay.

Neither bank has disclosed transaction volume. One credit-union executive said that while many customers signed up for Apple Pay, a small percentage have used it so far.

Access Investor Kit for Apple, Inc.

Visit http://www.companyspotlight.com/partner?cp_code=P479&isin=US0378331005

Access Investor Kit for The Home Depot, Inc.

Visit http://www.companyspotlight.com/partner?cp_code=P479&isin=US4370761029

Access Investor Kit for Panera Bread Co.

Visit http://www.companyspotlight.com/partner?cp_code=P479&isin=US69840W1080

Access Investor Kit for Target Corp.

Visit http://www.companyspotlight.com/partner?cp_code=P479&isin=US87612E1064

Access Investor Kit for Whole Foods Market, Inc.

Visit http://www.companyspotlight.com/partner?cp_code=P479&isin=US9668371068

Subscribe to WSJ: http://online.wsj.com?mod=djnwires

Apple (NASDAQ:AAPL)
Historical Stock Chart
From Mar 2024 to Apr 2024 Click Here for more Apple Charts.
Apple (NASDAQ:AAPL)
Historical Stock Chart
From Apr 2023 to Apr 2024 Click Here for more Apple Charts.