The whole US credit card security system is deeply flawed – that’s the problem. The mobile commerce advisory firm Drop Labs has a good post on how Apple Pay security does and doesn't work.
In essence, the hardcore tech stuff for Apple Pay works just fine: no one is breaking TouchID, stealing iPhones to pay for stuff, or hacking the NFC transmission protocol. The problem isn’t with Apple Pay, as the company created a safe environment for mobile payments; the flaw lies in credit cards themselves.
People are buying credit-card numbers online, then loading those same numbers into Apple Pay, in essence making themselves a handy fake credit card, without going to the trouble of making a physical fake. And it's not a small problem: for some issuers, fraud levels are as high as 6% (meaning $6 of every $100 is being spent fraudulently in the US). That's bad even when compared to regular credit cards, whose fraud rate averages out at under 1%.
This is possible because of two flaws with the system. Most problematically, it's easy for hackers to steal credit-card numbers from shops and then sell those numbers online. That's a fundamental problem with the credit-card system and something that Apple Pay is just an unwitting victim of. The second issue, however, is specific to Apple Pay. In short, banks aren't taking the proper measures to ensure that the credit-card owner is the one using the credit card in Apple Pay. Most banks use a phone call to authenticate when a card is loaded into Apple Pay, a method that's woefully inadequate.
While there's obviously not a lot that can be done about stolen credit-card numbers, banks should be able to fix their authentication system to make Apple Pay less fraud-ridden in the short run. But what this data really tells us is that as long as credit cards and their unencrypted magnetic strips continue to exist, no system (even one with fingerprints and special secure chips) can prevent attacks on your credit card.