After familiarizing himself with the scanning and verification process by uploading a couple of cards that actually belonged to him, Derene then attempted to add two of his CR co-workers’ cards (presumably with their knowledge).
“[A]t first it looked as if those cards were going to be approved,” he writes, but the attempt to scan other people’s cards hit a roadblock when the issuing banks requested additional verification via text message, e-mail, or over the phone.
This is the usual kind of out-of-band step-up check that most financial institutions apply when someone logs in to their website or mobile app for the first time: the bank sends a one-time code to the contact details it already has on file for the cardholder. Without that requested security info, Derene was unable to add his colleagues’ cards to his Apple Pay.
But when he scanned in his wife’s Citibank MasterCard (with her knowledge but without any verification info that would give him access to her account), Derene says there were no additional steps required to authorize the card.
“That was unexpected, since it is my wife’s private card, and she has never authorized me as a user,” he explains. “Also, that card isn’t associated with our family iTunes account. In fact, I have no current financial relationship with Citibank at all.”
But that didn’t stop Derene from going on a wild spending spree with his wife’s card at McDonald’s, where he used Apple Pay to purchase five (5) cheeseburgers and fries, none of which he shared with his wife (or with any Consumerist staffers).
The spree continued at Walgreens, where he purchased cleaning supplies using Apple Pay.
“All the transactions were quick and seamless with the Apple Pay system,” writes Derene.
Just in case this was some sort of glitch, Derene convinced one of his married co-workers to try the same thing and see whether he could get the same unfettered access to his own wife’s Citi MasterCard through Apple Pay.
“He was able to add her card to his account with no additional verification, and he bought several items using Apple Pay with her card,” writes Derene, adding that the co-worker’s wife did receive an e-mail from Citi welcoming her to Apple Pay and letting her know that she could remove the card from the system if she had concerns.
When contacted for comment on the ease of scanning and using their spouses’ cards, Apple pointed to the card-issuing banks, saying it is up to these institutions to decide how to authorize their customers’ cards for use on Apple Pay.
A rep for Citi shed a little light on the issue, saying that since Derene was able to provide all the relevant info from the card — number, expiration date, CVV code — and since the address on the family’s iTunes account is the same as the address for his wife’s card, the account was verified.
The rep also pointed out that, as part of the authorization process, Derene had agreed to the terms and conditions, certifying that the card was his.
Derene points out that easy access to a spouse’s credit card is nothing new, and that he could have just as easily added her card info to his Amazon account before going on a spending spree, all without an iPhone or Apple Pay.
But that doesn’t change the fact that the process for adding cards to Apple Pay could be improved to prevent this sort of unauthorized access: the card number, expiration date and CVV are printed on the card itself, and a matching billing address proves only that the person scanning it lives at the cardholder’s address.
“Since the system already has the ability to do two-step verification, why didn’t the banks and Apple make it the only way to authorize a card for use?” asks Derene, who says it only takes a few seconds to legitimately verify a card.
“Sure, it’s not as convenient as simply pointing an iPhone camera at your credit card and instantly authorizing it for use,” he concludes, “but I know that my wife would have appreciated the extra verification step—and she also wishes I had brought her home at least one of those cheeseburgers she paid for.”
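To make the two policies concrete, here is an added Python model of an issuer’s provisioning decision: the weak rule the Citi rep describes (printed card data plus a billing address that matches the wallet account’s address is enough) beside the rule Derene asks for (printed card data only earns a one-time code sent to the cardholder’s own phone or e-mail). This is example code written for this article, not Apple’s or Citi’s actual logic; the policy names, the data shapes, the sample card and the OTP handling are all assumptions made for the illustration.

```python
"""Hypothetical model of an issuer deciding whether a scanned card may be
added to a mobile wallet. Added example only; not Apple's or Citi's code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class CardOnFile:
    """What the issuer knows about the card and its legitimate holder."""
    pan: str
    expiry: str
    cvv: str
    billing_address: str
    holder_contact: str  # phone/e-mail the issuer sends a code to


@dataclass
class ProvisioningRequest:
    """What the wallet forwards to the issuer when a card is scanned."""
    pan: str
    expiry: str
    cvv: str
    wallet_account_address: str  # address on the iTunes/wallet account
    accepted_terms: bool


# Constructed sample data (assumption): one card belonging to the spouse.
ISSUER_CARDS = {
    "5555000011112222": CardOnFile("5555000011112222", "12/27", "123",
                                   "1 Example St, Yonkers NY", "spouse-phone"),
}


def card_data_matches(card: CardOnFile, req: ProvisioningRequest) -> bool:
    """Static check of the data printed on the card: PAN, expiry, CVV."""
    return (card.pan == req.pan and card.expiry == req.expiry
            and hmac.compare_digest(card.cvv, req.cvv))


def decide_address_match(req: ProvisioningRequest) -> str:
    """Weak policy as the article describes it: correct printed data plus a
    billing address equal to the wallet account's address is approved outright."""
    card = ISSUER_CARDS.get(req.pan)
    if card is None or not card_data_matches(card, req):
        return "decline"
    if req.accepted_terms and card.billing_address == req.wallet_account_address:
        return "approve"  # anyone in the same household passes this test
    return "step_up_required"


def decide_always_step_up(req: ProvisioningRequest) -> str:
    """Hardened policy: printed card data never approves on its own; it only
    earns a challenge delivered to the cardholder's own contact."""
    card = ISSUER_CARDS.get(req.pan)
    if card is None or not card_data_matches(card, req):
        return "decline"
    return "step_up_required"


# Out-of-band step-up: one-time code sent to the holder's contact, not to
# the device doing the scanning.
_PENDING = {}  # challenge_id -> (pan, sha256(code), expires_at)
OTP_TTL_SECONDS = 300


def issue_challenge(pan: str, now: float = None) -> tuple:
    """Create a 6-digit OTP for the card. Returns (challenge_id, contact, code);
    a real issuer would return only the id and deliver the code to `contact`."""
    card = ISSUER_CARDS[pan]
    code = f"{secrets.randbelow(10**6):06d}"
    challenge_id = secrets.token_hex(8)
    expires_at = (now if now is not None else time.time()) + OTP_TTL_SECONDS
    _PENDING[challenge_id] = (pan, hashlib.sha256(code.encode()).hexdigest(), expires_at)
    return challenge_id, card.holder_contact, code


def verify_challenge(challenge_id: str, code: str, now: float = None) -> bool:
    """Single-use: the challenge is consumed on the first attempt, so a wrong
    guess burns it and a replayed correct code fails; expired codes fail too."""
    entry = _PENDING.pop(challenge_id, None)
    if entry is None:
        return False
    _pan, digest, expires_at = entry
    if (now if now is not None else time.time()) > expires_at:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest())


def run_scenario() -> dict:
    """The article's case: a spouse scans the card from a wallet account that
    shares the cardholder's billing address."""
    spouse = ProvisioningRequest("5555000011112222", "12/27", "123",
                                 "1 Example St, Yonkers NY", accepted_terms=True)
    results = {"address_match": decide_address_match(spouse),
               "always_step_up": decide_always_step_up(spouse)}
    cid, _contact, code = issue_challenge(spouse.pan)
    wrong = "000000" if code != "000000" else "000001"
    results["guess_fails"] = verify_challenge(cid, wrong)
    cid, _contact, code = issue_challenge(spouse.pan)  # holder reads her phone
    results["holder_code_works"] = verify_challenge(cid, code)
    results["replay_fails"] = verify_challenge(cid, code)
    return results


if __name__ == "__main__":
    print(run_scenario())
```

Under `decide_address_match` the spouse’s request is approved with nothing beyond what is printed on the card and a shared mailing address, which is exactly the gap the article reports; under `decide_always_step_up` the same request stalls until the code sent to the cardholder’s own contact is entered, and that code is single-use and time-limited so it cannot be replayed or guessed at leisure.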