Apple Pay onboarding fraud is both a bank *and* an Apple problem. It is a flaw in how the banks onboard customers: they don’t ask for enough information to determine whether the person adding the account to Apple Pay is who they say they are. That process is a bank process. But since Apple controls the platform, it can dictate the onboarding best practices and allow onto the platform only banks that take the best security measures. These security measures are well known, since there have been numerous mobile payment schemes over the past few years, from Google Wallet to Softcard to PayPal to LevelUp to merchant-specific apps. Apple clearly did not compel the banks that initially joined Apple Pay to put the most robust account check and provisioning processes in place. So both Apple and the banks share blame. That being said, the customer should be able to trust the bank to safeguard their account information, so I place more of the blame on the banks.
It is also an Apple “branding” problem in the sense that one of Apple’s largest value propositions is that it *doesn’t* collect customer data and it provides the highest level of security. The security story is certainly true once the account token has been properly provisioned to the actual account holder’s device. But it is not true in the end-to-end sense, given the onboarding loophole.
Finally, there was a March 6 story in the WSJ implying that this security hole has been plugged. If that is true, the story is less about ongoing security issues and more about “how the heck did the banks and Apple allow this problem to go unchecked for 6 months?”