Fraud Comes to Apple Pay

Thursday, March 5th, 2015

Apple has gone to great lengths to secure Apple Pay:

It uses a “secure element” within the latest iPhones to store the encrypted payment data separate from the rest of the phone. It uses a fingerprint reader to assure that the phone’s owner is making the purchase and issues a one-time code so merchants don’t see customers’ credit card information.

However, the weakness identified by Abraham occurs at an earlier stage, when a user is adding a credit card to Apple Pay. When a user adds a card, Apple says it sends information such as the type of phone, the last four digits of the user’s phone number and the user’s general location to the issuing bank, which decides whether to provision the card for Apple Pay.

Banks can ask for additional information if their information doesn’t match Apple’s. In those cases, a bank may ask a user to call in to answer additional security questions. Abraham says that some banks made it too easy for such customers to be approved, because they wanted to reduce the friction of adding their cards to Apple Pay. For example, he said some banks asked for the last four digits of a customer’s Social Security number, which is easy to answer if the fraudster knows that person’s credit history or personal information.
