The transactions came from breaches at retail giants such as Home Depot (HD) and Target (TGT), the Journal said. These scammers are using stolen credit card information to create unauthorized Apple Pay accounts, and they’re using them, ironically, to make big purchases at Apple stores, reports The Guardian. They then resell the items for cash. (Apple did not respond to a request for comment.)

Although the identity swindlers have not, it seems, broken the security and strong encryption protecting Apple’s transaction technology, which has quickly become one of the most popular forms of mobile payment with more than two million Americans using it, they are taking advantage of weaknesses in the authentication schemes employed by participating banks. In other words, when checking to make sure a new Apple Pay registree is who she says she is, some banks are getting duped.

Here’s how it’s done. Typically, when a user begins to create an account — by snapping a picture of a card, or entering information by hand — that data is encrypted and sent to Apple’s servers “along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes),” as Apple’s security and privacy overview states. That data, in turn, is decrypted, checked, re-encrypted and passed to banks to verify a cardholder’s identity. This is the so-called green path authentication protocol, and it seems to work fine.

The “yellow path” is where things get problematic. In this alternate process, some banks perform backup checks that have loopholes. For instance, they will ask a user to confirm his or her identity via e-mail, text message or phone call, and scammers have had an easier time circumventing some of these security measures. Sometimes, for example, a bank’s call center may ask for the last four digits of a user’s social security number — a popular target in identity theft schemes — and if they have the right information, potentially obtained in one of the many recent data breaches, or purchased in underground markets where such information is sold, the fraudster is set.
[fortune-brightcove videoid=4080084565001]

Since Apple Pay precludes the use of a physical card, scammers don’t have to bother forging a plastic copy with a magnetic stripe (or EMV chip, for that matter). According to the Guardian, banks have already lost millions in such ID fraud.

Apple, reached for comment by the newspaper, seems to be passing the blame on to its banking partners:

“Apple Pay is designed to be extremely secure and protect a user’s personal information,” a spokesman told the Guardian. “During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.”