Apple Pay offers state-of-the-art security; dangers of fraud wildly overhyped

“Over the past two days I’ve received four or five different emails advising me that ‘Fraud is Running Rampant on Apple Pay.’ This is a pretty provocative statement and I felt obligated to research the particulars,” Paula Rosenblum writes for Forbes. “It’s important to say right up front that this is a tempest in a teapot, especially given that the payment method is only available in the United States. The primary affected parties at this point are banks; not retailers, and not consumers.”

“No one doubts that Apple Pay’s security methods are adequate. In fact, they are about as state of the art as you can get,” Rosenblum writes. “The problem instead is ostensibly with fraudulent credit cards, or stolen credit cards being entered as an Apple Pay method of payment. Certainly this is not Apple’s problem. If it is a problem at all, it lies with the banks and the way they verify the credit cards.”

Much more in the full article here.

MacDailyNews Take: Banks tightening up their verification processes now before Apple Pay rolls out globally is a good thing. Apple Pay is secure. Stolen credit cards are not.

[Thanks to MacDailyNews Reader “Bill” for the heads up.]

Related article:
Banks rush to stem tide of fraudsters using stolen credit cards with Apple Pay – March 3, 2015

11 Comments

  1. This is a problem of social engineering again. It’s like giving you the most secure password in the world and you keep it on a Post-it right beside your keyboard.
    The problem relies on how the bank allows a client to use its credit card with Apple Pay. Just figure out how to have the client come to the bank for verification or something before allowing the use of the system or something like that. The state of the art security is there, just make sure it’s being used correctly.

  2. Here are a couple more in-depth articles about what’s going on at the silly banks:

    Banks ‘scrambling’ to combat Apple Pay identity fraud – report

    Banks to take on fraud liability in Apple Pay deal, USAA announces Nov. 7 availability

    In brief: Apple made an agreement with banks that they would be responsible for fraud liability, requiring the banks to verify the identity of each user adding a credit card to Apple Pay. The banks had a month to implement a system before Apple Pay went live. Many banks have:

    1) Not kept up with the published lists of stolen credit cards. – Oops.

    2) Asked for anything more than the last 4 digits of the user’s social security number.

    3) Not kept up with the published lists of stolen Social Security numbers.

    According to The Register, it is frequently possible to match up stolen SS#s with stolen CC#s and spoof the banks.

    The solution is to more diligently verify the users attempting to apply credit cards to Apple Pay. As per usual, the general business world is significantly oblivious to security and has to climb the learning curve to catch up with the hackers.

    1. In the country where I live, the banks seem to be saying that when 🍎Pay finally arrives we will have to present in person at the bank with our CCs to have it activated on the iPhone. In other words, the banks will be validating the bona fides of the card holder.

      1. That’s a great idea. However, in the U.S. I don’t think that will be widely possible unless the banks have some policy on allowing verification of credit cards from other banks.

  3. “The primary affected parties at this point are banks; not retailers, and not consumers.”

    I would think fraud will gravely affect retailers if the card is branded for that retailer, and consumers who have had their card numbers stolen are still affected in their credit reports. Making light of the secondary effects of stolen card info is callous of the author. Since Apple Pay works (as another mentioned above) on the existing credit card system there are bound to be weaknesses from that area, but I don’t think Apple should turn a blind eye considering it still affects the image of their system in a significant way.

  4. The source of all these stories seems to be a single source: a blogger by the name of Cherian Abraham. Not one of the banks involved has confirmed any of the levels of fraud loss he seems to have pulled out of his nether regions.

    Considering that Apple added 17 more banks just yesterday, I find an absurd 6000% increase in fraud levels Abraham claims to be completely unbelievable. He first published his claims on January 5, 2015, just one month after the roll out. . . and since then over 500 banks have adopted ApplePay. If the levels of fraud were what Abraham claims, that simply would not happen as banks are very paranoid about fraud (is it really paranoid if they really are out to get you?).

    Frankly, on consideration of the timing, the sourcing of the information, and looking at what was announced in Barcelona on Monday about the rumors about Samsung’s releasing their newly acquired LoopPay being true with the Samsung Galaxy S6 smartphone in the first part of April, one month from now, what I suspect is happening here is that Samsung is spreading money around to denigrate ApplePay. This has all the hallmarks of a FUD campaign . . . a kernel of truth with a huge load of exaggeration.

    1. Paid by Samsung?

      Except, he also wrote this on the same post:

      First Loop’s acquisition. I worry that this relays a scattered strategy on Samsung’s part, that stands in stark contrast to the military discipline exhibited by Apple’s own. Via Loop – Samsung is investing more on grabbing upfront a larger share of a shrinking pie vs Apple’s dominance of a growing one. And Loop’s share inevitably will shrink, and unless if Samsung balances it with a broader identity and commerce strategy it risks getting a short term boost and little else.

      Chase is rumored to be the largest issuer to sign-on with Samsung/Loop Pay – and that issuer partnership is necessary beyond tokenization reasons alone. Loop has to “downgrade” a card when presented to an EMV terminal by altering the magstripe service code (more on that here, and Will Graylin’s comment on it here) so that the terminal does not challenge the swipe and force a dip. Between that, and the general unwillingness to fork over your brand to be wrapped by a much lesser known entity, will keep some issuers on the bench.

      Whether you agree that it should or not, TouchID has become the de facto authentication approach, Passbook is becoming the choice off-property transaction and loyalty store, and Secure Enclave/SE has all the makings of a secure identity store. All the interesting bits around payments are being solved by Apple without having to be burdened by becoming regulated or being a bank. This is one trait Samsung should not hesitate to copy.
