Surprise! Apple Pay has some fraud, too

Posted by Ian Kar on January 6, 2015


As experts in payments know, there's a weakness in any transaction -- and it looks like there's one in Apple Pay as well. Cunning fraudsters have figured out that you can add a stolen credit or debit card to Apple Pay with minimal interference from the financial institutions.

To be fair, it's not really on Apple's side and the issue seems to be a short-term one. However, the fact that Apple Pay is suffering from fraud just goes to show that every payment scheme has some faults, and merchants need to be aware of them. 

Security expert Cherian Abraham wrote in a blog post yesterday that he's been hearing that Apple Pay has some fraud. In one (unnamed) issuer's case, it is as much as 600 basis points, or 6%!

Abraham wrote that card issuers were "required" to build a "Yellow Path" for adding cards onto Apple Pay, one that features some additional form of verification from the bank. However, the experience has been vastly different for customers depending on what card issuer they had. I had been hearing the same thing around the release of Apple Pay (someone singled out an issuer in particular, saying their provisioning process was poor). 

Some issuers authenticated new users through the mobile app, while others opted for a call center verification... or skipped the process altogether. Obviously, making a phone call and talking to an actual human is a lot of work, comparatively, so that process has been panned by users on Twitter and in the press. A mobile app verification is easily more secure than the alternatives. 

While provisioning has been an issue, fraud is most likely occurring because of provisioning problems and stolen identities. For many of these fraudsters, finding personally identifying information is a lot easier, since much of it is publicly available. And, since Apple asks users to add a card to Apple Pay during the setup process when starting up a new iPhone 6/6+, there might not be a corresponding mobile app for the issuer on the device yet -- making it even easier to commit fraud.

This is just another reason networks and issuers won't be quick to get rid of card-not-present rates, no matter how much retailers pressure them.

Even though the technology behind Apple Pay -- NFC, tokenization, TouchID -- seems to be working well, fraud is still possible by attacking a non-Apple-controlled point, the provisioning process. 

 

Topics: fraud, Apple Pay, banking