There’s an old saying, taken from a story in the Old Testament, that goes something like this – “Be ever cautious, every rich man’s house has a servant’s entrance.” The saying is meant as a warning to never feel too secure.
This week, it seems cybercriminals found the back entrance into the rich man’s house that is Apple Pay.
Cherian Abraham, a mobile-payments specialist who is a consultant to U.S. finance groups, weighed in on the issue on his Drop Labs blog, saying that Apple Pay fraud “has now graduated from an itch to a raging infection.”
“At this point, EVERY issuer in AP has seen significant *ongoing* provisioning fraud via customer account takeover. The levels of fraud have varied since launch, but 600bps is now seen as hardly an anomaly. Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one is bold enough to call the emperor naked,” Cherian continued.
This news has come as quite a shock to mobile payments watchers; Apple Pay entered the field boasting the impressive security trifecta of tokenization, biometric authentication and on-device secure storage that was impressive to even skeptical watchers.
Apple, by all accounts, has done a very complete job of keeping payment data safe once it is legitimately loaded onto a phone.
Unfortunately guaranteeing that all the cards loaded into Apple Pay accounts are legitimate has not gone so well – with fraudsters able to load and use stolen cards into accounts – and, according to Cortex MCP founder and CEO Shaunt Sarkissian, it’s a problem that is much bigger than Apple Pay.
“I think we have to look at what the underlying source of this is. Apple Pay is just symptomatic of the fact that we have Band-Aided something together, but the weak spot is always going to be exposed in the system,” Sarkissian told MPD CEO Webster in a discussion of Apple Pay’s fraud situation.
And that weak spot, Sarkissian believes, is the 16-digit card number itself.
“If [the cybercriminals] obtain that card number in the physical world, at a restaurant for example, they can take that number and immediately set up fake accounts on iTunes and then take those iTunes accounts and provision them into an Apple Pay account on a phone,” Sarkissian explained. “It’s given somebody the ability to take card not present fraud and migrate that to the card present world and really turn that mobile device into a credit card manufacturing device. The weakest link is the card number itself that has really exposed the system.”
Sarkissian noted at the beginning of his conversation with Webster that “fraud never sleeps,” which means over and over again the payments ecosystem is going to run into its best ideas being thwarted by the obvious thing that wasn’t secured.
“Look at the Target breach,” he said. “It wasn’t because those guys were cracking heavy, heavy encryption, it was an HVAC contractor that they gave the codes to that they shouldn’t have. It was human error that caused it.”
And there is a human error element at work in the Apple Pay fraud as well – particularly when it comes to the onboarding process for the so-called “Yellow Lane.”
U.S. banks are using a “Green Lane” for cards approved immediately and a “Yellow Path” for cards requiring more of a check. According to most reports, “Yellow Path” verification is where fraud is rearing its head. In some cases, banks are not asking enough questions and in others, they are allowing callers to verify their identity with nothing more than the last four digits of their social, something that is easy for the bad guys to nab.
Sarkissian noted that in this case, the trade-off between ease of account activation and risk mitigation is a little off.
“There’s that pendulum between security and usability. But consumers are getting a little more willing to maybe jump through a few additional hoops if they know it is going to be actually be secure,” Sarkissian explained. “I guess the analogy is when you get your driver’s license. You have to go down to the DMV, they require you go in there and do certain things. We all hate that process because it is a huge pain, but it does create a gate that you have to go through to get that official ID issued to you.”
Not that Sarkissian is advocating that consumers who want digital accounts should appear in person to be photographed and verified before getting one. But rather that processes are created so that the right gates are in place.
“You have to have business rules and processes that are smart and ways to validate the customers,” Sarkissian advocated. “That will help us build gates and controls around how consumers are boarded, so that we don’t have an out of hand bonanza.”
Which, Sarkissian believes ultimately comes back to rethinking that 16-digit number that is just sitting out there as the weak link – and an easy and desirable target.
“Apple Pay made it easier to capture a card,” Sarkissian said.
“I think the industry needs to take a deeper look. Tokenization is going to be what will drive us going forward, and it’s certainly a big part of what we do at Cortex,” Sarkissian said. “But I think we have to think about getting farther away from the reliance on that card number as an account number and instead view it as nothing more than a set of routing instructions, which is more of what it is intended to be. We need to look at other ways to authenticate and board customers. We need to treat their core account numbers in a much different way.”
Cortex MCP is banking on their own scheme that leverages its RCD Host Token, which is meant to ride the existing network rails without relying on a card number.
“Rather than starting with a card number in a particular format,” Sarkissian told Webster, “we developed a whole different scheme so that even if someone has access to the [front part of the] card information, it is a scramble.”
A year ago at Innovation Project 2014, Sarkissian famously noted on his panel that EMV should be a swear word, because at the end of the day, he views it as a Band-Aid on what he considered the stab wound that is the 16-digit card number.
The Apple Pay fraud story has started a whole new conversation about how to mitigate the risk of cybercriminals who find those digital servant entrances and then wreak havoc throughout our mobile payments houses. Like most things in payments, it’s not a single solution nor a quick fix.