Criminals in the U.S. have found a way to use Apple Pay to push fraud, and they are doing so in increasing numbers.
"Apple Pay fraud has now graduated from an itch to a raging infection," wrote Cherian Abraham, a mobile-payments specialist who is a consultant to U.S. finance groups, on his blog. While tokenization, biometric authentication and on-device secure storage are a fairly impressive security trifecta, it has turned out that provisioning cards into Apple Pay is the "soft underbelly" of the Apple system.
"At this point, EVERY issuer in AP has seen significant *ongoing* provisioning fraud via customer account takeover. The levels of fraud have varied since launch, but 600bps is now seen as hardly an anomaly. Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one is bold enough to call the emperor naked," wrote Drop Labs.
The fraud works when criminals set up new iPhones with stolen personal information and then call banks to “provision” the victim’s card on the phone to use it to buy goods. In a particularly fun irony, Apple Stores are favorite locations to target because they take Apple Pay and sell high price goods with large resale values.
So why use Apple Pay at all when criminals could just be using their stolen cards to make online purchases? According to Drop Labs, Apple Pay is both more immediate and easier at this point.
"Further, online retailers who shoulder liability in the occurrence of fraud have become increasingly sophisticated in fighting it. The 24 hours or more delivery window offers them a sufficient window of opportunity to deploy a number of fraud fighting measures (velocity, device fingerprinting, category checks) – and that’s too much of a coin-toss for a fraudster. AP is proving to be a lot simpler."
A credit or debit card can only be added to Apple Pay when its issuing bank beams over an encrypted version of the card details to store on the phone – which it should only do when certain the real owner is using it. Identity theft, however, has turned out to be the method du jour for breaking into Apple Pay and has already led to losses in the millions.
Apple’s support pages for the service say: “When you add a credit or debit card to Apple Pay… Apple sends the encrypted data, along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”
U.S. banks are using a “green path” for cards approved immediately without concerns and a “yellow path” for cards requiring more checks. It is that "yellow path" verification that is causing the problem: in some cases banks are not asking enough questions, and in other cases they are allowing callers to verify their identity with nothing more than the last four digits of their Social Security number. And while the temptation might be to conclude this is a bank issue, not Apple's, Abraham disagrees.
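To make the green/yellow routing concrete, here is an added illustration (not Apple's or any issuer's code) of an issuer-side provisioning decision: it scores the device and account signals the support page lists, plus common account-takeover indicators, and only approves a yellow-path request after a strong step-up such as a bank-app login. The signal names, weights and thresholds are assumptions for illustration.

```python
"""Added example: a toy issuer-side decision for Apple Pay card provisioning.

Models the green/yellow routing described above: Apple forwards device and
iTunes-account signals to the issuer, which either approves at once (green)
or requires step-up verification (yellow). Signal names, weights and
thresholds are assumptions, not Apple's or any bank's real logic.
"""
from dataclasses import dataclass

# Step-up methods an issuer could accept on the yellow path. "last4_ssn" is
# the weak knowledge-based check some call centers accepted; it is not here.
STRONG_STEP_UP = {"bank_app_login", "in_branch_id"}


@dataclass
class ProvisionRequest:
    account_id: str
    device_name: str
    device_country: str            # current location of the device
    account_country: str           # country on file for the cardholder
    itunes_history_days: int       # length of the iTunes transaction history
    contact_changed_days_ago: int  # days since phone/email on file changed
    recent_provisions: int         # provisioning attempts on this account, last 7 days


def risk_score(req):
    """Sum assumed weights for account-takeover indicators."""
    score = 0
    if req.itunes_history_days < 30:
        score += 2   # brand-new device/account pairing
    if req.device_country != req.account_country:
        score += 2   # device is not where the cardholder lives
    if req.contact_changed_days_ago <= 14:
        score += 3   # contact details changed shortly before provisioning
    if req.recent_provisions >= 2:
        score += 3   # velocity: same account pushed to several phones
    return score


def route(req, green_threshold=2):
    """Green path when the score is low, yellow path otherwise."""
    return "green" if risk_score(req) <= green_threshold else "yellow"


def yellow_path_decision(req, step_up_method):
    """Approve a yellow-path request only after a strong step-up."""
    if route(req) == "green":
        return "approved"
    if step_up_method in STRONG_STEP_UP:
        return "approved"
    return "denied"   # last four of the SSN alone is not sufficient
```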
"It is unconscionable that Apple did not, and was not strongly advised by its partners – to make the Yellow Path implementation (by an issuer) mandatory sooner than it did – which was 4 weeks before AP launch. By then, it was too late for any issuer who had been focused elsewhere to put up any effort of merit. The better Yellow Path approaches – such as having the customer login via the bank-app – require non-trivial effort and planning. No surprise that a number of the launch partners and subsequent ones relied on call centers – in one case having a team as large as 600. In the case of an issuer who saw 3,000 activations over a week, 600 of those generated a call to the call center. What happens when ten times more customers sign up?"
A spokesman for Apple reiterated for the Guardian that the secure mechanism for paying with card details stored on the phone had not been breached.
“Apple Pay is designed to be extremely secure and protect a user’s personal information,” the spokesman said. “During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.”
Not everyone is worried by the uptick in provisioning fraud, however.
“These are probably just some teething problems. If the banks can nail down the authentication, they should see less fraud on Apple Pay. Battle plans always look great until you meet the enemy," noted Tim Sloane of Mercator.