Flaws in bank provisioning resulting in Apple Pay fraud

Apple Inc.’s Apple Pay mobile-payment system has taken some hits over rumors of rampant fraud. According to some reports, Apple Pay fraud is 60% higher than mag-stripe credit card fraud. And now, with the announcement two weeks ago of the Apple Watch and its support of Apple Pay, there is some concern that fraud could accelerate.

Should consumers be concerned about Apple Pay and Apple Watch?

I would argue the concern shouldn’t be about the Apple products, but rather about the banks and the processes that support them. Let me explain.

Let’s first take a look at what type of fraud is happening and then examine what it means for Apple Pay use and what it could mean for Apple Watch use for payments. As we all know, there is an active black market for stolen credit card information. You can purchase card numbers, card-verification codes, email addresses, phone numbers, street addresses. Fraudsters use this information in two ways. First, they create duplicate physical credit cards for card-present transactions at retailers. Second, they use that information to make online purchases, and have the goods shipped to them.

Now, it turns out there is a third way. Thieves can load stolen credit card information into Apple Pay. Because the thief is in possession of the iPhone and the stolen credit card is added on that device, the thief is able to fingerprint-authenticate and stroll out of the store with the purchased goods. The merchant has no way of knowing anything unsavory has happened.

This third way has exposed an apparent weakness in the authentication process between Apple and the banks when users are adding cards into Apple Pay. How do you know if the credit card is being added to a device that is owned by the credit card holder?

Some have blamed Apple for this. They say the company is not providing the banks with enough information to properly authenticate. They also say Apple gave the banks too little time to get their processes in order.

Let’s be clear, however. It is the banks’ job to authenticate—or, in banking lingo, provision—a credit card. If they do not receive enough information from Apple to make that decision, they can certainly request more information from their cardholder.

According to the specs from Apple, the company is providing location, the last four digits of the cell-phone number, device name, and iTunes activity for that card. The bank is then responsible for taking this information and determining if the card is approved for use with Apple Pay.

Delving a little deeper, we know that the banks’ provisioning process has typically had two paths: green (good) or red (potential fraud). Apple introduced a third path, yellow, which is used to flag further checks to banks and card issuers.

What is turning out to be a big problem is that many banks treated the yellow path as an enrollment issue. That is, they sent yellow requests to their call center instead of their fraud center. Call centers are trained to help consumers get a card. They typically ask static validation questions, such as the address or the last four digits of a Social Security number. This is information that a fraudster can easily obtain.

Fraud centers are trained to spot fraud. They ask more dynamic questions, such as the cardholder’s last few transactions, or perhaps challenge questions such as mother’s maiden name.

If the bank has a strong authentication process, fraud should not increase with Apple Pay. The key is reducing reliance on static data, which can be easily compromised by thieves, and either increasing reliance on dynamic data or employing the bank’s mobile app for authentication.
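A defender-side sketch of the provisioning routing discussed above, added here as an example and not code from the article, from Apple, or from any bank: the signal weights, queue names and challenge labels are assumptions, and the signals themselves are the ones the article says Apple supplies.

```python
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"

@dataclass
class ProvisionRequest:
    # Signals the article says Apple sends the issuer (values constructed)
    card_last4: str
    phone_last4: str             # last four digits of the device's number
    device_location: str         # coarse region of the device
    device_name: str
    itunes_activity_months: int  # months of iTunes history for this card
    # Data the bank already holds for the cardholder
    cardholder_phone_last4: str
    billing_region: str

def classify(req: ProvisionRequest) -> str:
    """Map the provisioning signals to the bank's green/yellow/red path.
    Weights are assumptions for illustration, not any issuer's rules."""
    score = 0
    if req.phone_last4 != req.cardholder_phone_last4:
        score += 2  # number on the device does not match the account
    if req.device_location != req.billing_region:
        score += 1  # device is not where the cardholder lives
    if req.itunes_activity_months == 0:
        score += 1  # card has never been used with this Apple ID
    if score == 0:
        return GREEN
    return RED if score >= 3 else YELLOW

def route(path: str, misconfigured: bool = False) -> dict:
    """Pick the team that handles the request and what it must verify.
    misconfigured=True reproduces the failure the article describes:
    yellow goes to the call center, which asks static questions
    (address, SSN last four) a fraudster already holds. The default
    sends yellow to the fraud center with a dynamic challenge."""
    if path == GREEN:
        return {"queue": "auto-approve", "challenge": None}
    if path == RED:
        return {"queue": "fraud-center", "challenge": "decline-and-review"}
    if misconfigured:
        return {"queue": "call-center", "challenge": "static-kba"}
    return {"queue": "fraud-center",
            "challenge": "recent-transactions-or-bank-app"}
```

The point the code makes is that the classification step can be perfectly sound and the bank still loses if the yellow outcome lands in a queue whose only tool is static knowledge-based questions.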

Now, what about the launch of the Apple Watch, scheduled for April 24? Some are predicting that this device will result in increased fraud. But the truth is the risk of fraud is actually no different with the Apple Watch than it is with an iPhone 6.

The same authentication process holds true for both. Adding a card still requires an iPhone. An Apple Watch will only work when paired with an iPhone 5 and above. According to reports, the Apple Watch has a near-field communication (NFC) chip that makes mobile payments possible, but it doesn’t have Touch ID like the iPhone 5 and 6. Instead, to unlock the watch, users have to either enter a password on the watch or touch their fingerprint sensor on their iPhone after they’ve put on the wearable.

Once the watch is unlocked, users won’t have to type a password every time they want to use Apple Pay, as long as they haven’t taken off the device after pairing it.

After unlocking the watch, you either select a card from Passbook in the watch interface or let it use the default card. Then you tap the wearable device against, or wave it over, an NFC-enabled payment terminal. The watch will emit a tone and give a vibration to show when the transaction has completed.

There is some thought that since Apple Watch works with an iPhone 5, which is considerably cheaper than an iPhone 6, more fraudsters may be encouraged to load counterfeit credit card information onto an iPhone 5. But, with Apple Watches starting at $350, this will be a negligible difference.

In the end, preventing fraud related to Apple Pay is really about banks having a solid authentication process. If that exists, then I would strongly argue that using Apple Pay for credit card transactions is more secure than continuing with plastic stripe and a signature.

The article was originally published on Digital Transactions on March 25, 2015. Copyright 2015 by Boland Hill Media LLC. All rights reserved. Reprinted with permission of the publisher. 

Bob Graham

Global Head Domain, Consulting and Industry Solutions, Virtusa. Bob Graham leads our cross domain and consulting practices and drives our industry solutions efforts. Bob leads a global team responsible for creating world class domain consulting offerings and targeted solutions for our industry verticals. Our domain consulting teams bring top notch industry experience and ability to help lead our clients through Change The Business (CTB) initiatives including customer acquisition and on-boarding, cost takeout and improved operational efficiency, digital transformation, regulatory change and payments disruption. Bob brings over 25 years of experience in financial services and insurance. Bob is a frequent speaker on digital banking and emerging trends such as robotics, digital payments, machine learning and AI. Prior to joining Virtusa Corporation, Bob spent four years at NetNumina Solutions in Cambridge, MA and six years at State Street Bank as a Vice President for Global Markets IT. Bob began his career at Bank of New England. Bob holds a BA from Hamilton College in Clinton, NY.


One Comment

  • Himanshu Singh April 15, 2015

    Very well researched and brought forward in equally good manner.
