Apple Pay is being used for fraudulent activities by criminals with stolen identities and credit cards, as first reported by The Guardian. While Apple Pay encryption has not been breached, the mobile payments system has seen an increase in fraud as criminals exploit a hole in the verification process when you add a new card to Apple Pay, allowing them to add stolen credit cards to their iPhones, according to sources familiar with the situation.
But the issue has more to do with the banks than with Apple itself. There is a loophole in the way some issuing banks verify credit cards before they are added to Apple Pay. Though the fraud appears not to be as widespread as early reports indicated, it raises questions about how banks should handle the growing number of mobile payment systems like Apple Pay.
The fraud has more to do with the banks than with Apple
To add a new card to Apple Pay, it must be provisioned, or verified by the issuing bank. The first step in this process is called "green path" authentication. With green path, Apple sends the encrypted data from your card, along with information like the name of your device, its current location, and whether or not you have an extensive transaction history with iTunes to your bank. All banks have the ability to add another verification step to the process, like a text message, email or using their app, but many do not.
A bank can decide whether a credit or debit card requires additional verification. Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification.
—Apple iOS Security Guide
Usually the information sent to the issuing bank in green path authentications is enough to get a card provisioned for Apple Pay, but if not, the next step is "yellow path" which requires one of those additional verification methods to get the card approved, and that’s where the back door lies. Many of the banks who chose a customer service call as their verification method have made the process too simple, asking only for the last four digits of a social security number — a detail that is often uncovered if your identity is stolen. If a criminal has stolen an identity and credit card information, they have everything they need to get that credit card verified by the banks who have chosen to use customer service calls as their yellow path verification method.
Issues stem from customer service call centers with lackluster verification methods
It was only a matter of time before Apple Pay became a vessel for criminals attempting fraud. Apple Pay — and any mobile payment solution for that matter — present less risk for criminals using stolen credit cards. They are incredibly convenient, there is no need to make a new credit card (which the government is making much more difficult), no card to hand over to a cashier, and cards can be quickly deleted from your phone. The simplicity and ease of use we praise mobile payments system for are the same reasons criminals will attempt to use them to exploit others.
It was only a matter of time before Apple Pay became a target for fraud
In a statement, Apple essentially says the onus is on the issuing banks to approve every card before it can be added to Apple Pay. "Apple Pay is designed to be extremely secure and protect a user’s personal information. During setup Apple Pay requires banks to verify each and every card, and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank," an Apple spokesperson said. Banks have began making changes and tightening up their provisioning protocols for Apple Pay, according to sources familiar with the situation. Apple Pay currently supports over 100 banks and credit unions across the US.
The situation was first reported by Cherian Abraham, a mobile payments specialist. Abraham is also an adviser for SimplyTapp, a startup whose mobile payment technology, host card emulation, has been included in Android since Android 4.4 (KitKat) was released in 2013. "At this point, every issuer in Apple Pay has seen significant ongoing provisioning fraud via customer account takeover," Abraham wrote last month. "Fraud in the yellow path is growing like a weed, and the bank is unable to tell friend from foe."
But according to multiple sources, while fraud has increased on Apple Pay, the incidents of fraud have been somewhat isolated (Abraham points to organized crime rings around Miami and Dallas as the main culprits) and haven’t reached every Apple Pay banking partner. I spoke with a few banks who said they haven’t seen any fraud issues related to Apple Pay, including PNC, who stated "this has not been an issue for PNC, and we are confident in the anti-fraud practices currently in place."
Some banks haven't seen any fraud issues related to Apple Pay
Bank of America noted that its customers are not liable for any fraud, and that it "updates and improves on existing controls as new fraud tactics and methods are identified." Wells Fargo also touted its zero-liability protection for its customers, and that it takes advantage of Apple Pay’s additional verification steps for some customers. "As a security measure, some customers will receive a "verification required" message when adding their card to Apple Pay," Jim Smith, head of Wells Fargo virtual channels, said. "When we review mobile wallet providers, we look for payment safety, quality of service, and ease of use for our customers. Security in payments has always been a top priority for Wells Fargo, and this verification is part of our multi-layered approach." Chase declined to comment, referring to its policy of not sharing any information on its fraud prevention measures.
"even though we realized this is an issue through Apple Pay, the fix has to be bigger than that."
With more and more mobile payments systems coming online in the near future, Abraham believes the customer center call as a verification method won’t be able to scale. "We should see Google, Samsung, PayPal, Amazon, and many others [offer mobile payment solutions] in the near future. If so, it quickly becomes clear that a call center-oriented approach does not scale, when I have a need to add my card to the latest ‘thing,’" Abraham told The Verge. "The preferred approach will be one that is scalable and secure, without being inconvenient. So even though we realized this is an issue through Apple Pay, the fix has to be bigger than that. The response has to be one that accounts for an exponential increase in entities like Apple Pay."
Abraham sees a layered approach with varying information as the best way to get credit and debit cards verified by the owner, and the owner only. "Some [methods] that may involve shared secrets known only to the bank and the consumer, some that may be known only to the consumer, some may require the device to be vetted for any anomalies, some that requires one-time use passwords and logins, and in some cases — even a call center, Abraham said. "The answer is not to default to the same process always, but to have the flexibility and the sophistication to pick the optimal approach that balances security and convenience."