No One Can Afford an Attack - Find the best Cybersecurity Pros to Protect Your Business Data
Welcome Guest | Sign In
ECommerceTimes.com

Apple Pay Cybercrime Burns Banks

By John P. Mello Jr.
Mar 4, 2015 12:30 PM PT
apple-pay-fraud

Identity thieves are using Apple Pay to defraud banks of what could amount to millions of dollars.

Armed with iPhones, the fraudsters are entering stolen payment card information into Apple Pay. Due to weak authentication procedures at the institutions issuing the cards, they are able to use the stolen cards to make purchases through Apple Pay.

Ironically, much of the purchasing is being done at Apple Stores, thanks to the high resale value of Apple products.

Before cards can be added to Apple Pay, they must be provisioned -- that is, approved -- by the card issuer. Criminals are finding that process easy to game.

"At this point, every issuer in [Apple Pay] has seen significant ongoing provisioning fraud via customer account takeover," wrote Cherian Abraham, a mobile-payments specialist, in a Drop Labs blog post.

"The levels of fraud has varied since launch," he continued, "but 600bps is now seen as hardly an anomaly."

The industry norm for credit card fraud is about 10bps -- or 10 US cents per $100 in transactions, he explained. At $6 per $100, Apple Pay fraud is far above that norm.

Naked Emperor

"Apple Pay is designed to be extremely secure and protect a user's personal information," the company said in a statement provided to the E-Commerce Times by Apple spokesperson Lisa Newell.

"During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank," Apple explained.

Blaming banks for the security gap in Apple Pay would be a mistake, said Drop Labs' Abraham.

Apple did not give the banks enough time to set up strong "yellow path" authentication procedures before they joined the program, he maintained.

"It is unconscionable that Apple did not, and was not strongly advised by its partners to make the Yellow Path implementation (by an issuer) mandatory sooner than it did, which was four weeks before [Apple Pay's] launch," Abraham wrote. "By then, it was too late for any issuer who had been focused elsewhere to put up any effort of merit."

As a result of the weak authentication procedures in place at the launch of Apple Pay, he continued, "fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one is bold enough to call the emperor naked."

Achilles' Heel

Authentication as a chink in Apple Pay's armor has been a concern since the platform was introduced.

"Apple seems to have focused on security payment mechanisms such as tokenization and fingerprints, but payment can only be as secure as authentication, which starts with registering cards to an account," EasySolutions CTO Daniel Ingevaldson told the E-Commerce Times upon Apple Pay's launch.

Partnerships like those needed to make Apple Pay work are bound to have an Achilles' heel, observed David Robertson, publisher of The Nilson Report.

"In this case, the entities dropping the ball are the card issuers themselves," he told the E-Commerce Times.

"The Apple Pay system works seamlessly in terms of the consumer interface. It's the unseen part -- communication between the consumer and the card issuer -- where the problem is falling," Robertson observed.

"The credit card issuers are the weak link," he said. "There's always going to be a gap between stolen data and when the issuer is aware of that stolen data. If I don't report that my credit card has been stolen for 72 hours, that's a 72-hour window it can be used by a thief."

Just a Hiccup

Rather than showing the risks in Apple Pay, the security gap created by weak authentication exposes the flaws in the existing payment card system, maintained David Bozin, vice president of growth development at Bindo.

"A huge thing is being made about this because it's Apple Pay, but the fraud is predicated on the existing payment infrastructure, which has many opportunities for fraud," he told the E-Commerce Times.

Apple Pay's physical security isn't compromised by weak authentication, Bozin pointed out. "This isn't someone hacking into my Apple Pay account. It's someone taking my credit card and using it in their own Apple Pay account."

With the launch of any new payment technology like NFC -- the wireless technology enabling Apple Pay -- flaws will appear.

"These are the hiccups of NFC starting to take off," Bozin said, "and the learning costs of Apple Pay and NFC payments."


John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.


Facebook Twitter LinkedIn Google+ RSS
Which form of smartphone security do you rely on most?
Face ID or Fingerprint
Strong Password
App Locks
Storage Encryption
VPN with Public WiFi
I don't use any smartphone security tech.