Banks 'scrambling' to combat Apple Pay identity fraud - report
Apple Pay has proven to be a venue of convenience for criminals focusing on identity fraud, a new report suggests, with many fraudsters taking advantage of lax customer verification controls put in place by Apple's partner banks to make brick-and-mortar purchases using stolen credit cards via the growing mobile payment service.
Apple Pay itself has not been exploited, according to The Guardian, with issues instead arising at the issuing banks. The problem centers around the processes those banks use to verify customers' identity when adding a card to Apple Pay.
When adding a card, banks can reportedly choose to accept it immediately -- using a so-called "green path" -- or require additional verification, via a "yellow path." Apple provides the banks with contextual information, such as the name of the device Apple Pay is being configured on, the device's current location, and data about the length of iTunes transaction history, during setup to help identify cases where more stringent checks are required.
The yellow path processes have apparently been found lacking in some cases, with unnamed partner banks asking only for relatively easily-obtainable information, such as the last four digits of the customer's social security number. Once approved, criminals can then use Apple Pay to purchase products at retail, later selling them for cash -- with Apple retail stores apparently a particularly attractive target.
Apple is said to have initially made the yellow path optional for banks, changing its mind to require such a process less than one month before Apple Pay's debut. That left banks little time to sort out a solution, with many falling back to call center-based procedures.
As part of their Apple Pay agreements, issuing banks agreed to accept liability for fraud through the platform. Thus far, that amount is thought to have risen into the millions of U.S. dollars, and banks are working on fixes.
"These are probably just some teething problems," Tim Sloan, an executive at financial consultancy Mercator Group, told the paper. "If the banks can nail down the authentication, they should see less fraud on Apple Pay," he continued, adding that "battle plans always look great until you meet the enemy."
Apple Pay itself has not been exploited, according to The Guardian, with issues instead arising at the issuing banks. The problem centers around the processes those banks use to verify customers' identity when adding a card to Apple Pay.
When adding a card, banks can reportedly choose to accept it immediately -- using a so-called "green path" -- or require additional verification, via a "yellow path." Apple provides the banks with contextual information, such as the name of the device Apple Pay is being configured on, the device's current location, and data about the length of iTunes transaction history, during setup to help identify cases where more stringent checks are required.
The yellow path processes have apparently been found lacking in some cases, with unnamed partner banks asking only for relatively easily-obtainable information, such as the last four digits of the customer's social security number. Once approved, criminals can then use Apple Pay to purchase products at retail, later selling them for cash -- with Apple retail stores apparently a particularly attractive target.
Apple is said to have initially made the yellow path optional for banks, changing its mind to require such a process less than one month before Apple Pay's debut. That left banks little time to sort out a solution, with many falling back to call center-based procedures.
As part of their Apple Pay agreements, issuing banks agreed to accept liability for fraud through the platform. Thus far, that amount is thought to have risen into the millions of U.S. dollars, and banks are working on fixes.
"These are probably just some teething problems," Tim Sloan, an executive at financial consultancy Mercator Group, told the paper. "If the banks can nail down the authentication, they should see less fraud on Apple Pay," he continued, adding that "battle plans always look great until you meet the enemy."
Comments
Just don't be the first wave to become ashes. Stand with the general at the far far back.
Visa just announced a service they will be offering people a higher level of security who do not have ApplePay. You load an app, register you phone with visa they link you card to your phone in their system and any time you make a transaction at a physical location, they verify the cell phone is in the same location if not they will deny the transaction since they are assuming the phone and card should be in close proximity of one another. Also if you do an online order it has be done within in a certain range of the phone's home location.
When I register my cards I got an email from my banks asking me to verify that I added the card to apple paid. I guess these other banks are not doing that you could anyone's card to your phone if they are not verifying it.
As is usual in cases like this the tech media will pounce on Apple Pay as a failure of epic proportions. No matter that the issue is really with the banks, Apple will get all the blame just like the Chinese labor issues, Greenpeace tantrums, overseas tax havens, the list goes on. Wait for it.
I think the banks and Apple probably wanted to make the Yellow path less stringent in order to minimize any bad publicity from customers finding it difficult to get started. That was in the beginning. Now that Apple Pay has received high marks and general public acceptance, they need to get rid of the Yellow path.
They could easily require you to be at the address registered to the credit card or using a phone number that was associated with the account. Something like that shouldn't be too inconveniencing to customers.
As is usual in cases like this the tech media will pounce on Apple Pay as a failure of epic proportions. No matter that the issue is really with the banks, Apple will get all the blame just like the Chinese labor issues, Greenpeace tantrums, overseas tax havens, the list goes on. Wait for it.
And the Appleinsider "army" will deflect any criticism and/or shoot the messenger.
Because Apple does no wrong.
Also if you do an online order it has be done within in a certain range of the phone's home location.
My card is registered to my home, but I make online purchases at work all the time, in fact most of the time. Many people commute 20-50km each way so what would the range be?
Okay, so this is somehow Apple’s fault. Good to know.
Bottom line; Why would anybody cite anything from The Guardian (or any UK rag)?
Pissed with investigative journalism and Edward Snowden, are we?
And the Appleinsider "army" will deflect any criticism and/or shoot the messenger.
Because Apple does no wrong.
So you do put the blame on Apple for this. Man can I call ‘em or what.
Apple did no wrong this time.
It was the banks that screwed up.
Told ya. It’s already started. Doesn’t matter what actually happened. Apple is the fall guy. It will be a C|net front page article in no time.
what rubbish. Apple in this case has done no wrong -- they haven't been compromised. or can you post some actual facts to the contrary? if not, just more FUD from the usual suspects.
My card is registered to my home, but I make online purchases at work all the time, in fact most of the time. Many people commute 20-50km each way so what would the range be?
I assumed local to where their phone was currently located...
Apple did no wrong this time.
It was the banks that screwed up.
What, exactly, was stopping Apple from recommending to Apple Pay subscribers that applicants do not answer simple to obtain security questions during the registration and verification process?
Corrected headline...
Banks 'scrambling' to combat fraud because they failed to use the security features Apple implemented to ensure a high level of security
What, exactly, was stopping Apple from recommending to Apple Pay subscribers that applicants do not answer simple to obtain security questions during the registration and verification process?
So, Apple is now in charge of bank's security, and general stupidity of owners. If a person gives away his keys. Apple is responsible for that?
Also, how prevalent is this thing really. Or is this like the bendy phone thing, something that happened a few times and then was parotted for months.
You are right when you say that banks do wrong this time, but Apple did a poor job in blindly trusting banks and allowing that it could happen. It's not a technical/security failure, it's a management/PR failure.