Banks 'scrambling' to combat Apple Pay identity fraud - report

Posted:
in iPhone edited March 2015
Apple Pay has proven to be a venue of convenience for criminals focusing on identity fraud, a new report suggests, with many fraudsters taking advantage of lax customer verification controls put in place by Apple's partner banks to make brick-and-mortar purchases using stolen credit cards via the growing mobile payment service.




Apple Pay itself has not been exploited, according to The Guardian, with issues instead arising at the issuing banks. The problem centers around the processes those banks use to verify customers' identity when adding a card to Apple Pay.

When adding a card, banks can reportedly choose to accept it immediately -- using a so-called "green path" -- or require additional verification, via a "yellow path." Apple provides the banks with contextual information, such as the name of the device Apple Pay is being configured on, the device's current location, and data about the length of iTunes transaction history, during setup to help identify cases where more stringent checks are required.

The yellow path processes have apparently been found lacking in some cases, with unnamed partner banks asking only for relatively easily-obtainable information, such as the last four digits of the customer's social security number. Once approved, criminals can then use Apple Pay to purchase products at retail, later selling them for cash -- with Apple retail stores apparently a particularly attractive target.

Apple is said to have initially made the yellow path optional for banks, changing its mind to require such a process less than one month before Apple Pay's debut. That left banks little time to sort out a solution, with many falling back to call center-based procedures.

As part of their Apple Pay agreements, issuing banks agreed to accept liability for fraud through the platform. Thus far, that amount is thought to have risen into the millions of U.S. dollars, and banks are working on fixes.

"These are probably just some teething problems," Tim Sloan, an executive at financial consultancy Mercator Group, told the paper. "If the banks can nail down the authentication, they should see less fraud on Apple Pay," he continued, adding that "battle plans always look great until you meet the enemy."
«13456

Comments

  • Reply 1 of 109
    rogifanrogifan Posts: 10,669member
    So do they have examples of people that were actually targeted? One would assume if this was the case we would be hearing a lot more about it? Local news would be all over a story like this.
  • Reply 2 of 109
    ipenipen Posts: 410member
    "battle plans always look great until you meet the enemy."
    Just don't be the first wave to become ashes. Stand with the general at the far far back.
  • Reply 3 of 109
    paul94544paul94544 Posts: 1,027member
    They only have themselves to blame really (the banks), the problem is if someone's credit is ruined, I mean it sort of okay if only the card is compromised since its easy to find that out what is more difficult if someone uses my identity to open new cc accounts that I don't know about and run up a huge bill as a result and collection proceedings are started that is a real problem, but for that to happen my identity must be stolen including SS# etc and repairing that if its gone on for years is very very hard
  • Reply 4 of 109
    bobschlobbobschlob Posts: 1,074member
    Bottom line; Why would anybody cite anything from The Guardian (or any UK rag)?
  • Reply 5 of 109
    maestro64maestro64 Posts: 4,476member
    This is interesting this is happening, and I wonder how big of an issue it is or was it more in lines that someone attempted this and it did not go too far.

    Visa just announced a service they will be offering people a higher level of security who do not have ApplePay. You load an app, register you phone with visa they link you card to your phone in their system and any time you make a transaction at a physical location, they verify the cell phone is in the same location if not they will deny the transaction since they are assuming the phone and card should be in close proximity of one another. Also if you do an online order it has be done within in a certain range of the phone's home location.

    When I register my cards I got an email from my banks asking me to verify that I added the card to apple paid. I guess these other banks are not doing that you could anyone's card to your phone if they are not verifying it.
  • Reply 6 of 109
    lkrupplkrupp Posts: 6,783member

    As is usual in cases like this the tech media will pounce on Apple Pay as a failure of epic proportions. No matter that the issue is really with the banks, Apple will get all the blame just like the Chinese labor issues, Greenpeace tantrums, overseas tax havens, the list goes on. Wait for it.

  • Reply 7 of 109
    mstonemstone Posts: 11,510member

    I think the banks and Apple probably wanted to make the Yellow path less stringent in order to minimize any bad publicity from customers finding it difficult to get started. That was in the beginning. Now that Apple Pay has received high marks and general public acceptance, they need to get rid of the Yellow path.

     

    They could easily require you to be at the address registered to the credit card or using a phone number that was associated with the account. Something like that shouldn't be too inconveniencing to customers.

  • Reply 8 of 109
    pfisherpfisher Posts: 758member
    Quote:

    Originally Posted by lkrupp View Post

     

    As is usual in cases like this the tech media will pounce on Apple Pay as a failure of epic proportions. No matter that the issue is really with the banks, Apple will get all the blame just like the Chinese labor issues, Greenpeace tantrums, overseas tax havens, the list goes on. Wait for it.




    And the Appleinsider "army" will deflect any criticism and/or shoot the messenger.

     

    Because Apple does no wrong.

  • Reply 9 of 109
    mstonemstone Posts: 11,510member
    Quote:

    Originally Posted by Maestro64 View Post



     Also if you do an online order it has be done within in a certain range of the phone's home location.

    My card is registered to my home, but I make online purchases at work all the time, in fact most of the time. Many people commute 20-50km each way so what would the range be?

  • Reply 10 of 109
    tallest skiltallest skil Posts: 43,399member
    Originally Posted by AppleInsider View Post

    Apple Pay itself has not been exploited, according to The Guardian, with issues instead arising at the issuing banks. The problem centers around the processes those banks use

     

    Okay, so this is somehow Apple’s fault. Good to know.

  • Reply 11 of 109
    oh so the same questions the banks ask you when you call in and have a "new" card sent to a new address. Same type of social engineering vulnerability that has existed for decades.
  • Reply 12 of 109
    Quote:

    Originally Posted by BobSchlob View Post



    Bottom line; Why would anybody cite anything from The Guardian (or any UK rag)?



    Pissed with investigative journalism and Edward Snowden, are we?

  • Reply 13 of 109
    lkrupplkrupp Posts: 6,783member
    Quote:

    Originally Posted by pfisher View Post

     



    And the Appleinsider "army" will deflect any criticism and/or shoot the messenger.

     

    Because Apple does no wrong.




    So you do put the blame on Apple for this. Man can I call ‘em or what.

  • Reply 14 of 109
    lkrupplkrupp Posts: 6,783member
    Quote:
    Originally Posted by sog35 View Post

     

     

    Apple did no wrong this time.

     

    It was the banks that screwed up.  




    Told ya. It’s already started. Doesn’t matter what actually happened. Apple is the fall guy. It will be a C|net front page article in no time.

  • Reply 15 of 109
    nolamacguynolamacguy Posts: 4,758member
    pfisher wrote: »

    And the Appleinsider "army" will deflect any criticism and/or shoot the messenger.

    Because Apple does no wrong.

    what rubbish. Apple in this case has done no wrong -- they haven't been compromised. or can you post some actual facts to the contrary? if not, just more FUD from the usual suspects.
  • Reply 16 of 109
    icoco3icoco3 Posts: 1,458member
    Quote:

    Originally Posted by mstone View Post

     

    My card is registered to my home, but I make online purchases at work all the time, in fact most of the time. Many people commute 20-50km each way so what would the range be?


     

    I assumed local to where their phone was currently located...

  • Reply 17 of 109
    Quote:

    Originally Posted by sog35 View Post

     

     

    Apple did no wrong this time.

     

    It was the banks that screwed up.  




    What, exactly, was stopping Apple from recommending to Apple Pay subscribers that applicants do not answer simple to obtain security questions during the registration and verification process?

  • Reply 18 of 109
    icoco3icoco3 Posts: 1,458member

    Corrected headline...

     

    Banks 'scrambling' to combat fraud because they failed to use the security features Apple implemented to ensure a high level of security

  • Reply 19 of 109
    foggyhillfoggyhill Posts: 4,767member
    Quote:

    Originally Posted by Bloodshotrollin'red View Post

     



    What, exactly, was stopping Apple from recommending to Apple Pay subscribers that applicants do not answer simple to obtain security questions during the registration and verification process?


     

    So, Apple is now in charge of bank's security, and general stupidity of owners. If a person gives away his keys. Apple is responsible for that?

     

    Also, how prevalent is this thing really. Or is this like the bendy phone thing, something that happened a few times and then was parotted for months.

  • Reply 20 of 109
    bradipaobradipao Posts: 145member
    lkrupp wrote: »

    Told ya. It’s already started. Doesn’t matter what actually happened. Apple is the fall guy. It will be a C|net front page article in no time.

    You are right when you say that banks do wrong this time, but Apple did a poor job in blindly trusting banks and allowing that it could happen. It's not a technical/security failure, it's a management/PR failure.
Sign In or Register to comment.