I think the banks and Apple probably wanted to make the Yellow path less stringent in order to minimize any bad publicity from customers finding it difficult to get started. That was in the beginning. Now that Apple Pay has received high marks and general public acceptance, they need to get rid of the Yellow path.
They could easily require you to be at the address registered to the credit card or using a phone number that was associated with the account. Something like that shouldn't be too inconveniencing to customers.
You have that backwards. The Yellow Path requires _more_ verification than the Green Path, but some banks haven't yet implemented sufficient checks on the Yellow Path, so they are basically operating the Yellow Path as a semi-Green Path, making it easy for authentication to be completed with minimal verification.
Okay, so this is somehow Apple’s fault. Good to know.
Those banks with weaker security measures should immediately lose all access to Apple Pay. In fact, Apple should certify banks that use proper measures and provide a link on their site to the banks that have passed their certification requirements.
So do they have examples of people that were actually targeted? One would assume if this was the case we would be hearing a lot more about it? Local news would be all over a story like this.
It sounds like there are plenty of cases but I'm sure that the banks are not publicizing those cases. The headline was certainly open to misinterpretation, but the article makes it pretty clear that the fault lies with the banks, which have failed to foresee this issue and effectively made the authorization process the same as for activation of a physical card. In the card case, however, exploitation obviously required two failures - criminal interception of a new card and possession of the necessary (but insecure) data needed to activate it. This requires only the personal data. It is a slightly surprising lapse of security by those banks.
Okay, so this is somehow Apple’s fault. Good to know.
Those banks with weaker security measures should immediately lose all access to Apple Pay. In fact, Apple should certify banks that use proper measures and provide a link on their site to the banks that have passed their certification requirements.
I'm not sure that it should be Apple's responsibility to certify the banks - that might be taken to leave them with some liability if the bank screws up like this. It's the banks who lose out here - presumably both financially and in terms of their reputation - and that should be enough incentive for them to fix this.
I was able to activate Apple Pay with no extra verifcation or steps at all. It was very easy--but since you only activate a card ONCE, I think the bank should definitely require more verification. It's not that hard to answer a call or something.
Anyway, glad to finally have my little local bank (or at least, their credit card partner) on board with Apple Pay. Used it for the first time this weekend, and it's all it's cracked up to be!
You have that backwards. The Yellow Path requires _more_ verification than the Green Path, but some banks haven't yet implemented sufficient checks on the Yellow Path, so they are basically operating the Yellow Path as a semi-Green Path, making it easy for authentication to be completed with minimal verification.
Perhaps I may have misunderstood the process.
I was thinking that if the location matched up with the customer's home address, no further questions were necessary, however if there were discrepancies then they would require additional information.
I signed up with my AMEX while at home and being a long time iTunes account holder, it was approved immediately.
I was able to activate Apple Pay with no extra verifcation or steps at all. It was very easy--but since you only activate a card ONCE, I think the bank should definitely require more verification. It's not that hard to answer a call or something.
The bank immediately emailed and sent a text message after I set up my AMEX.
I was able to activate Apple Pay with no extra verifcation or steps at all. It was very easy--but since you only activate a card ONCE, I think the bank should definitely require more verification. It's not that hard to answer a call or something.
The bank immediately emailed and sent a text message after I set up my AMEX.
AMEX are very good with those kinds of notifications, but none of my other card issuers have that functionality as far as I can tell.
Apple Pay itself has not been exploited, according toThe Guardian, with issues instead arising at the issuing banks. The problem centers around the processes those banks use to verify customers' identity when adding a card to Apple Pay.
Some 3rd-party a$$hats decide to take the easy route, but hey... let's blame Apple.
Apple was smart to make sure the banks take responsibility for their ineptness.
One thing for certain, if banks can't get their security act together with Apple, they are going to implode when they have to figure stuff out with CurrentC and other half-a$$ed mobile payment "solutions".
Apple just keeps showing everyone how stupid the other players are.
AMEX are very good with those kinds of notifications, but none of my other card issuers have that functionality as far as I can tell.
BoA is excellent with those types of communications too. They have this feature called SafePass. They text you a code number that you have to enter before doing any bank to bank transactions. They email when your CC statement is ready, etc. I know a lot of people say BoA is terrible but I have used them for more than 25 years and they have been great. Especially helpful with international transfers.
Card verification security depends on the bank. Some of my cards immediately authenticated for Apple Pay with no other need for verification. But others like Bank of America required you to call them and go through a list of security questions that a thief probably wouldn't know. i suspect that going forward, more banks will follow that model. It's more labor intensive, but it will likely reduce fraud on the front end.
Bank of America required you to call them and go through a list of security questions that a thief probably wouldn't know.
And why couldn't these be entered into the iPhone during the setup process like any website account I visit requiring me to enter answers to my security questions? While this is not Apple's fault, per se, it seems like a very un-Apple-like process. Is it Apple that didn't make these kinds of steps available to banks in the setup process, or is it the banks not able to implement Apple's available software options?
1) I have added 5 cards to ?Pay. Of those 5, only 1 let me add it without requiring any additional verification of my identity. The other 4 had various methods, like sending an SMS/text to the cellphone I have on file, having me verify personal information, or having me call them to have me verified over the phone. If banks do any of these then those that steal card numbers aren't gong to be able to add cards to ?Pay without also having access to a customer's phone (which is still possible, but less common), or have access to their more sensitive personal data, like secret questions (which is also still possible, but even less common).
2) This coming right on the heals of Samsung and Google talking about their new payment systems as MWC. I'm not a conspiracy theorist but something sounds fishy.
And the Appleinsider "army" will deflect any criticism and/or shoot the messenger.
Because Apple does no wrong.
If you understand how the fraud is being perpetrated, you'd know it isn't about Apple doing wrong, it's about the banks not offering the proper verification for their customer's accounts. It's has nothing to do with ?Pay's design and only the banks can fix resolve their own lack of foresight or laziness to correct this mistake.
And the Appleinsider "army" will deflect any criticism and/or shoot the messenger.
Because Apple does no wrong.
...or because Apple isn't the primary culprit in this case. Yes, I'll blame Apple for changing their policy only one month from rollout. BUT, the only way this problem can be exploited is if the customer has already suffered identity theft. Thieves have to already have a compromised credit card in their possession in order to use Apple Pay. This is something the cardholder's bank should be on the lookout for and if they see a card being added to a phone not owned by the customer, they should be raising the red flag but apparently aren't. That is not Apple's fault and I'd be keen to hear your explanation as to how it is.
This is something the cardholder's bank should be on the lookout for and if they see a card being added to a phone not owned by the customer, they should be raising the red flag but apparently aren't. That is not Apple's fault and I'd be keen to hear your explanation as to how it is.
Which is why 80% (at least in my case) required additional authentication before allowing you to add the card to ?Pay. If they do that then it's the bank's fault.
Comments
I think the banks and Apple probably wanted to make the Yellow path less stringent in order to minimize any bad publicity from customers finding it difficult to get started. That was in the beginning. Now that Apple Pay has received high marks and general public acceptance, they need to get rid of the Yellow path.
They could easily require you to be at the address registered to the credit card or using a phone number that was associated with the account. Something like that shouldn't be too inconveniencing to customers.
You have that backwards. The Yellow Path requires _more_ verification than the Green Path, but some banks haven't yet implemented sufficient checks on the Yellow Path, so they are basically operating the Yellow Path as a semi-Green Path, making it easy for authentication to be completed with minimal verification.
Okay, so this is somehow Apple’s fault. Good to know.
Those banks with weaker security measures should immediately lose all access to Apple Pay. In fact, Apple should certify banks that use proper measures and provide a link on their site to the banks that have passed their certification requirements.
So do they have examples of people that were actually targeted? One would assume if this was the case we would be hearing a lot more about it? Local news would be all over a story like this.
It sounds like there are plenty of cases but I'm sure that the banks are not publicizing those cases. The headline was certainly open to misinterpretation, but the article makes it pretty clear that the fault lies with the banks, which have failed to foresee this issue and effectively made the authorization process the same as for activation of a physical card. In the card case, however, exploitation obviously required two failures - criminal interception of a new card and possession of the necessary (but insecure) data needed to activate it. This requires only the personal data. It is a slightly surprising lapse of security by those banks.
And the Appleinsider "army" will deflect any criticism and/or shoot the messenger.
Because Apple does no wrong.
Apparently you were too optimistic, they didn't even wait for the messenger before they started shooting.
Nothing like Apple fans with an Apple victim-complex.
Okay, so this is somehow Apple’s fault. Good to know.
Those banks with weaker security measures should immediately lose all access to Apple Pay. In fact, Apple should certify banks that use proper measures and provide a link on their site to the banks that have passed their certification requirements.
I'm not sure that it should be Apple's responsibility to certify the banks - that might be taken to leave them with some liability if the bank screws up like this. It's the banks who lose out here - presumably both financially and in terms of their reputation - and that should be enough incentive for them to fix this.
Anyway, glad to finally have my little local bank (or at least, their credit card partner) on board with Apple Pay. Used it for the first time this weekend, and it's all it's cracked up to be!
You have that backwards. The Yellow Path requires _more_ verification than the Green Path, but some banks haven't yet implemented sufficient checks on the Yellow Path, so they are basically operating the Yellow Path as a semi-Green Path, making it easy for authentication to be completed with minimal verification.
Perhaps I may have misunderstood the process.
I was thinking that if the location matched up with the customer's home address, no further questions were necessary, however if there were discrepancies then they would require additional information.
I signed up with my AMEX while at home and being a long time iTunes account holder, it was approved immediately.
I was able to activate Apple Pay with no extra verifcation or steps at all. It was very easy--but since you only activate a card ONCE, I think the bank should definitely require more verification. It's not that hard to answer a call or something.
The bank immediately emailed and sent a text message after I set up my AMEX.
I was able to activate Apple Pay with no extra verifcation or steps at all. It was very easy--but since you only activate a card ONCE, I think the bank should definitely require more verification. It's not that hard to answer a call or something.
The bank immediately emailed and sent a text message after I set up my AMEX.
AMEX are very good with those kinds of notifications, but none of my other card issuers have that functionality as far as I can tell.
Apple Pay itself has not been exploited, according to The Guardian, with issues instead arising at the issuing banks. The problem centers around the processes those banks use to verify customers' identity when adding a card to Apple Pay.
Some 3rd-party a$$hats decide to take the easy route, but hey... let's blame Apple.
Apple was smart to make sure the banks take responsibility for their ineptness.
One thing for certain, if banks can't get their security act together with Apple, they are going to implode when they have to figure stuff out with CurrentC and other half-a$$ed mobile payment "solutions".
Apple just keeps showing everyone how stupid the other players are.
AMEX are very good with those kinds of notifications, but none of my other card issuers have that functionality as far as I can tell.
BoA is excellent with those types of communications too. They have this feature called SafePass. They text you a code number that you have to enter before doing any bank to bank transactions. They email when your CC statement is ready, etc. I know a lot of people say BoA is terrible but I have used them for more than 25 years and they have been great. Especially helpful with international transfers.
Bottom line; Why would anybody cite anything from The Guardian (or any UK rag)?
The Guardian is hardly a rag, it's actually a very reputable newspaper.
The Guardian is hardly a rag, it's actually a very reputable newspaper.
Agreed. I don't follow them for everything, but they certainly had the scoop with Snowden.
Card verification security depends on the bank. Some of my cards immediately authenticated for Apple Pay with no other need for verification. But others like Bank of America required you to call them and go through a list of security questions that a thief probably wouldn't know. i suspect that going forward, more banks will follow that model. It's more labor intensive, but it will likely reduce fraud on the front end.
And the Appleinsider "army" will deflect any criticism and/or shoot the messenger.
Because Apple does no wrong.
Welcome to my ever-growing block list.
Apparently you were too optimistic, they didn't even wait for the messenger before they started shooting.
Nothing like Apple fans with an Apple victim-complex.
You too. Bienvenido!
yes, I realize I"m missing the other exclamation point.
Bank of America required you to call them and go through a list of security questions that a thief probably wouldn't know.
And why couldn't these be entered into the iPhone during the setup process like any website account I visit requiring me to enter answers to my security questions? While this is not Apple's fault, per se, it seems like a very un-Apple-like process. Is it Apple that didn't make these kinds of steps available to banks in the setup process, or is it the banks not able to implement Apple's available software options?
2) This coming right on the heals of Samsung and Google talking about their new payment systems as MWC. I'm not a conspiracy theorist but something sounds fishy.
If you understand how the fraud is being perpetrated, you'd know it isn't about Apple doing wrong, it's about the banks not offering the proper verification for their customer's accounts. It's has nothing to do with ?Pay's design and only the banks can fix resolve their own lack of foresight or laziness to correct this mistake.
And the Appleinsider "army" will deflect any criticism and/or shoot the messenger.
Because Apple does no wrong.
...or because Apple isn't the primary culprit in this case. Yes, I'll blame Apple for changing their policy only one month from rollout. BUT, the only way this problem can be exploited is if the customer has already suffered identity theft. Thieves have to already have a compromised credit card in their possession in order to use Apple Pay. This is something the cardholder's bank should be on the lookout for and if they see a card being added to a phone not owned by the customer, they should be raising the red flag but apparently aren't. That is not Apple's fault and I'd be keen to hear your explanation as to how it is.
Which is why 80% (at least in my case) required additional authentication before allowing you to add the card to ?Pay. If they do that then it's the bank's fault.