I've always wondered why I have to memorize a pin # to use my debit card, but on the credit side...the verification code is printed on the card. It would go a long way toward security to have a secret pin to authenticate Apple Pay when adding a card or whenever card is used online. Anyone who handles my debit/credit cards can capture both the account and expiration from the front and the verification code on the signature line. Once they have the extra 3 numbers it is usually accepted. At least gas stations ask for billing zip code that wouldn't be known by just handling or trying to use a lost/stolen card.
It's not known exactly how many numbers were taken. People get lulled into thinking that their card numbers are safe because they weren't used right away, so those numbers are never changed.
I verify my card usage pretty much every day. It only takes me a moment to check. I'm guessing others probably don't have all their accounts bookmarked in a single Bookmarks Bar folder where they can click Open in Tabs to have all the sites open, and then use 1Password to input your data for you, but I can't imagine it would take very long to do even without 1Password. I check every day because if I go several days the amounts and names start to become very cloudy. Identity theft is on the rise and will continue to be on the rise so I suggest everyone perform due diligence with their money and credit (which includes at least a once a year credit check of the 3 bureaus) and use a program like 1Password to make sure all their accounts are using complex and unique passwords.
According to a report on Thursday, fraudsters are using credit card information gleaned from recent high-profile retail chain data to create Apple Pay accounts, while Apple Stores themselves account for 80 percent of unauthorized transactions.
Citing sources familiar with the matter, The Wall Street Journal reports criminals are purchasing big-ticket items at Apple Stores using fraudulent Apple Pay accounts created in part with credit card data stolen from Home Depot and Target. With the iPhone 6's NFC capabilities, the physical card may not be required for such purchases.
Apple Pay itself has not been breached, meaning customers who have provisioned cards with Apple's service are safe. The bank-side systems on which Apple Pay security is partially reliant, however, are apparently being gamed.
When Apple Pay users first opt to add a credit or debit card, the issuing bank can use a "green path," which immediately provisions the card, or a "yellow path" that requires additional steps to verify a user's identity. A study found the yellow path to be somewhat lenient, with banks asking for information that in some cases is relatively easy to obtain, such as the last four digits of a user's social security number.
Methods of authentication vary from bank-to-bank, but some institutions require cardholders verify account details, log into online accounts or speak to a customer service representative. The publication said some banks send out a confirmation text message to a customer's phone, a technique often used by Web-based two-step authentication services.
The report echoes previous claims that Apple Pay bank partners are "scrambling" to stem the tide of fraudulent activity related to supposedly lax cardholder verification procedures. It is unclear what changes are being made on the backend, but it can be assumed that cardholders will soon see more stringent authentication protocols.
Check the source of this story...and pretty much every other Apple Pay fraud story in the past 2 months. It's the same guy. He never names a single bank and claims that the fraud is exploding. Stop for a second and think about this - if it were true and fraud was happening at this scale, wouldn't there be multiple sources screaming about this like their hair was on fire? All of these articles that are being rehashed by the different news outlets point back to the same source: Cherian Abraham - a mobile payments consultant who's currently advising an Android-based payments system. He first reported this at Apple earnings time and now during MWC, where he's most likely to get maximum reach. These blogs are simply giving him a platform to sell his services. Worry about Apple Pay fraud when it's actually being reported by numerous reputable sources.
The retailer breach tie-in is bunk too. Most card issuers replaced potentially affected cards many months ago. Most importantly, for this kind of fraud to be successful, it would require multiple pieces of personally identifiable information. You don't just call a bank's call center with a card number and maybe an address or phone number to verify a card. Go ahead and try it yourself and see how far you get.
Hopefully at some point, the banks speak up and shut this story down for good.
EDIT: This is what happens when Apple partners with some other organization. They should have started their own bank and handled the transaction end to end.
Amen. And just like the Chinese labor issue, the Greenpeace tantrums, etc., Apple solely gets the blame. Trouble caused by third parties is blamed completely on Apple and no one else. This is the downside of being the world’s most valuable company.
I don't buy this story either. As far as I can tell when you add a card to Apple Pay you have to enter the security code number from the back of the card (every card I have added required it). So how are these thieves getting that number? If they got the credit card numbers from the Target/Home Depot hack all they would have is the card number, not the security code. The magnetic stripe doesn't have that security code included, and I don't remember any Target or Home Depot employees ever asking for my card to type in that code.
Does Apple Pay let you keep trying to add a credit card with the same card number, and just step through the security code numbers one by one? If so then that definitely should be fixed.
All I read was : non related ID theft+ "insert Apple clickbait angle" + Blah blah blah
Going back to sleep now.
Unfortunately I expect it will be down to resale value and product size. If you robbed a store selling Android products, you'd make a fraction of the amount. Jewellery stores would be more valuable but likely aren't taking Apple Pay. They'll have to be careful with their gold Watch sales with Apple Pay. The criminals might target items below $2-3k in order to avoid hitting credit limits though so if the Watch is above that, they might avoid it.
Chase for one uses two-step verification when adding one of their cards.
Ditto. One of my cards was at risk from the Home Depot breach, and BofA proactively replaced it.
Well spotted, the person this story comes from is involved with two competing solutions:
https://www.simplytapp.com
https://www.modopayments.com
It looks like he's defending Apple Pay here:
http://www.droplabs.co/?p=1157
"Apple Pay is not secure: Laughable and pure FUD."
but definitely suspect given his involvement with competitors.
He's a consultant and I know consultants well. I won't pretend to know him personally but in general, guys like this are always looking for ways to grow their client base. He's in the "mobile payments" consultative space so if I had to guess, I'd say that he's looking to create a problem to solve: banks needing a more astringent and automated AP card provisioning process. I'm sure he's ready with a solution to sell to as many spooked banks and credit unions as he can. Perhaps he's marketing to future AP partners so that he can get involved in the planning process. Save them from themselves, if you will. He can't possibly be trying to sell to existing partners though because they know their business and they know that these fraud numbers are wrong.
That the major "news" outlets have quoted this single source as reliable should be a clear indicator that these organizations are untrustworthy.
Ouch...
It's true that common criminals benefit in exactly these ways...
But, in this case, with so much at stake for Apple and Apple Pay,
it might be fertile ground for white-collar and corporate crime, as well.
I am glad that this happened on the ApplePay and not something else.
At least you have an industry leader known for their quality and their pursuit of perfection and I am sure that Apple (if there is really a problem) will step up and lead to find a solution.
Can you imagine if this happened on a non-iOS product?? Who would have taken the lead on that, the banks or the phone manufacturer or the OS provider or the payment networks?
It would take forever to get all of these parties to even agree on what the problem is and how to solve.
Go Apple, you are doing the right thing. If you were not, no one would have cared to read or comment.
Gartner's Avivah Litan seems to confirm it as well:
http://enterpriseinnovation.net/article/opinion-applepay-fraud-points-looming-problems-mobile-payments-227732165
Definitely doesn't seem to be just one.
Are you sure??
And her blog post refers to a Drop Labs blog post that appears to be written by........
Cherian Abraham
She also doesn't mention by name who the "banker" speaking about this fraud was. Seems like another suspect reporting job to me.