Banks reportedly clamp down on Apple Pay card provisioning in wake of fraud


Comments

  • Reply 21 of 50
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by SolipsismY View Post



    I couldn't believe that one of my cards had no authorization system in place when I added it to Apple Pay. I hope their shortsightedness has been corrected, but I don't understand why they felt it was OK to announce their system was ready when they failed to have a basic system in place. They could have even made it as simple as calling their help desk to have a CSR verify your identity with challenge questions before authorizing the card for payments.

    The only card I added was AMEX and it went right through no questions asked. I did receive a text and an email immediately though.  If any organization would have their act together it would be AMEX.  I'm assuming they used some other means to verify me that was going on behind the scenes.

  • Reply 22 of 50
    plovell Posts: 826 member
    Quote:

    Originally Posted by Misa View Post




    With ACH, the system has no way of verifying anything and will accept any name and number. So it's entirely possible for a phone representative to pay someone else's account with your ACH payment information because there is no verification. This is just how banks work.

    I'm not sure that this is quite true but I agree that ACH security is quite poor. 

     

    As an example, I believe that if there is an authorization for ACH transfers on your account (and Citi does have this) then it's bi-directional. There is no way to say "I permit transfers into my account but no transfers out". Which means that if your employer does direct-deposit (via ACH, as is standard) then they can drain your account.  WTF ?!?

  • Reply 23 of 50
    plovell Posts: 826 member
    Quote:

    Originally Posted by mstone View Post

     
    The only card I added was AMEX and it went right through no questions asked. I did receive a text and an email immediately though.  If any organization would have their act together it would be AMEX.  I'm assuming they used some other means to verify me that was going on behind the scenes.


    The text and email will probably shut down most of the fraudulent "adds". I'm sure that if I got one for one of my cards that I didn't just add, then I'd be on the phone right away.

     

    But your comment about "other means" got me thinking: Apple does provide certain info to the bank as part of the "add" provisioning process - I think that your current location is included, for example. So I wonder if it also includes something about other cards you might have registered in Apple Pay? If you had, and the names were different, then that would be a big red flag. But if they were all the same then banks could be more confident that it really was you. I wonder ... ?

  • Reply 24 of 50
    mac_128 Posts: 3,454 member
    pfisher wrote: »
    It doesn't matter. Perception is everything.
    I agree. I'm giving you the benefit of the doubt that you mean this -- if Apple Pay is being used for fraud, it will taint Apple Pay whether it's Apple's fault or its partners'. Who is the bigger name here, Apple or the numerous unnamed banks?

    But I will go one step further ... Apple can design the most secure system in the world, but if they allow their partners to leave the back door open, then they are culpable. Apple is notorious for dictating terms of use, all they had to say to their partner banks is they can't implement Apple Pay until they can assure secure registration by their customers. No doubt this is the banks' fault, but Apple shares some of the blame for allowing their system to be used in this way, especially since they know more than anyone the headline will read "Apple Pay security breach".
  • Reply 25 of 50
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by plovell View Post

     

    But your comment about "other means" got me thinking: 


    Yes, they send the mobile phone number, iTunes account and Apple ID information, all having my name listed. As you mentioned they also send the location, which in my case, was my home, where the address matched the AMEX account. In addition, they have the IP information, which is also close by, although that would be less reliable than the other information, however in conjunction, just further verification.

  • Reply 26 of 50
    Quote:
    Originally Posted by Mac_128 View Post





    I agree. I'm giving you the benefit of the doubt that you mean this -- if Apple Pay is being used for fraud, it will taint Apple Pay whether it's Apple's fault or its partners'. Who is the bigger name here, Apple or the numerous unnamed banks?



    But I will go one step further ... Apple can design the most secure system in the world, but if they allow their partners to leave the back door open, then they are culpable. Apple is notorious for dictating terms of use, all they had to say to their partner banks is they can't implement Apple Pay until they can assure secure registration by their customers. No doubt this is the banks' fault, but Apple shares some of the blame for allowing their system to be used in this way, especially since they know more than anyone the headline will read "Apple Pay security breach".

     

    We get it. The glass is 0.1% empty. Apple's shiny name must be soiled.



    You're not giving Apple any credit for securing transactions (no more CC theft from POS terminals or card skimming), and you are blaming Apple for some banks not validating credit cards registered with Apple Pay. This sounds suspiciously trollish. Like the people who wanted to pin all Foxconn factory labor violations on Apple, despite everything Apple does to combat the issue.

     

    Culpable? Only if you arbitrarily assign them responsibility for validating registered credit cards. If your bank isn't doing enough to protect its customers, consider demanding that they do, because, you are their customer. If it were my bank, I wouldn't let them off the hook for security. Unless you are just looking for a reason to blame Apple for something.

  • Reply 27 of 50
    mac_128 Posts: 3,454 member
    We get it. The glass is 0.1% empty. Apple's shiny name must be soiled. You're not giving Apple any credit for securing transactions
    Apple knows anything attached to Apple Pay however remotely is going to reflect on them. I'd prefer this story be reported the way it should be, but that's not how the world works, and Apple knows it.

    And read what I actually wrote, I gave Apple full credit for developing a secure system. But what have they done to make sure their partners are protecting their end? It would seem nothing. All Apple has to say to their partners is -- you can't use Apple Pay unless you meet minimum requirements to prevent criminals from using our system for fraud. But it would seem such a simple step has not been taken, and banks have dropped the ball allowing their incompetence to sully Apple's achievements in the media. Nobody is talking about how secure Apple Pay is, but rather how it's being used for fraud. People don't care whose fault it is, all they hear is Apple Pay & fraud. And Apple has a duty to itself, if no one else, to make sure its partners can't damage the reputation of their product.
  • Reply 28 of 50
    Apple has been one of the most trustworthy cardholders in the world for years with iTunes Store and Apple Store operations. Maybe Apple gave too much autonomy to the banks that weren't properly prepared. If Apple operated alone, these problems probably would not be occurring.

    We don't even know for sure if banks are facing real problems with frauds in their approval process for credit cards. As everything related to Apple, this story smells too much like just another irresponsible rush for pageviews.
  • Reply 29 of 50
    solipsismy Posts: 5,099 member
    mac_128 wrote: »
    Apple knows anything attached to Apple Pay however remotely is going to reflect on them. I'd prefer this story be reported the way it should be, but that's not how the world works, and Apple knows it.

    That's right, which is why Apple should never do anything if even the weakest of connections with Apple will cause sensationalist rag sites to create a headline devised to get more page clicks. Apple should have never made Apple Pay and we would all be better off¡
  • Reply 30 of 50
    habi Posts: 317 member
    Quote:

    Originally Posted by SolipsismY View Post





    1) It could be a stolen iPhone.



    2) The device doesn't need a valid SIM card for it to be connected to the Internet and otherwise working.



    3) You don't need to use your fingerprint with Touch ID.



    4) There is no evidence Apple copies your Touch ID prints and then uploads to their servers. In fact I'm quite certain they don't, not to mention that Touch ID doesn't take a photograph of your fingerprint.



    I really don't understand number 3. Please explain. I thought Touch ID reads your print?!? Have I really understood this wrong? And the second thing is where I live if cardholder details don't match up on the service (iTunes, web application, Apple Pay?) then it shouldn't go through...

  • Reply 31 of 50
    solipsismy Posts: 5,099 member
    habi wrote: »
    I really don't understand number 3. Please explain. I thought Touch ID reads your print?!? Have I really understood this wrong?

    You can use a fingerprint, but the print of a finger is not required. You can use most parts of your body, your pet's paw, or pretty much anything else that also has some electrical resonance to it. The only thing that seems to really be a requirement is touch.

    And the second thing is where I live if cardholder details don't match up on the service (iTunes, web application, Apple Pay?) then it shouldn't go through...

    I don't understand this question and comment.
  • Reply 32 of 50
    dasanman69 Posts: 13,002 member
    Journalists today would call Watergate "Watergategate" without blinking.

    So what would we call a '-gate' that is actually about water?
  • Reply 33 of 50
    magman1979 Posts: 1,301 member
    What on earth are you talking about? This fraud had nothing to do with regular consumers using Apple Pay. The victims are not necessarily Apple customers at all. The criminals used stolen CC data to create Apple Pay access to those stolen accounts because of weak bank protocols.

    How can the average Joe iPhone 6 owner using Apple Pay cause fraud to occur?
    He's a known troll, and I already have him blocked. Best not to feed the trolls.
    xixo wrote: »
    Online stolen credit card bazaars provide all the information that some banks were requiring for registration with Apple Pay.

    No legitimate user of Apple Pay was ever at risk of fraud or theft.

    But - thieves who acquired credentials have obviously been able to register stolen cards using Apple Pay.

    Due to the implied security of Apple Pay's design, this meant they could make multi-thousand-dollar purchases without even showing a photo ID.

    This has everything to do with Apple Pay. Between Apple and the issuing banks, someone certainly dropped the ball. Apparently the loophole is being closed.

    I'm continually amazed at the number of posters here who believe apple to be infallible, impermeable and invincible.

    Keep slurping that kool-aid, folks...
    This has NOTHING to do with Apple PAY, the system has not been breached, as everything is working as it should be. You just love trolling. Learn to read, this issue stems from the BANKS not doing any verification on new activations, a BIG no-no!

    So thanks, but we're not slurping any kool-aid (poison btw), we just know how to read and how to understand the truth. You just like to troll.
  • Reply 34 of 50
    mstone Posts: 11,510 member
    Quote:
    Originally Posted by xixo View Post

     
    without even showing a photo ID.


    This is an interesting point. Since the merchant can't see the CC data, they have no way to compare the driver's license. Many places require the card to be present along with photo ID. The post office is one that I know off hand.

  • Reply 35 of 50
    solipsismy Posts: 5,099 member
    mstone wrote: »
    Since the merchant can't see the CC data...

    Sure they can. They can see everything that goes through their terminal. What they don't see is the physical card's number, but rather the data for the representational number that is tied to your account. They can still track that data when you do purchases.
  • Reply 36 of 50
    mstone Posts: 11,510 member
    Quote:

    Originally Posted by SolipsismY View Post

     
    Quote:

    Originally Posted by mstone View Post



    Since the merchant can't see the CC data...




    Sure they can. They can see everything that goes through their terminal. What they don't see is the physical card's number, but rather the data for the representational number that is tied to your account. They can still track that data when you do purchases.

    Really? The check out clerk can see the name on the credit card? Everywhere I have used Apple Pay they just wait for the receipt to pop up. Where does the name on card display?

  • Reply 37 of 50
    solipsismy Posts: 5,099 member
    mstone wrote: »
    Really? The check out clerk can see the name on the credit card? Everywhere I have used Apple Pay they just wait for the receipt to pop up. Where does the name on card display?

    Oh, you mean the employee at the register? I thought you meant the merchant, as in the company in which you're making the purchase, as well as all others involved with the actual digital transaction, regarding the verification, allocation, and transfer of funds from your account to theirs.
  • Reply 38 of 50
    Quote:

    Originally Posted by SolipsismY View Post



    I couldn't believe that one of my cards had no authorization system in place when I added it to Apple Pay. I hope their shortsightedness has been corrected, but I don't understand why they felt it was OK to announce their system was ready when they failed to have a basic system in place. They could have even made it as simple as calling their help desk to have a CSR verify your identity with challenge questions before authorizing the card for payments.



    Banks like other corporations exist to make money for their CEOs and investors, with no laws in place or enforced to make the CEOs and investors liable for incompetence or mistake. Banks don't care and they don't have to. It's a cost of doing business, which, of course, we pay for. Since they own the politicians, nothing will change.

  • Reply 39 of 50
    solipsismy Posts: 5,099 member
    Banks like other corporations exist to make money for their CEOs and investors, with no laws in place or enforced to make the CEOs and investors liable for incompetence or mistake. Banks don't care and they don't have to. It's a cost of doing business, which, of course, we pay for. Since they own the politicians, nothing will change.

    Sure, but we're talking about very little effort to create a great deal more security that will result in fewer costs to the bank (or the insurance company they pay for fraud claims which they then have to pay into with each renewed contract), as well as other issues that can hurt a bank's brand. It's clearly about money for not investing in that little bit of extra work, but it's the shortsightedness I mention.
  • Reply 40 of 50
    Quote:

    Originally Posted by habi View Post



    To me this whole thing seems just so idiotic. Why would someone be so STUPID to try something like that? Apple has your fingerprint and your phone ID and your other credentials. Why pair other people's credit cards to your phone? Seems just like a sure way to get caught and get your ass jailed??? Man, it's like making a burglary and leaving your driver's license on the floor?!?!



    I don't believe you are correct. As I understand it, the fingerprint data on the phone is not accessible, Apple does not have your fingerprints -- the fingerprint data on the iPhone cannot be read or dumped. It's a one-way cypher. The iPhone merely determines if the last Touch ID finger image matches the stored data.
