Banks reportedly clamp down on Apple Pay card provisioning in wake of fraud

Posted in iPhone, edited March 2015
Banks are instituting more stringent credit and debit card authorization policies for Apple Pay users after criminals took advantage of previously lax security protocols to provision new accounts using stolen card data.



The Wall Street Journal said on Friday that banks are adding extra steps to Apple Pay's card provisioning process to stem a recent tide of fraudulent purchasing activity.

It came to light earlier this week that fraudsters were using stolen credit cards to buy big-ticket items in Apple Stores and other retailers supporting Apple Pay's NFC-based touchless mobile payments system. Criminals reportedly provisioned new Apple Pay accounts using card data harvested from the recent Home Depot and Target data breaches, the publication said.

According to the report, banks are now employing a variety of verification protocols to stop fraudsters from adding illegitimate accounts. For example, with Apple Pay, banks can choose to employ a so-called "yellow path" activation routine and send one-time authorization codes via email or text to a registered address or phone number.

Other methods include challenge questions about recent purchases, a user's address or other specific details only a cardholder would know. Some banks may also require new Apple Pay users to call a customer service representative for person-to-person verification.

On the other hand, the report said that users who already have a card registered with iTunes may "sail through" the provisioning process. Criminals attempting to create a new account will likely have trouble without a physical card, however, as Apple Pay requires specific card information -- including the card verification value (CVV) -- to enroll.

It should be noted that Apple Pay itself has not been breached, meaning existing user information is secure.

Comments

  • Reply 1 of 50

    Is there any business (or even person) out there who likes banks, who trusts them? Morons. When something goes wrong they take the hit because, drumroll, "It's not their (personal) money." These could not run their own business for very long without going broke. Who allowed this kind of lax behavior to happen?

  • Reply 2 of 50
    cali Posts: 3,494 member
    Good. Apple can't afford negative press against Apple Pay right now.

    Even though this has nothing to do with Apple Pay.
  • Reply 3 of 50
    slurpy Posts: 5,382 member
    Quote:

    Originally Posted by cali View Post

    Good. Apple can't afford negative press against Apple Pay right now.

    Even though this has nothing to do with Apple Pay.

    Banks and CC companies can't afford negative press against Apple Pay either, since they're also the ones benefitting from it.

    As expected, this report was sensational, has nothing to do with Apple Pay, and any issues will be addressed by the banks in short order.

  • Reply 4 of 50
    solipsismy Posts: 5,099 member
    I couldn't believe that one of my cards had no authorization system in place when I added it to Apple Pay. I hope their shortsightedness has been corrected, but I don't understand why they felt it was OK to announce their system was ready when they failed to have a basic system in place. They could have even made it as simple as calling their help desk to have a CSR verify your identity with challenge questions before authorizing the card for payments.
  • Reply 5 of 50
    foggyhill Posts: 4,767 member

    Another "news" which points to "a report", what report?

    Doubt any bank said anything to anyone.

    WTH is that journalism! from the Wall Street Journal of all places.

    Imagine the Watergate break-in being sourced that way...

    Man, they would have been destroyed.

     

    Also, what the hell banks are they talking about? Should be easy to tell us shouldn't it?

    Most banks already had security in place.

    This is FUD on a grand scale.

     

    Not using "some", instead of the generic "banks", not listing them, and then putting Apple in there is getting to be just too easy for lazy modern pseudo journalists. I'm not just talking about this story, or even just those with Apple in the title. Journalism these days is pathetic.

  • Reply 6 of 50
    josha Posts: 901 member
    Quote:

    Originally Posted by bobbyfozz View Post

     

    Is there any business (or even person) out there who likes banks, who trusts them? Morons. When something goes wrong they take the hit because, drumroll, "It's not their (personal) money." These could not run their own business for very long without going broke. Who allowed this kind of lax behavior to happen?




    Banks don't take the fraud hit on them.

    Banks simply pass the loss on to their customers, thru less interest and higher credit card costs.

    Banks control the money flow.

     

    If banks screw up badly they cry to the Gov for money (from the taxpayers) to bail them out.

  • Reply 7 of 50
    pfisher Posts: 758 member
    slurpy wrote: »
    Banks and CC companies can't afford negative press against Apple Pay either, since they're also the ones benefitting from it.

    As expected, this report was sensational, has nothing to do with Apple Pay, and any issues will be addressed by the banks in short order.
    It doesn't matter. Perception is everything. Also, it has everything to do with Apple Pay. If you use Apple Pay fraud can occur.
  • Reply 8 of 50
    pfisher wrote: »
    It doesn't matter. Perception is everything. Also, it has everything to do with Apple Pay. If you use Apple Pay fraud can occur.

    What on earth are you talking about? This fraud had nothing to do with regular consumers using Apple Pay. The victims are not necessarily Apple customers at all. The criminals used stolen CC data to create Apple Pay access to those stolen accounts because of weak bank protocols.

    How can the average Joe iPhone 6 owner using Apple Pay cause fraud to occur?
  • Reply 9 of 50
    solipsismy Posts: 5,099 member
    pfisher wrote: »
    It doesn't matter. Perception is everything. Also, it has everything to do with Apple Pay. If you use Apple Pay fraud can occur.

    You know those people could have simply used the card data to clone a physical card or make purchases online, right? If not, then I can then understand why you think it has EVERYTHING to do with Apple Pay, and simply not issues with the stolen card data. Since it's been reported that some banks didn't do challenge responses -and- that the data was from previous breaches from Target and Home Depot, this would not have happened if banks had built their end correctly from the start -and- if Apple Pay had been in-place when these Target and Home Depot breaches had occurred, because then those customers that paid with Apple Pay at those stores would not have had to worry about their info being used to make fraudulent charges from another device, a cloned physical card, or online.
  • Reply 10 of 50
    habi Posts: 317 member
    To me this whole thing seems just so idiotic. Why would someone be so STUPID to try something like that? Apple has your fingerprint and your phone ID and your other credentials. Why pair other people's credit cards to your phone? Seems just like a sure way to get caught and get your ass jailed??? Man, it's like making a burglary and leaving your driver's license on the floor?!?!
  • Reply 11 of 50
    xixo Posts: 450 member
    slurpy wrote: »
    As expected, this report was sensational, has nothing to do with Apple Pay

    Online stolen credit card bazaars provide all the information that some banks were requiring for registration with Apple Pay.

    No legitimate user of Apple Pay was ever at risk of fraud or theft.

    But - thieves who acquired credentials have obviously been able to register stolen cards using Apple Pay.

    Due to the implied security of Apple Pay's design, this meant they could make multi-thousand-dollar purchases without even showing a photo ID.

    This has everything to do with Apple Pay. Between Apple and the issuing banks, someone certainly dropped the ball. Apparently the loophole is being closed.

    I'm continually amazed at the number of posters here who believe apple to be infallible, impermeable and invincible.

    Keep slurping that kool-aid, folks...
  • Reply 12 of 50
    solipsismy Posts: 5,099 member
    habi wrote: »
    To me this whole thing seems just so idiotic. Why would someone be so STUPID to try something like that? Apple has your fingerprint and your phone ID and your other credentials. Why pair other people's credit cards to your phone? Seems just like a sure way to get caught and get your ass jailed??? Man, it's like making a burglary and leaving your driver's license on the floor?!?!

    1) It could be a stolen iPhone.

    2) The device doesn't need a valid SIM card for it to be connected to the Internet and otherwise working.

    3) You don't need to use your fingerprint with Touch ID.

    4) There is no evidence Apple copies your Touch ID prints and then uploads to their servers. In fact I'm quite certain they don't, not to mention that Touch ID doesn't take a photograph of your fingerprint.
  • Reply 13 of 50
    xixo Posts: 450 member
    habi wrote: »
    To me this whole thing seems just so idiotic. Why would someone be so STUPID to try something like that? Apple has your fingerprint and your phone ID and your other credentials. Why pair other people's credit cards to your phone? Seems just like a sure way to get caught and get your ass jailed??? Man, it's like making a burglary and leaving your driver's license on the floor?!?!

    Apple doesn't have your fingerprint. It never leaves the phone.

    If you have stolen credit card credentials it's pretty easy to set up an Apple ID to use them.
  • Reply 14 of 50
    solipsismy Posts: 5,099 member
    xixo wrote: »
    This has everything to do with Apple Pay.

    Nope. At least try to comprehend the facts before you comment. One more fucking time: these stolen credentials were NOT stolen from the secure element used by Apple Pay. These stolen credentials could be used in any number of ways. The fact that some banks didn't have any challenge responses in their setup is their fault. The fact that some banks didn't automatically cancel cards, replace cards, and inform customers that their data was compromised through HD, Target, or some other Internet-based data breach is NOT Apple's fault, much less having everything to do with Apple Pay.
  • Reply 15 of 50
    solipsismy Posts: 5,099 member
    xixo wrote: »
    If you have stolen credit card credentials it's pretty easy to set up an Apple ID to use them.

    Only if the bank didn't protect their users properly when the data was stolen, where it was being used. Again, not an issue with Apple Pay.
  • Reply 16 of 50
    foggyhill Posts: 4,767 member
    Quote:
    Originally Posted by SolipsismY View Post





    1) It could be a stolen iPhone.



    2) The device doesn't need a valid SIM card for it to be connected to the Internet and otherwise working.



    3) You don't need to use your fingerprint with Touch ID.



    4) There is no evidence Apple copies your Touch ID prints and then uploads to their servers. In fact I'm quite certain they don't, not to mention that Touch ID doesn't take a photograph of your fingerprint.

     

    It doesn't take a photo, it basically samples your fingerprint, passes it through some kind of one way hash and stores it somewhere secure. I don't even think you can read the hash directly, you only find out if the input from touch ID matches it. After X tries to match security reverts to the long pin.

     

    I think it is crazy rare if this thing happens. You need a stolen iPhone 6/iPad that hasn't had activation lock on, had no pin, no touch ID on Apple pay and that crook had CC info from a card that wasn't reported stolen/canceled from a bank with weak security.

     

    That's some chain of fools!!

  • Reply 17 of 50
    misa Posts: 827 member
    xixo wrote: »
    Apple doesn't have your fingerprint. It never leaves the phone.

    If you have stolen credit card credentials it's pretty easy to set up an Apple ID to use them.

    Devil's Advocate...

    What is happening is that they take stolen numbers (which should have been blacklisted by banks after the Target and Home Depot breaches) and do the Apple Pay authorization from an iPhone. This is much easier and faster than creating physical swipe cards, and allows a thief to not look obtrusive when they walk into Apple stores or other places to buy high value items.

    Now... Imagine if this was CurrentC. Once your ACH numbers are stolen, you are royally and utterly screwed. You would need to alert the bank to freeze the bank account immediately, assuming your money hasn't already been cleaned out in one shot. You have no recourse to recover it, and the banks will just go "you shouldn't have given out your bank account number, it's the same as handing someone a blank check"

    It kinda boggles the mind when Australians readily hand out their bank account numbers, but their bank system is different and actually allows a form of direct deposit without handing over the keys to the account. Not true of American or Canadian banks. This is why CurrentC is dead before it arrives.

    Paypal and Amazon Payments were the only real options to not handing your payment information directly to potential fraudsters. Most other options are too proprietary and have no support from banks. You know what is the most widely used payment system for committing fraud? Western Union. Because there's no identity verification whatsoever.

    Apple Pay is kinda this middle road. It offers a secure method of payment without physically handing out the card number in-the-clear to merchants, but it puts the risk on the banks for actually having a verification process to start this secure process. So it's not Apple Pay that is at fault, but the banks. This all goes back to the swipe-cards being stupidly insecure, and banks automatically approving anything with a working card number.

    When you work in a call center, and people tell you their card numbers over the phone, the credit card verification system tells you when it doesn't match, but you can still just click "accept anyway" and off it goes. This is because the only numbers that have to be correct are the card number and the expiry. The name on the card can be anything, the billing address can be anything, and the postal code/zip code can be anything.

    With ACH, the system has no way of verifying anything and will accept any name and number. So it's entirely possible for a phone representative to pay someone else's account with your ACH payment information because there is no verification. This is just how banks work.
  • Reply 18 of 50
    foggyhill wrote: »
    Imagine the Watergate break-in being sourced that way...

    Journalists today would call Watergate "Watergategate" without blinking.
  • Reply 19 of 50
    pfisher wrote: »
    It doesn't matter. Perception is everything. Also, it has everything to do with Apple Pay. If you use Apple Pay fraud can occur.

    You are perpetuating an ignorant logical fallacy. Proud of yourself?
  • Reply 20 of 50
    plovell Posts: 824 member
    Quote:

    Originally Posted by pfisher View Post

     


    If you use Apple Pay fraud can occur.

    Actually, the victims of this fraud are mostly not users of Apple Pay. They're just ordinary folks who've had their credit card info hacked, and loaded onto a stolen iPhone (or one itself obtained by fraud).
