One of Apple’s big selling points -- perhaps the biggest -- for Apple Pay was that this sharp new payment-processing system it unveiled last September would be all but immune from fraud. “It’s easy, it’s secure, and it’s private,” Apple executive Eddy Cue declared at the rollout event.
As we wrote at the time: “We’ll see: Credit account information will flow between the customer and Apple at some point, somehow. Apple’s systems haven’t been anything like secure in the past (see here and here), so the company’s promise that this one will be rock-solid shouldn’t be taken as gospel.” We observed that although the iPhones carrying the Apple Pay app might be as secure as the company claimed, “the risk will reside somewhere.”
We told you so.
Reports have surfaced over the last week that fraudsters have found the soft underbelly of Apple Pay -- as one would expect -- and are exploiting it gleefully, with one security expert estimating the fraud rate at a stupendous $6 per $100 of transactions. “Fraud ... is growing like a weed,” says the expert, Cherian Abraham of Drop Labs, a mobile commerce consultant.
The security hole Apple claimed to have closed via Apple Pay may even make certain forms of fraud easier. Avivah Litan of Gartner Inc. wrote on her firm’s blog last week of being struck by learning at a recent information security conference of “how rampant Apple Pay fraud is.”
It’s possible that Apple’s boasts about the security of Apple Pay made the credit card industry too complacent. The flaw arose in a part of the system especially vulnerable to low-tech hacking.
Apple’s “security” pitch focused on the moment of transaction between customer and retailer; with Apple Pay, no credit card or card information passes from one to the other, so it can’t be hijacked by hackers. A customer simply swipes an Apple Pay-enabled iPhone at a retailer’s terminal, and the transaction is done. (Apple Pay will also be incorporated into the Apple Watch, which was introduced Monday.) That method may indeed short-circuit certain forms of credit card fraud and identity theft, but it doesn’t close off all criminal opportunities.
The vulnerability occurs at an earlier step of the Apple Pay system, when users add their credit card numbers to Apple Pay accounts by communicating with their banks. Fraud rings are simply adding stolen credit card numbers to Apple Pay accounts, then buying merchandise using iPhones provisioned with the stolen numbers. By Apple’s rules, it’s up to credit card-issuing banks to verify the legitimacy of their cards when they’re added to Apple Pay, a process called “provisioning.” That’s where the system breaks down.
Banks are expected to require extra steps to validate users’ identities when they’re presented with suspect cards for Apple Pay provisioning. Sometimes the extra steps are ineffective. A user might be required to call an account rep and provide such personal information as a Social Security number or street address; but hackers with stolen credit cards often have enough other personal data about their real owners to answer the questions. In any case, banks try to make validation simple, so they don’t frustrate legitimate customers and overload their own understaffed call centers.
Once a card is provisioned into Apple Pay, it can be used with abandon. Because merchants accepting Apple Pay give up their opportunity to eyeball the credit card being used, Apple Pay actually could make it harder to stop fraudulent credit card use at the retail counter.
A criminal who acquired stolen Target credit card numbers through a massive hack of that retail chain’s data system in 2013 could use them via Apple Pay to buy merchandise from, well, Target. (The chain allows Apple Pay purchases online, though not at its stores.) According to the Wall Street Journal, more than three-quarters of the fraudulent purchases have been made at Apple’s own retail stores -- perhaps unsurprising, given the high value of the company’s merchandise.
Card-issuing banks say that cardholders won’t be held responsible for purchases made with their stolen cards via Apple Pay. Industry spokesmen say banks are tightening their procedures to validate suspect cards before they’re added to the payment processing system.
Does Apple deserve some blame for the use of fraudulent credit cards on its system? The answer is yes. The company left it to the banks to determine when they wished to require additional verification, and by what means, before greenlighting a card for Apple Pay. But Apple could have mandated tougher standards on its own, say by refusing to accept cards that hadn’t been put through the validation wringer.
Possibly due to its desire to line up as many card issuers as possible for the service, Apple may not have wished to increase the banks’ costs by demanding stricter verification. Given that Apple Pay is designed to supplant merchants’ point-of-sale verification of credit cards, perhaps that was the wrong decision, especially since Apple’s own brand name is on Apple Pay.
Gartner’s Litan says the problem of “identity proofing in a non-face-to-face environment...is only going to get worse” as Apple rivals, including Samsung, roll out their own payment processing apps. She’s critical of Apple and other processing vendors for leaving validation policies to the banks. “Maybe it’s time for them to reconsider and start helping their client banks and service providers by supporting identity proofing solutions built into their apps,” she wrote.
The episode is another reminder, as Abraham wrote on his blog, “that the strongest chain is only as good as its weakest link -- and those with malice are almost always the first to find it.” Although the card-issuing banks are responsible for setting up their own provisioning validation systems for Apple Pay, Abraham contends that it was up to Apple to make sure those systems were foolproof, and to warn the banks of gaps.
The reason is now obvious: Any hole along the line undermines Apple’s claim that Apple Pay is a big step forward in security. But who really believed that Apple Pay would be rock-solid secure in the first place?