
Amid Apple Pay fraud, banks scramble to fix Yellow Path process

Banks are rushing to fix sloppy authentication processes at the heart of rising Apple Pay fraud. Experts also worry about potential fraud with other mobile payment systems.

Apple Pay fraud is on the rise and is said to be caused by lax provisioning checks by banks, a weakness some fear may ultimately threaten other mobile payment systems.

When Apple Pay was first unveiled by Apple in October 2014, it was touted for its increased security, thanks to tokenized Device Account Numbers and the Touch ID fingerprint system. However, recent reports indicate that Apple Pay fraud is being caused by lax provisioning checks by banks.

According to reports, criminals have been setting up iPhones with stolen personal information, then calling banks to authenticate a victim's card on the new device. This is so-called "Yellow Path" authentication, in which a card isn't automatically accepted (Green Path) or rejected (Red Path), but requires additional provisioning by the bank to be added to Apple Pay.

If this provisioning is successful, the bank will then beam an encrypted version of the card details to be stored on the Secure Element of the phone. Yet at the heart of the problem is that some banks have lax Yellow Path processes, only asking for the last four digits of a Social Security number, leading to criminals using stolen identities and credit/debit cards to purchase high-priced goods, often from Apple Stores.

Avivah Litan, vice president and distinguished analyst for research firm Gartner Inc., based in Stamford, Conn., said that this kind of fraud is a fundamental flaw that will affect all mobile payment services.

"This isn't necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card," Litan wrote in a blog post. "That always appeared to me to be the weakest link in mobile commerce -- making sure you provide the app to the right person instead of a crook."

Apple Pay fraud warning signs

Apple Pay fraud is getting attention now, but Cherian Abraham, mobile commerce and payments lead at Experian Global Consulting, based in Costa Mesa, Calif., and an adviser on multiple mobile payments boards, has been writing about the potential for this kind of fraud for two months.

In January, Abraham wrote about the wide variations in how participating card issuers were dealing with Yellow Path checks for Apple Pay, and noted that the inconsistency stemmed from Apple failing to make Yellow Path checks mandatory until less than one month before Apple Pay was launched, leaving the banks little time to refine and implement strong authentication processes.

Abraham reported that an unnamed card issuer had seen a case of Apple Pay fraud equal to roughly $6 per $100 worth of transactions, while issuers had hoped the increased security of Apple Pay would keep fraud to around $0.02 to $0.03 per $100 of transactions.

"The levels of fraud have varied since launch," Abraham wrote in a February blog post, but said this level of fraud is no longer seen as an anomaly to be chalked up to early Apple Pay bugs. "Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one is bold enough to call the emperor naked."

Litan said that she has been worried for years about the procedures behind identity proofing in non-face-to-face situations, such as with mobile apps. She said bankers often complain that they don't get enough information from Apple Pay to support fraud processes. Litan said that the problem stems from an overreliance on personally identifiable information (PII).

"The key is reducing reliance on static data," Litan wrote, "much of which is PII data that has been compromised by the crooks -- and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements."

Abraham said that fraudsters are far better at social engineering than call centers are at identifying fraud, and there is no good way to track fraudulent activity back to the lax provisioning checks that may have caused the problem. Abraham suggested that banks need to find a way to handle token requests that can scale and don't rely on call centers, because the mobile payments ecosystem is only going to grow from here.
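To make the provisioning decision concrete, here is an added illustrative model (not code from Apple, any card issuer, or the people quoted) of the Green/Yellow/Red routing described above, the last-four-SSN check at the heart of the problem, and a Yellow Path step-up built on the dynamic signals Litan recommends and the automated, call-center-free handling Abraham calls for. The card records, thresholds, field names and routing rules are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

GREEN, YELLOW, RED = "green", "yellow", "red"

# Constructed issuer records keyed by card last-4: static KBA answer on file,
# card status, and age of the customer relationship in days (illustrative only).
CARDS = {
    "4242": {"ssn4": "1234", "status": "active", "account_age_days": 900},
    "7777": {"ssn4": "5678", "status": "active", "account_age_days": 12},
    "9999": {"ssn4": "2468", "status": "stolen", "account_age_days": 400},
}

@dataclass
class ProvisionRequest:
    card_last4: str   # card the wallet asks to provision
    ssn4: str         # static KBA answer the caller supplies
    device_id: str    # device identifier presented by the token requestor
    phone: str        # callback number the caller supplies (not the one on file)

def route(req):
    """Initial Green/Yellow/Red routing on the issuer's own records (assumed rules)."""
    card = CARDS.get(req.card_last4)
    if card is None or card["status"] in ("lost", "stolen"):
        return RED                       # automatically rejected
    if card["account_age_days"] < 30:
        return YELLOW                    # new relationship: extra provisioning checks
    return GREEN                         # automatically accepted

def weak_yellow_path(req):
    """The lax check the article describes: a last-4 SSN match alone approves the card.
    Stolen PII passes this check just as well as the real cardholder does."""
    card = CARDS.get(req.card_last4)
    return card is not None and card["ssn4"] == req.ssn4

class YellowPathEngine:
    """Yellow Path step-up on dynamic data: velocity of one device or callback number
    across distinct cards, and confirmation through a channel already on file."""
    def __init__(self, velocity_limit=2):
        self.velocity_limit = velocity_limit
        self.cards_per_device = defaultdict(set)
        self.cards_per_phone = defaultdict(set)

    def evaluate(self, req):
        self.cards_per_device[req.device_id].add(req.card_last4)
        self.cards_per_phone[req.phone].add(req.card_last4)
        if (len(self.cards_per_device[req.device_id]) > self.velocity_limit
                or len(self.cards_per_phone[req.phone]) > self.velocity_limit):
            return "deny", "one device or phone is provisioning many cardholders' cards"
        # Static KBA never approves on its own; confirm out of band with the customer.
        return "step_up_oob", "confirm via the contact on file, not the supplied number"
```

Running the engine over several requests from the same device shows the difference: each one passes the static last-4 check, but the third distinct card from one device is denied before any card details are sent to the phone.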

"Apple Pay is just the first among the hundreds of token requestors that will come to dot the tokenization landscape," Abraham wrote. "If every time I add my card to a token requestor (say, Amazon), and I have to call my bank – well … in short, provisioning must become secure, invisible and scalable."

Do you trust the security of mobile payment systems?
The answer is yes! I trust the security of mobile payment systems. Why? Because I have worked with them for the longest time and have not experienced any insecurity so far. The systems are pretty discreet and comprehensively structured. The efficiency is remarkable and even at times when I have made a mistake and sent money to the wrong recipient, there are systems to reverse the transaction. I have no reservations at the moment.
Don't the banks have a list of lost or stolen cards to access (which they can do automatically) and channel each request into red or green automatically - or is the problem associated with very recent lost or stolen cards? If cards won't work perhaps bank account numbers would.
I would imagine if you record all of the phone calls coming in and tag them, looking at points on speech patterns, at the very least you might not be able to identify a person, but you could certainly spot the same person phoning up using different names, etc. That would be enough to say this is fraud and not a genuine person.
Do banks need to change, or does Apple Pay? I'd say both.
The issue here isn't the technology, it's the weak link in every fraud and security chain - HUMANS. We've seen it time and again. In movies, the bad guys let in James Bond because he's charming. In supposedly secure systems, our colleagues are subject to phishing attacks because they're gullible. It's not always the technology that gets breached. I think people need to smarten up and get more vigilant about keeping walls up and properties safe. 'Nuf said.