Brian Jackson - Fotolia
Apple Pay fraud is on the rise and said to be caused by lax provisioning checks by banks, which some fear may ultimately threaten other mobile payment systems.
When Apple Pay was first unveiled by Apple in October 2014, it was touted for its increased security, thanks to tokenized Device Account Numbers and the Touch ID fingerprint system. However, recent reports indicate that Apple Pay fraud is being caused by lax provisioning checks by banks.
According to reports, criminals have been setting up iPhones with stolen personal information, then calling banks to authenticate a victim's card on the new device. This is so-called "Yellow Path" authentication, in which a card isn't automatically accepted (Green Path) or rejected (Red Path), but requires additional provisioning by the bank to be added to Apple Pay.
If this provisioning is successful, the bank will then beam an encrypted version of the card details to be stored on the Secure Element of the phone. Yet at the heart of the problem is that some banks have lax Yellow Path processes, only asking for the last four digits of a Social Security number, leading to criminals using stolen identities and credit/debit cards to purchase high-priced goods, often from Apple Stores.
Cherian AbrahamMobile commerce and payments lead at Experian Global Consulting
Avivah Litan, vice president and distinguished analyst for research firm Gartner Inc., based in Stamford, Conn., said that this kind of fraud is a fundamental flaw that will affect all mobile payment services.
"This isn't necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card," Litan wrote in a blog post. "That always appeared to me to be the weakest link in mobile commerce -- making sure you provide the app to the right person instead of a crook."
Apple Pay fraud warning signs
Apple Pay fraud is getting attention now, but Cherian Abraham, mobile commerce and payments lead at Experian Global Consulting, based in Costa Mesa, Calif., and an adviser on multiple mobile payments boards, has been writing about the potential for this kind of fraud for two months.
In January, Abraham wrote about the wide variations in how participating card issuers were dealing with Yellow Path checks for Apple Pay, and noted that the inconsistency stemmed from Apple failing to make Yellow Path checks mandatory until less than one month before Apple Pay was launched, leaving the banks little time to refine and implement strong authentication processes.
Abraham reported that an unnamed card issuer had seen a case of Apple Pay fraud equal to roughly $6 per $100 worth of transactions, while issuers had hoped the increased security of Apple Pay would keep fraud to around $.02 to $.03 per $100 of transactions.
"The levels of fraud has varied since launch," Abraham wrote in a February blog post, but said this level of fraud is no longer seen as an anomaly to be chalked up to early Apple Pay bugs. "Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one is bold enough to call the emperor naked."
Litan said that she has been been worried for years about procedures behind identity proofing in non-face-to-face situations, like with mobile apps. She said bankers often complain that they don't get enough information from Apple Pay to support fraud processes. Litan said that the problem stems from an overreliance on personally identifiable information (PII).
"The key is reducing reliance on static data," Litan wrote, "much of which is PII data that has been compromised by the crooks -- and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements."
Abraham said that fraudsters are far better at social engineering than call centers are at identifying fraud, and there is no good way to track fraudulent activity back to the lax provisioning checks that may have caused the problem. Abraham suggested that banks need to find a way to handle token requests that can scale and don't rely on call centers, because the mobile payments ecosystem is only going to grow from here.
"Apple Pay is just the first among the hundreds of token requestors that will come to dot the tokenization landscape," Abraham wrote. "If every time I add my card to a token requestor (say, Amazon), and I have to call my bank – well … in short, provisioning must become secure, invisible and scalable."