Fraud Rampant In Apple Pay
PvtVoid writes with this report from the New York Times, excerpting: An industry consultant, Cherian Abraham, put the fraud rate [for Apple Pay] at 6 percent, compared with a traditional credit card fraud rate that is relatively minuscule, 10 cents for every $100 spent. [i.e. one tenth of one percent]. The vulnerability in Apple Pay is in the way that it — and card issuers — "onboard" new credit cards into the system. Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process "frictionless," the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early. The banks, desperate to become their customers' default card on Apple Pay — most add only one to their iPhones — did little to build their own defenses or to push Apple to provide more detailed information about its customers. Some bank executives acknowledged that they were so scared of Apple that they didn't speak up.
The story doesn't really indicate how this could be much of Apple's problem - it sounds like the cards that are getting used are already stolen?
I guess what's happening is criminals are getting stolen CC info, and are then able to use it in a physical environment via Apple Pay where it previously would have required printing a forged card?
The article mentions that it's easier to get away with fraud in person because the lack of shipping delay leaves less time to catch it, which shows why they'd be so eager to jump to a method like this.
Apple Pay is simply going to get too expensive for all but the most clueless merchants to use, both from the fraud and from Apple's eventual fees. It was a bad idea to begin with, and it's a bad idea now.
I don't respond to AC's.
I could see the big bad CEOs being scared when Jobs was in charge, but Cook?
God, bankers are even bigger pussies than I thought.
That is all.
For credit cards, frauds are nothing to banks. They just pay it from their profits, and the customer doesn't have to worry. Maybe it is the same here? Perhaps it still pays off for the banks and Apple to do that extra business, and it works out in their calculation.
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Both of the banks and the one CC card I have on ApplePay required I read an email, click a link and log in to my account and explicitly authorize the use of the card before it was usable.
You mean there are companies NOT doing this?!
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
> Some bank executives acknowledged that they were so scared of Apple that they didn't speak up.
And such officials are still employed? In my opinion, such employees are good candidates for immediate termination.
But wait! We're gonna hear about the usual vitriol from these banks. It will go something like this:
"We take [the] security of our operations and clients' accounts with us very seriously."
"We process in excess of several billion transactions daily and although fraud is part of our industry, it constitutes less than 0.1% of our business." "Our bank is committed to providing the best security there is in this business..."
> Some bank executives acknowledged that they were so scared of Apple that they didn't speak up.
It's a sign of the politically correct times, they were so afraid of being accused of homophobia that they allowed an insecure system.
> 10 cents for every $100 spent. [i.e. one tenth of one percent]
Thanks for doing the hard work for us. No way I could have done that calculation myself.
.. I had to electronically send in a picture of a government-issued photo ID and a recent utility bill showing my home address.
Short story: Retailers should probably trust Google's platform more when it comes to fraud.
The fraud would have to be much higher before the banks bail on Apple Pay. At this level they will do what any business does: absorb the loss up front with the affected customers but pass the loss on as fees to the merchants. Remains to be seen if merchants will charge a premium for Apple Pay use. Customer will pay eventually, I think.
So.... are the criminals just getting warmed up? If the system is so easy to game that it has this sort of loss with just basic passing of bad cards, will there be a fraud assault by organized crime that will increase the fraud to an unsustainable point? Or will the banks and Apple get their poop together and plug the holes in the money boat?
How do I know it's safe? Siri told me so.
Yes, but it is ridiculously easy to create a phoney name account on iTunes. None of my accounts are tied to my actual self. Originally I created multiple accounts to access music titles in different iTunes stores and I don't see that Apple has instituted any significant changes to prevent this.
What good is authenticating against an account that is going to be bogus?
Towers of gold; feet of clay.
How on earth does Apple Pay have more simplicity than a credit card? Here's how it works with a credit card:
1. Touch card or even whole wallet on reader.
2. Done!
And for more expensive transactions (over 20GBP, soon to be 30):
1. Insert card.
2. Enter PIN.
3. Done.
It doesn't get much simpler than the first one, really. I don't even have to extract my card.
SJW n. One who posts facts.
My bank and CC companies verified my request to add the card to ApplePay after I added it to my phone but before it was usable.
I had to log in to THEIR sites, not Apple's.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
> Apple Pay is simply going to get too expensive for all but the most clueless merchants to use, both from the fraud and from Apple's eventual fees.
Anything Apple might charge will be a rounding error compared to the 3-5% the credit card companies charge merchants. Furthermore those fees get passed on to the customers so merchants only give a shit if their competition doesn't have to pay the same fees.
Regarding the fraud, it sounds like the banks aren't following their own security procedures which results in... duh, fraud.
> It was a bad idea to begin with, and it's a bad idea now.
I could not disagree more. I'm not an Apple fanboi but I've used ApplePay and it's fantastic for customers. It's easily the best piece of tech I've seen come out of Apple since the iPhone itself. Remains to be seen how it will do in the market but Apple pretty much nailed the customer experience. If the banks cannot be bothered to follow appropriate fraud procedures then that's on them.
Suppose the industry banded together and said not just no but "Hell. No!" to measures to water down security in the name of convenience. Then they'd be accused of anti-competitive tactics and trying to protect their business model by many of Apple's supporters.
> .. I had to electronically send in a picture of a government-issued photo ID and a recent utility bill showing my home address.
Google can kiss my shiny-white-hiney if they think I'm going to share any of that with them. They already know too much about me. My bank has more than adequate information to confirm my identity to Apple or Google. They don't need more than they already have.
> Short story: Retailers should probably trust Google's platform more when it comes to fraud.
Right because it would be so hard to forge a picture of a government photo ID and utility bill...
Apple Pay is for stupid people.
> It's Apple's problem because they're not providing enough information to the banks and credit card companies. For instance if it just shows up as "APPLE PAY" on my credit card statement, instead of "AP: WHOLE FOODS FL"
That does not happen. When I use ApplePay it shows up on my credit card statement as WALGREENS #3493 or similar. I just looked at a statement to confirm. Apple doesn't even appear on the statement line anywhere unless I'm actually buying something from Apple themselves (like through iTunes). They're providing all the information the merchants need to do the transaction and do it securely. If the banks cannot be bothered to secure their credit cards then that is a problem Apple needs to work out with the banks.
> Paypal used to have the same exact problem but now provide lots of details on my statement instead of just "PAYPAL."
Different company, different product, different procedures. Not remotely relevant to this discussion because Apple does not do that.
> I like the looks of Apple Pay, and think it's a great move forward but even as an Apple fan, it seems bizarre for Apple to move forward on their own payment standard rather than the industry creating one.
ApplePay uses industry standard technology that was not created by Apple. Apparently you were not aware of this. Plenty of merchants already have the necessary tech to use ApplePay whether or not they elect to accept it. The only thing Apple did was to make setting up and using the whole thing FAR easier. I fully expect ApplePay to get copied in part or in whole by the Android and Windows ecosystems.
While I'm sure there is fraud, and maybe it is rampant, Abraham's 600bps statement is backed by no source. He might as well have pulled out the old, "some people say" line to use with it.
Mastercard and Visa are the only two companies that handle credit card transactions at the end of the day, and they've often admitted they're effectively the same company. Apple is acting as a credit card processor, and affording nothing more than a luxurious API to developers and consumers at a premium that includes the credit card processing fee assessed by the only credit card processing monopoly in America. It's why credit card companies compete with, but ultimately don't care about, Apple Pay. They control the VAN (value-added networks) through which credit and debit cards get processed.
What Apple should be worried about here is fraud, for which credit card companies have zero tolerance outside their own fuckups. Screw up too many times and your processing fees go up and banks flag you for fraud analysis. Screw up way too many times and they revoke your processing capability entirely.
Good people go to bed earlier.
> Contactless is pointless and expensive as fuck for merchants.
If your customers like it then it is not pointless. Furthermore most merchants either already have the tech or will have it within the next year. The costs get passed on to customers anyway so the only relevant comparison is if one merchant is getting a better deal than another merchant. If both accept the same methods of payment then there is effectively no cost to the merchant at all. You need to familiarize yourself with the concept of Incidence of Payment.
> I can't imagine many businesses where the "neat-o" factor from a few phone enthusiasts to be able to pay with their phones is going to outweigh the costs.
Because it won't be just a few phone enthusiasts. Have you not paid any attention to the effect Apple often has on markets it enters? ApplePay is easy enough my mother can use it and I assure you that she is no "phone enthusiast" and certainly not a techie. If you need an example, walk into any Starbucks and watch how many people pay with their phones. And that process is MUCH harder than ApplePay. People LIKE this tech and they'll use it.
> How on earth does Apple Pay have more simplicity than a credit card?
No swipe. No handing the card to the cashier to verify signatures. No request for ID. No pulling the card out of the wallet. No signature. Takes about 3 seconds for the payment to complete. ApplePay is significantly less hassle than a credit or debit card.
I've actually used ApplePay and there is not a faster or easier payment method out there right now. Not credit cards, no other contactless payment system, not cash, and certainly not checks. They all have their uses and advantages but given a choice and having used all of them I'd use ApplePay preferentially in most cases. I almost always have my phone with me anyway so it works great for me.
> 1. Touch card or even whole wallet on reader.
Yeah, that doesn't work. Hell, I have a chipped card and most of the places I've tried it it does not work because the merchant disabled the capability. Certainly doesn't work from inside my wallet and even if it did I'd still be asked to show the card and/or my ID.
> It doesn't get much simpler than the first one, really. I don't even have to extract my card.
You must not do much shopping in the US because you definitely have to here.
Here's how it gets easier. No cards to carry. I don't know about you but I carry four credit cards with me. Heck I could even imagine no wallet. One less thing to carry. Touch phone to reader... done. Works for other things too... unlike your credit card. Hotel door room, electronic key for your car/house, airline boarding passes, movie passes. (Yes, I'm mixing the two... but that shows the simplicity of it.) One phone to rule them all! (small print: "And in the darkness bind them.") :D
There is so much FUD and disinformation in this story and the comments posts that the entire page is useless. Most of you people reveal a strong bias against Apple in your writing (much of which also is produced by embarrassingly undereducated writers) and you have gotten many of the facts wrong as well. Move on. Nothing to see here.
I would presume Apple.
Does this mean I never have to pay for anything out of my own pocket for the rest of my life?
This is a good example of what happens when a market is totally unregulated:
* big fish eats small fish; Interestingly, small fish here are the banks, and even smaller fish are the consumers
The remedy to this situation may be to force insurance costs across all transacting parties, so that there is an incentive for liability and correct behaviour.
Otherwise, what we have here is banks passing down the risks to consumers, who are little to not able to react and avoid their troubles.
Or, you can hope that one day the banks will automatically fix the problem. Oh, boy.
Laissez-faire, in the wild financial west, anyone?!
At this point Apple has become synonymous with "insecure".
"If any question why we died, Tell them because our fathers lied."
They invented digital transactions, give them a little leeway.
Aren't all companies who back-end credit cards... aren't they supposed to have certification to make sure everything is okay?
A 10% fraud rate compared to any of its nearest competitors (tap-to-pay cc, google wallet) is insane.
I don't want to sound too optimistic, but if someone's using one of these compromised CCs, with Apple Pay at least you have their fingerprint on record. The rest of the thief catching process is trivial.
LA
Seems that the concept of re-inventing the wheel causes the folks new to the picture to either be ignorant of, or discounting all existing risk.
I can hear product management now: "Get the feature out - all of those concerns from the big fat banks aren't important - this is new! none of those problems will occur this time around !!!"
Apple isn't responsible for banks' security or lack thereof. Some banks apparently let you activate any card you have the information off of. My credit union (not an employee, just a very happy customer) went live with Apple Pay this morning and it was nothing like the story described. I added my debit card, and the Passbook app popped up a notice that I had to call my CU, including a button to push to dial them. The customer service rep asked for my "phone and chat authorization password", which is a password they required me to set up earlier and is not the same as my banking login password. Then she asked me to describe my most recent debit card purchase and for the name of the company that direct deposits my salary. Only then did she authorize my debit card for Apple Pay.
It was mildly inconvenient in exactly the way I want my banking security to be. It wasn't enough for me to take a picture of some random credit card I'd found. Instead, I had to call my CU and convince an actual human that I'm who I claim to be. It wasn't perfect, sure: she didn't require a DNA sample or a retina scan, but it was vastly more secure than any other debit or credit card transaction I've ever made before.
Some banks (again, not Apple) are playing fast and loose with security for the short term convenience of their users. It sucks in the long term, sure, when the bank lets a thief authorize a stolen debit card and their customer has to get a new one issued, but someone did the math and decided this was a good idea. That's a problem with those banks, though, and not a design flaw in the system. Apple can't do much to improve that unless they wanted to man-in-the-middle security checks between a bank and its customers.
Dewey, what part of this looks like authorities should be involved?
This is Big Deal at work. We saw nothing like this with Softcard or Google Wallet, and most of the causes are related to sloppy onboarding. Right now we are writing off almost all losses, but that's only until we resolve the major problems.
This is not just the onboarding however, and we will see changes in how these charges are authed.
Growing pains. I'm not excessively worried yet.
deleting the extra space after periods so i can stay relevant, yeah.
Ditto here. I forget what I had to do to verify, but it was basically the same as if I had called in and wanted to do something with my account. In fact, that's exactly what it was! At the end of entering the card into my iPhone, it prompted me to call the card's service phone number, where I verified my identity, and then they activated Apple Pay. This was in December, well before the rash of articles on this topic, so wasn't just a knee-jerk reaction by my bank.
True, it wasn't as much security as the bank wanted when I wired a down payment for my house; after receiving that fax, they asked no fewer than TEN security questions. I didn't know they had that many pieces of knowledge about me!
So the person making this assertion is a consultant....
They didn't show their work in any way shape or form to back up their claim. Why would this person be any more knowledgeable about potential fraud rates than either the banks or Apple for that matter?
#businesstroll
Some bank executives acknowledged that they were so scared of COMPETITORS GETTING THE FEES that they didn't speak up.
When I added an AMEX Business card to my ApplePay, it required me to contact AMEX and then be put through the wringer of answering a bunch of obscure questions including responding as to whether I lived at the addresses they proffered. Some from decades ago. It's pretty freaky that a credit card company would know all that about you. There was probably little question that the card I was adding to ApplePay was assigned to me.
Fraudsters find the weakest link to exploit, in this case it is the issuers (which there are 100s btw) in the US. Apple Pay, just like EMV, is a secure _platform_, so therefore, if implemented properly can be used to combat fraud. If as an issuer you are accepting Apple Pay as a secure platform and do not complete the necessary quality checks to ensure the loaded card is not compromised you become the weakest link. I do not understand why people are calling for Apple Pay to increase the level of checks required when it is the issuing banks' laziness to implement proper controls in order to increase their speed to market. It is not until we have a market-wide dynamic CVV (or like technology) available will we ever see fraud virtually disappear. The fact is that issuers need more stringent controls in place in how they authorize a card into Apple Pay and two-factor authentication is a sure way to do it. Relying on information like social security numbers, address, location, etc. is no longer secure enough.
I would bet the high percentage of fraud is because not many people are even using the system for legitimate purposes. Why mess with my phone when a credit card works fine?
This article completely misrepresents the issue, which is identity fraud. Yes, I know it's easy to hate on Apple, but if you're a thoughtful individual, read this story at Forbes for a better explanation of the issue. ApplePay isn't at fault here. Banks and their lax verification practices are, when coupled with how easy it is to steal identity data.
The Apple-Pay software requires the iPhone with the fingerprint reader.
Doesn't Apple, and the Credit Card Companies, and the Banks, all know exactly who the criminal is?
Name and address included.
Once the authorities are notified, then it is a quick drive to arrest the criminal.
If the iPhone ApplePay is used in credit card fraud just once, then that iPhone should be blocked from any further ApplePay transactions.
Where is the problem here?
But it seems to me that more and more often the knee jerk reaction to these articles should be that they are full of crap and misdirection. Far too many news outlets, bloggers, etc, have realized the kind of click through they can generate by creating a fake Apple-Gate, and the torrent of hits from both sides of the conflict is too appealing for them to correct the content or unbias a headline.
- Holy crap, I've got MOD points! Who thought that was a good idea.
I think many people here are missing a key point... I read comments about cards with tap and pay being as easy to use as ApplePay, but the big problem with modern chip and pin cards (also contactless) is that you have to type a pin! And most of all you have to remember the damn pin!
I have 5 cards with chip and pin and do you think I'm able to remember all of them???
Apple Pay is still not available in Europe where I live but I would love it If I can get rid of the pin and use my fingerprint to authorize a payment. Now I have to open the phone, launch an application and read the pin...
I have worked in several places in the back office and the merchant always took the loss when there was a question of fraud.
Instead of:
> 6 percent, compared with a traditional credit card fraud rate that is relatively minuscule, 10 cents for every $100 spent. [i.e. one tenth of one percent]
How about:
> 6%, compared with a traditional credit card fraud rate of 0.1%.
History shows us that a company like Apple gets one shot when the market is already owned by someone else like Android. If there's a problem due to their carelessness, the banks could simply shut them down cold and demand big changes before they take a dime again. I'd hope Apple would be smart enough to know that. Someone should have told them to feel free to comment, no goons are here. We really want to know. Now they could be done.
Real shame, I own quite a few Apple products. Just not like they used to be. I'm wondering if I'll own any Apple products by 2020.