Slashdot Mirror


Fraud Rampant In Apple Pay

PvtVoid writes with this report from the New York Times, excerpting: An industry consultant, Cherian Abraham, put the fraud rate [for Apple Pay] at 6 percent, compared with a traditional credit card fraud rate that is relatively minuscule, 10 cents for every $100 spent. [i.e. one tenth of one percent]. The vulnerability in Apple Pay is in the way that it — and card issuers — "onboard" new credit cards into the system. Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process "frictionless," the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early. The banks, desperate to become their customers' default card on Apple Pay — most add only one to their iPhones — did little to build their own defenses or to push Apple to provide more detailed information about its customers. Some bank executives acknowledged that they were so scared of Apple that they didn't speak up.

12 of 269 comments

  1. Re:Calculated risk by DogDude · · Score: 4, Informative

    . They just pay it from their profits, and the customer doesn't have to worry.

    No, they charge the merchant all different rates based on the risk of that particular transaction. There are hundreds of categories of cards, swiped vs non-swiped, address info vs no address info, etc. Apple Pay is going to be absurdly expensive for the merchants dumb enough to take it.

    --
    I don't respond to AC's.
  2. Re:Calculated risk by Anonymous Coward · · Score: 2, Informative

    they charge the merchant all different rates based on the risk

    And then on top of that, when fraud is caught they just take the money back out of the merchant's account.

    In no way do they ever "pay it from their profits".

  3. Re:Aren't these already compromised cards? by Anonymous Coward · · Score: 0, Informative

    The story doesn't really indicate how this could be much of Apple's problem - it sounds like the cards that are getting used are already stolen?

    I guess what's happening is criminals are getting stolen CC info, and are then able to use it in a physical environment via Apple Pay where it previously would have required printing a forged card?

    The article mentions that it's easier to get away with fraud in person because the lack of shipping delay leaves less time to catch it, which shows why they'd be so eager to jump to a method like this.

    It's Apple's problem because they're not providing enough information to the banks and credit card companies. For instance if it just shows up as "APPLE PAY" on my credit card statement, instead of "AP: WHOLE FOODS FL" it would be hard to catch the fraud that is revealed when you consider that I used my credit card last night in Oregon and hours later via some Apple Pay account at a Florida Whole Foods in person.

    Paypal used to have the same exact problem but now provide lots of details on my statement instead of just "PAYPAL."

  4. Re:Aren't these already compromised cards? by Ronin+Developer · · Score: 5, Informative

    I read another article on this. As the article tries to expose, the fault lies not in Apple Pay, but rather in (as the article suggests), the process by which cards are authorized for use with Apple Pay during the onboarding process. There are two paths, the Green Path and the Yellow Path when authorizing a card. The difference is the types of information collected and passed. Most cards go down the Green path. But, when a card has incomplete information, it goes down the Yellow path and is subject to less stringent and, sometimes, manual intervention. It is down this pathway where the fraud occurs.

    While a card is being approved during the Yellow pathway, the card can be used using the card number, expiration date and, not always, the security check value.

    It is up to the banks and card issuers to secure their onboarding process. Apple (via Apple Pay) is not responsible for ensuring this takes place. Thankfully, the fraud is easy to detect and remedy. Next year, when our cards all have chips in them, the exposure via the Yellow Path will all be eliminated.

    Apple supporters were right to call out Mr. Abraham - he is biased and attempting to create FUD against Apple and Apple Pay. The real fault and finger pointing needs to be directed to the banks and they need to get their houses in order.

  5. Simplicity? by serviscope_minor · · Score: 5, Informative

    How on earth does Apple Pay have more simplicity than a credit card? Here's how it works with a credit card:

    1. Touch card or even whole wallet on reader.
    2. Done!

    And for more expensive transactions (over 20GBP, soon to be 30):

    1. Insert card.
    2. Enter PIN.
    3. Done.

    It doesn't get much simpler than the first one, really. I don't even have to extract my card.

    --
    SJW n. One who posts facts.
  6. Re:Aren't these already compromised cards? by Solandri · · Score: 4, Informative

    When you use a credit card online or in the store, the merchant can use various information like your address, phone number, the security code printed on the card, your signature, to confirm the card is valid. (The U.S. is finally rolling out EMV smart card chips.) This is actually optional - the merchant doesn't have to do it. But if the cardholder issues a chargeback, the merchant's chances of successfully contesting the chargeback are much better if they've used these options. If you've ever wondered why the gas pump asks for your zip code when you use a credit card, this is why. It's not trying to collect marketing data, it's doing a rudimentary identity check to elevate the chances that you are the card's actual owner.

    Anyhow, allowing transactions using only the card numbers themselves is horribly flawed because anyone can just take a photo of a card to get its numbers. So the credit card companies have come up with these other methods to "verify" the card's authenticity. (I put it in quotes because it doesn't actually verify the card's authenticity, just reduces the chances the card is not authentic.) Apparently Apple refused to forward much if any of this information to the banks when a fresh card is first being loaded into Apple Pay, making it easy to load a stolen credit card - easier than actually using the card for a purchase. And the banks were too cowed to make an issue of it, landing them in the mess they're in.

    On the one hand it's the bank's fault for not speaking up and pressing a vital security issue. On the other hand it's Apple's fault for being an 800 pound gorilla which uses its market clout to force concessions from its partners. Stuff like this is why you always want at least two strong competitors in a given market - so if one makes unreasonable demands of a business partner, the partner is not afraid to tell them to go jump in a lake. It's the same reason we allow unions - because the hiring employer has a lot more clout than the individual employees.

  7. Re: accounts by BitZtream · · Score: 5, Informative

    My bank and CC companies verified my request to add the card to ApplePay after I added it to my phone but before it was usable.

    I had to log in to THEIR sites, not Apple's.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  8. Apple does not obfuscate transaction info by sjbe · · Score: 4, Informative

    It's Apple's problem because they're not providing enough information to the banks and credit card companies. For instance if it just shows up as "APPLE PAY" on my credit card statement, instead of "AP: WHOLE FOODS FL"

    That does not happen. When I use ApplePay it shows up on my credit card statement as WALGREENS #3493 or similar. I just looked at a statement to confirm. Apple doesn't even appear on the statement line anywhere unless I'm actually buying something from Apple themselves (like through iTunes). They're providing all the information the merchants need to do the transaction and do it securely. If the banks cannot be bothered to secure their credit cards then that is a problem Apple needs to work out with the banks.

    Paypal used to have the same exact problem but now provide lots of details on my statement instead of just "PAYPAL."

    Different company, different product, different procedures. Not remotely relevant to this discussion because Apple does not do that.

  9. Re:Yes simplicity by serviscope_minor · · Score: 3, Informative

    ApplePay is significantly less hassle than a credit or debit card

    I don't have to do any of that to pay with my debit card. I touch my wallet to the reader and I'm done.

    Yeah, that doesn't work.

    Yeah it does.

    Certainly doesn't work from inside my wallet and even if it did I'd still be asked to show the card and/or my ID.

    My wallet is not a Faraday cage, and I've never been asked to reveal my card. Hell, many of the places I use it aren't even manned.

    You must not do much shopping in the US because you definitely have to here.

    Nope, almost none, seeing as I live in Europe.

    --
    SJW n. One who posts facts.
  10. Re:Aren't these already compromised cards? by Austerity+Empowers · · Score: 5, Informative

    ...and stop calling me Shirley.

  11. Re:Aren't these already compromised cards? by Theaetetus · · Score: 4, Informative

    I always assumed CCV was designed to offer basic protection against incidental photographs of the card being taken, and other situations where only one side of the card has been compromised.

    Not really - Amex puts its CCV on the front of the card. The real purpose is that the CCV isn't encoded in the magnetic strip, and isn't embossed, so theoretically, someone using a magnetic swiper to steal data or someone dumpster diving for those old carbon paper-imprint style records would get the numbers but not the CVV.

    But of course, the person who is stealing your credit card info is most likely your waiter, and they have a minute or two with your card over at the POS to copy down the CVV manually.

  12. Re:Aren't these already compromised cards? by Anonymous Coward · · Score: 3, Informative

    The reason why in Europe tipping is less "rampant" is that the tip is a tip and not the service charge. In most European countries, the service is calculated into the price of the meal, so you are paying the tip to encourage above average service and not to make sure the waiter gets paid at all.