Slashdot Mirror


Fraud Rampant In Apple Pay

PvtVoid writes with this report from the New York Times, excerpting: An industry consultant, Cherian Abraham, put the fraud rate [for Apple Pay] at 6 percent, compared with a traditional credit card fraud rate that is relatively minuscule, 10 cents for every $100 spent. [i.e. one tenth of one percent]. The vulnerability in Apple Pay is in the way that it — and card issuers — "onboard" new credit cards into the system. Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process "frictionless," the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early. The banks, desperate to become their customers' default card on Apple Pay — most add only one to their iPhones — did little to build their own defenses or to push Apple to provide more detailed information about its customers. Some bank executives acknowledged that they were so scared of Apple that they didn't speak up.

7 of 269 comments

  1. Aren't these already compromised cards? by Galaga88 · Score: 5, Interesting

    The story doesn't really indicate how this could be much of Apple's problem - it sounds like the cards that are getting used are already stolen?

    I guess what's happening is criminals are getting stolen CC info, and are then able to use it in a physical environment via Apple Pay where it previously would have required printing a forged card?

    The article mentions that it's easier to get away with fraud in person because the lack of shipping delay leaves less time to catch it, which shows why they'd be so eager to jump to a method like this.

    1. Re:Aren't these already compromised cards? by rgbscan · Score: 5, Interesting

      This is exactly what it is. Already compromised cards being added as payment token. Banks are supposed to follow a protocol called "Yellow path" to prevent this fraud, but since everyone wants their ApplePay to work right away without having to call a call center, a lot of banks are lenient on the security checks. This is not a problem with Apple's technology, or the secure element on the phone, or the fingerprint reader. This is a bank allowing a card to be added to an ewallet, presumably because the party adding the card has all the relevant info (stolen identity) to make it work.

    2. Re:Aren't these already compromised cards? by _xeno_ · Score: 4, Interesting

      It may not be Apple's fault (exactly), but it sure as hell is their problem. If more than 1 in 20 ApplePay transactions are fraudulent, what merchant in their right mind is going to accept it as a payment method? (Remember that fraud is paid by the merchants, not the banks.)

      Even if it isn't Apple's fault, it sure is their problem to solve.

      --
      You are in a maze of twisty little relative jumps, all alike.
    3. Re: Aren't these already compromised cards? by slew · Score: 4, Interesting

      Apple's implementation IS more *convenient* for the *fraudulent* user.

      FTFY. By hiding some of the transaction information from the banks that clear the transactions, the fraud detection heuristics used by banks are less effective. By requiring no physical trace of the transaction, the merchants don't have any incentive to intervene to avoid chargebacks, thus making it easier for those in possession of stolen card numbers to rack up charges.

      Actually this was quite predictable (and predicted by several industry folks), but fear of being left off the ship that was going to sail basically led the banks to just hope for the best as a cost of doing business.

      Reminds me of a story a co-worker told me. Back many moons ago (~20 years ago), he was a field engineer for mainframes. One day he got an emergency call from a customer that needed a mainframe fixed at some ridiculous hour of the morning. When he got there, his boss was there along with a half-a-dozen Bank presidents in suits in the computer room hovering and watching him work.

      Later he found out from his boss that it was a mainframe that did real-time credit card approvals and the bank was basically approving nearly all transactions blind whilst they waited for the computer to be fixed. The theory was that if they didn't do this, people would just take out another card and they would lose all the business for potentially several days (the once bitten twice shy on c-c declines). Apparently all the Bank presidents were there as part of an agreement to verify if he wasn't able to fix the computer within that hour, they would start denying large transactions and they expected to lose tens of millions of dollars in lost merchant fees if they did that (and something like that needed their immediate approval). That's why his boss didn't tell him that before he started working on the machine. No pressure...

    4. Re:Aren't these already compromised cards? by Theaetetus · Score: 3, Interesting

      But of course, the person who is stealing your credit card info is most likely your waiter, and they have a minute or two with your card over at the POS to copy down the CVV manually.

      And this is why the United States needs to move to EMV (Chip & Pin) like the rest of the world. Rather than the waiter taking your card away, they bring you a hand-held terminal, which you then take and perform the last portion of the contract yourself, with the card never leaving your hands.

      Yep. Great system, though a little awkward when tipping and they're standing over you staring as you go to push the 10- no, 15- no, [gulp] 20% button. Maybe that's why they don't tip much in Europe.

      That said, there's a reason why the US is moving to Chip & Signature cards, but not Chip & PIN. The banks will tell you it's because they don't want to confuse or scare their customers who can't learn new systems, but the real answer is that legally, if there's fraud on regular credit cards or chip & signature, the banks can charge it back to the merchant, who must have failed to verify the signature or ID of the purchaser. If there's fraud on chip & PIN cards, legally, the banks have to eat it. So they're not moving to that until they have to.

  2. Come on... by frank_adrian314159 · Score: 1, Interesting

    I could see the big bad CEOs being scared when Jobs was in charge, but Cook?

    God, bankers are even bigger pussies than I thought.

    --
    That is all.
  3. Re:Calculated risk by ShanghaiBill · Score: 3, Interesting

    For credit cards, frauds are nothing to banks. They just pay it from their profits

    No. Nearly all the cost of fraud is pushed onto the merchants, who pass it on to consumers in the form of higher prices. So you are paying for credit card fraud even if you pay cash.

    This is the problem with credit card fraud. The banks are in the best position to fix the problem, but have little incentive to do so, since they don't bear the cost.