Slashdot Mirror


Fraud Rampant In Apple Pay

PvtVoid writes with this report from the New York Times, excerpting: An industry consultant, Cherian Abraham, put the fraud rate [for Apple Pay] at 6 percent, compared with a traditional credit card fraud rate that is relatively minuscule, 10 cents for every $100 spent. [i.e. one tenth of one percent]. The vulnerability in Apple Pay is in the way that it — and card issuers — "onboard" new credit cards into the system. Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process "frictionless," the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early. The banks, desperate to become their customers' default card on Apple Pay — most add only one to their iPhones — did little to build their own defenses or to push Apple to provide more detailed information about its customers. Some bank executives acknowledged that they were were so scared of Apple that they didn't speak up.

4 of 269 comments (clear)

  1. Aren't these already compromised cards? by Galaga88 · · Score: 5, Interesting

    The story doesn't really indicate how this could be much of Apple's problem - it sounds like the cards that are getting used are already stolen?

    I guess what's happening is criminals are getting stolen CC info, and are then able to use it in a physical environment via Apple Pay where it previously would have required printing a forged card?

    The article mentions that it's easier to get away with fraud in person because the lack of shipping delay leaves less time to catch it, which shows why they'd be so eager to jump to a method like this.

    1. Re:Aren't these already compromised cards? by rgbscan · · Score: 5, Interesting

      This is exactly what it is. Already compromised cards being added as payment token. Banks are supposed to follow a protocol called "Yellow path" to prevent this fraud, but since everyone wants their ApplePay to work right away without having to call a call center, a lot of banks are lenient on the security checks. This is not a problem with Apple's technology, or the secure element on the phone, or the fingerprint reader. This is a bank allowing a card to be added to an ewallet, presumably because the party adding the card has all the relevant info (stolen identity) to make it work.

    2. Re:Aren't these already compromised cards? by _xeno_ · · Score: 4, Interesting

      It may not be Apple's fault (exactly), but it sure as hell is their problem. If more than 1 in 20 ApplePay transactions are fraudulent, what merchant in their right mind is going to accept it as a payment method? (Remember that fraud is paid by the merchants, not the banks.)

      Even if it isn't Apple's fault, it sure is their problem to solve.

      --
      You are in a maze of twisty little relative jumps, all alike.
    3. Re: Aren't these already compromised cards? by slew · · Score: 4, Interesting

      Apples' implementation IS more *convenient* for the *fraudulent* user.

      FTFY. By hiding some of the transaction information from the banks that clear the transactions, the fraud detection heuristics used by banks are less effective. By requiring no physical trace of the transaction, the merchants don't have any incentive to intervene to avoid chargebacks thus making it easier those in possession of stolen card numbers to rack up charges.

      Actually this was quite predictable (and predicted by several industry folks), but fear of being left off the ship that was going to sail basically led the banks to just hope for the best as a cost of doing business.

      Reminds me of a story a co-worker told me. Back many moons ago (~20years ago), he was a field engineer for mainframes. One day he got an emergency call from a customer that needed a mainframe fixed as some ridiculous hour of the morning. When he got there, his boss was there along with a half-a-dozen Bank presidents in suits in the computer room hovering and watching him work.

      Later he found out from his boss that it was a mainframe that did real-time credit card approvals and the bank was basically approving nearly all transactions blind whilst they waited for the computer to be fixed. The theory was that if they didn't do this, people would just take out another card and they would lose all the business for potentially several days (the once bitten twice shy on c-c declines). Apparently all the Bank presidents were there as part of an agreement to verify if he wasn't able to fix the computer within that hour, they would start denying large transactions and they expected to lose tens of millions dollars in lost merchant fees if they did that (and something like that needed their immediate approval). That's why his boss didn't tell him that before he started working on the machine. No pressure...