Slashdot Mirror


Fraud Rampant In Apple Pay

PvtVoid writes with this report from the New York Times, excerpting: An industry consultant, Cherian Abraham, put the fraud rate [for Apple Pay] at 6 percent, compared with a traditional credit card fraud rate that is relatively minuscule, 10 cents for every $100 spent. [i.e. one tenth of one percent]. The vulnerability in Apple Pay is in the way that it — and card issuers — "onboard" new credit cards into the system. Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process "frictionless," the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early. The banks, desperate to become their customers' default card on Apple Pay — most add only one to their iPhones — did little to build their own defenses or to push Apple to provide more detailed information about its customers. Some bank executives acknowledged that they were so scared of Apple that they didn't speak up.

9 of 269 comments

  1. Aren't these already compromised cards? by Galaga88 · · Score: 5, Interesting

    The story doesn't really indicate how this could be much of Apple's problem - it sounds like the cards that are getting used are already stolen?

    I guess what's happening is criminals are getting stolen CC info, and are then able to use it in a physical environment via Apple Pay where it previously would have required printing a forged card?

    The article mentions that it's easier to get away with fraud in person because the lack of shipping delay leaves less time to catch it, which shows why they'd be so eager to jump to a method like this.

    1. Re:Aren't these already compromised cards? by rgbscan · · Score: 5, Interesting

      This is exactly what it is. Already compromised cards being added as payment token. Banks are supposed to follow a protocol called "Yellow path" to prevent this fraud, but since everyone wants their ApplePay to work right away without having to call a call center, a lot of banks are lenient on the security checks. This is not a problem with Apple's technology, or the secure element on the phone, or the fingerprint reader. This is a bank allowing a card to be added to an ewallet, presumably because the party adding the card has all the relevant info (stolen identity) to make it work.

    2. Re:Aren't these already compromised cards? by Ronin Developer · · Score: 5, Informative

      I read another article on this. As the article tries to expose, the fault lies not in Apple Pay, but rather in (as the article suggests), the process by which cards are authorized for use with Apple Pay during the onboarding process. There are two paths, the Green Path and the Yellow Path when authorizing a card. The difference is the types of information collected and passed. Most cards go down the Green path. But, when a card has incomplete information, it goes down the Yellow path and is subject to less stringent and, sometimes, manual intervention. It is down this pathway where the fraud occurs.

      While a card is being approved during the Yellow pathway, the card can be used using the card number, expiration date and, not always, the security check value.

      It is up to the banks and card issuers to secure their onboarding process. Apple (via Apple Pay) is not responsible for ensuring this takes place. Thankfully, the fraud is easy to detect and remedy. Next year, when our cards all have chips in them, the exposure via the Yellow Path will all be eliminated.

      Apple supporters were right to call out Mr. Abraham - he is biased and attempting to create FUD against Apple and Apple Pay. The real fault and finger pointing needs to be directed to the banks and they need to get their houses in order.

    3. Re:Aren't these already compromised cards? by DogDude · · Score: 5, Insightful

      It's easier to punch stolen numbers into a phone than it is to print up an actual card. When chip + pin happens, all of the criminals will be using Apple Pay.

      --
      I don't respond to AC's.
    4. Re:Aren't these already compromised cards? by jellomizer · · Score: 5, Insightful

      So if you use Apple Pay, you have less of a chance of getting YOUR credit card data stolen... However if your credit card had already been stolen, Apple Pay means there is a higher chance of it getting used. Because you won't need to face someone who may question your identity.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:Aren't these already compromised cards? by Austerity Empowers · · Score: 5, Informative

      ...and stop calling me Shirley.

    6. Re: Aren't these already compromised cards? by Lumpy · · Score: 5, Funny

      Actually an Apple employee will show up and push you off the cliff if you don't jump. It's a part of the customer care program.

      --
      Do not look at laser with remaining good eye.
  2. Simplicity? by serviscope_minor · · Score: 5, Informative

    How on earth does Apple Pay have more simplicity than a credit card? Here's how it works with a credit card:

    1. Touch card or even whole wallet on reader.
    2. Done!

    And for more expensive transactions (over 20GBP, soon to be 30):

    1. Insert card.
    2. Enter PIN.
    3. Done.

    It doesn't get much simpler than the first one, really. I don't even have to extract my card.

    --
    SJW n. One who posts facts.
  3. Re: accounts by BitZtream · · Score: 5, Informative

    My bank and CC companies verified my request to add the card to ApplePay after I added it to my phone but before it was usable.

    I had to log in to THEIR sites, not Apple's.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager