Bank's Weak Apple Pay Back-End Security Systems Led to Fraud
Apple aimed to solve the issue of stolen credit cards by working with the card networks to mask the user's information by issuing a one-time code for each purchase. However, this doesn't prevent thieves from loading already stolen cards into the service. Banks are using an assortment of methods to authenticate cardholder identity on Apple Pay, including sending a verification text to the customer. That is considered a fairly secure method because a fraudster who has stolen card information likely doesn't have possession of the victim's phone, reports the Wall Street Journal (WSJ). That's really the bottom line and yet the bulk of the WSJ report attempts to put the Apple Pay service in a dark light when really the fraudulent activity is due to weak banking policies and security procedures.
The heart of the problem in the Wall Street Journal's report rests with the huge breaches in security that occurred at Home Depot, Target and others over the past year. We all read about these huge breaches and just expected that these companies along with their banks would issue new credit or debit cards to users to safeguard against fraud.
In the case of Home Depot, 53 million email addresses and payment card data was stolen. At the time Home Depot stated that the file containing the email addresses did not contain passwords or other sensitive personal information. And yet these hackers have reportedly found a way to use the stolen card information using Apple Pay?
The report notes that the Apple Pay system itself hasn't been penetrated by hackers. Rather, fraudsters are entering stolen card data into phones, which can then be used to make purchases without a physical card being present. That's not an Apple Pay defect; it's a banking process defect. And yet the WSJ continued to slant the story in a negative light against Apple Pay whenever possible. The report noted that "The bogus purchases are a setback for Apple's high-profile foray into electronic payments, even though banks are responsible for verifying customer information before cards can be used with phones." So because of a banking system failure, it's twisted to being an Apple Pay setback?
Jeff Siekman, director of payments and commerce solutions products at Fifth Third Bancorp, a large regional bank that is based in Cincinnati straight out admitted that "There is a trail of fraudulent activity as a result of these larger breaches [like Home Depot] and our job is to catch that in the process."
Yes, the banks and their policies are to blame here, not Apple Pay. The report even acknowledges that the credit card companies figure that the cost of potential fraud is often less than giving each customer a new card. The costs of such fraud are borne by the banks because cardholders aren't responsible for unauthorized purchases.
The WSJ report notes that "Apple has earned a reputation for holding suppliers and partners to its exacting standards. In this instance, Apple left the process of verifying questionable cards to the banks' discretion.
Some banks get it right, some don't. But again it goes back to the problem being one stemming from the banks. Some ask customers to enter additional data to confirm their identities. A few banks require customers to log into their online accounts to authorize the Apple Pay service. Sometimes, customers are asked to call customer-service representative to set up cards.
In the end, banks are trying to stem the Apple Pay fraud by tightening their verification procedures to load card data into Apple Pay. It's a security problem for the banks and it really has nothing to do with a security problem with Apple Pay itself. As Apple's spokesman stated for the WSJ report, "Apple Pay is designed to be extremely secure and protect a user's personal information."
While the WSJ report tried to play it down the line, it still put the slant on this being an Apple Pay problem and presented two photos showing an iPhone 6 being used in a retail transaction where there isn't a problem. I'm sure such a story will play well for Apple's competitors with their upcoming Samsung Pay or Google Pay wannabe services to use against Apple – when the onus really has to be put back on the banks that need to get their security act together.
In September, Apple's Eddy Cue introduced Apple Pay. During his introduction, at around the 7 minute mark, Cue mentioned how entering a new credit card into Apple Pay was handled. Cue stated that "You use your iPhone iSight camera … we take a picture of the card, gather all the information, go to your bank and verify that that's your card and we add it right to Passbook."
It's at the juncture in the verification process where the banks should be saying, oops, that's a stolen credit card number and stop it from being entered into Apple's Passbook. Obviously the banks aren't "verifying" the card numbers with the needed scrutiny that the process demands.
A Reminder about Supporting Patently Apple: Hi guys. One or two months a year we remind our fans that interacting with our site ads is how we get paid. We don't plaster our site with tons of ads to keep the site clean, but we do need your participation in clicking on a few ads whenever you visit our site to keep us going every month. Thanking you in advance for your participation and support.
Comments