57 comments

[ 3.1 ms ] story [ 109 ms ] thread
TL;DR:

Apple wanted getting on Apple Pay to be as easy as possible. Banks decided supporting Apple Pay was more important than being able to implement good fraud protection. Banks now have to deal with a magnitude higher fraud rates.

Are these particularly high fraud rates for NFC transactions, though? Or online transactions? Or even telephone (as in reading one's card number out loud) transactions?

I would imagine that anything abstracting the physical card away ends up with a significantly higher fraud rate, but the only numbers we're given are for Apple Pay specifically and for all credit card transactions in total.

Online and phone transactions require shipping a product. Being able to walk out with the stolen products is much more practical.
(comment deleted)
Flashing an iPhone provides social engineering cachet in the sorts of small businesses that will implement Apple Pay. "You take Apple Pay, I have an iPhone, we are brothers of another mother."
Regular NFC(Visa PayWave/Mastercard PayPass) are limited to a certain amount per transaction(25 pounds in UK, not sure how much in US), and you can only do 5 until it asks for your PIN. So there is simply very little incentive to be stealing NFC data for those systems,because you can't use it to steal high-value items. With Apple Pay, you can pay for anything, and there is pretty much no verification. You can use any card number to purchase items in stores,so there is nothing stopping you from using a stolen card to walk out of Wallmart with a $1000 TV.
no verification?

Apple Pay requires Touch ID on use.

Yes, but the verification is tied to the phone, not the card. The way this fraud works is that fraudster has their "own" iPhone, then "loads" single or multiple stolen card details (perhaps obtained by mail intercept / redirect of new or reissued cards). The beauty of this from a fraudsters perspective is that you could have a whole deck of cards (all associated with different providers and individual victims) in your Appple Pay wallet and if one gets declined, well, cycle to the next. It's not like the teller sees the card name, just a secondary wave of the (apparently) legitimate customers phone. It's a beautifully anonymous customer journey for a fraudster in any busy physical retail environment.

Edited for grammer

Interesting. In Australia, I think the limit is $50 (which is about the same in pounds) but there's no entering your PIN number every 5 transactions.

This is in the country that has the highest adoption of contactless payments.

Last I checked the limit was now $100, or could be different per provider. I have been asked for my pin on some occasions, mainly when doing a large transaction (IIRC).
I know PNC requires a phone call to activate your PNC Debit / Credit cards on Apple devices.

Sure it takes more time (a phone call to a rep during business hours) but I'm willing to bet that their fraud is much, much lower.

kind of interesting that fraud is about 0.1% of revenue. Kind of says a lot about the margins behind being a payment processor.
Fraud rate is 0.1% Fraud rate of Apple Pay is 6% that is 600 times higher. The NYT places the Banks at a higher fault because they should know better. I place blame on the strong arm tactics that Apple uses on every deal they make.
Normally I'd agree with you, except if ANYONE could stand up to Apple's "strong arm" tactics, it'd be freaking Bank of America and Wells Fargo.
Although that 6% figure is completely unsourced, unverified, and comes from someone employed by a competitor. So...
An industry consultant does not equal a competitor. It is 100% source and is 100% not verified nor can it be verified. Except if the banks came out and said it. This is standard journalism practice when there is a problem with something that can't be normally verified.

To Quote the blog that first reported the story and linke din the NYT article, "No one, is bold enough to call the emperor naked." http://www.droplabs.co/?p=1231

This is the whole bases and point of the article.

In this thread there are two accounts describing how some banks require extra verification before their cards can be added to Apple Pay... and sombe banks don't.

Apparently, Apple gave the banks the hooks they needed to eliminate the type of fraud the article describes but they didn't do it.

How is this Apple's fault?

To quote someone that the article links to: http://www.droplabs.co/?p=1231

"Isn’t this a Bank problem? And don’t that absolve Apple and Networks of their responsibility in this?

"It is unconscionable that Apple did not, and was not strongly advised by its partners – to make the Yellow Path implementation (by an issuer) mandatory sooner than it did – which was 4 weeks before AP launch. "

"unconscionable" that banks should be expected to understand security well enough to know that not using any verification was stupid?

It was mandatory 4 weeks before the launch, so it's been 6 months since then... and yet we're seeing how banks haven't bothered to fix it?

I think Apple could have said something sooner, but in order to throw the word "unconscionable" around, I think that they would have to have done something deliberate or secretive.

I view that 90% of this rests directly on the banks' shoulders for not implementing good security in the first place, then sitting on not implementing it for months.

It's a good observation, but I was trying to work out what this actually says.

I read this as being fraud accounts for 0.1% of the value of all handled transactions. The transaction fees of a payment processor seem to vary between about 1% and 2.5%(although this may differ for CNP scenarios).

Let's assume 2.5%, so fraud accounts for 4% (0.1%/2.5%) of the payment processor's fees. Intuitively, this doesn't feel too bad.

However, I'm not actually sure what that says about how much the payment processor spends on _preventing_ fraud (and so how this impacts their margins). I think all we can really say is that they're likely to be at or near an equilibrium where if they aimed for less fraud it would have a negative impact on their business.

This might not even be due to having to spend more money. For example, as you make your detection sensitivity higher, you're more likely to have false positives and reject valid transactions. In turn, this is likely to drive customers away from your payment processor towards your competitors.

Maybe a certain level of fraud is just a cost of doing business?

Just some thoughts...

Founder at a small payment processor. Most of the risk for fraud is shifted to the merchant or payer (small transactions, not reported quickly... terms in the cardholder agreement). The processor is usually only on the line for refunding fees in the original transaction... there are a few exceptions (i.e. merchant doesn't have money in the bank when the payment is pulled back and heads for the hills).

Also, there are many, many fingers in the pie.

I think Apple is getting too much slack. They made it way to easy to add a new credit card.
Some Credit Card issuing banks actually went through verification process when a card was aadded to Apple Pay. For example, a colleague added her United Airlines MileagePlus Club Card. She had to verify her identity before the card was approved for Apple Pay.

Meanwhile, another credit card issuing bank which shall remain unnamed, did not go through the verification process when the card was added to Apple Pay.

No, name it. Why should known bad players go unnamed? They're the ones which will ramp up the cost of doing business because they get defrauded, and you can bet it's not coming off their yacht bills.
why would it be un-named? are you employed by them or something? It would be nice to know who has no verification more than anything.
No, I am not employed by any financial institutions.

At that time my colleague added her Wells Fargo card to Apple Pay and it went through without any notifications from the bank. She has been using this card with iTunes store though.

Another colleague added her F&A Federal Credit Union card and went through with little notifications.

First National Bank of Omaha notifies the email address on file that that the card is added to Apple Pay.

US Bank actually sends a letter via mail that the card was added to Apple Pay.

This could change by now.

> Meanwhile, another credit card issuing bank which shall remain unnamed, did not go through the verification process when the card was added to Apple Pay.

No, you need to name the bank. Seriously.

Perhaps so, but you won't catch me complaining about that.
They made it as easy as the banks allowed them to, some banks require bank login details, some require a call, and some require nothing. The ones in the last two groups are the ones that will be effected not the first (Unless the thief has your bank login and then you're just fucked).
US Bank required a call to customer service to activate Apple Pay. I don't remember what exactly I had to verify once on the phone, but it wasn't as simple as adding a card number to a phone.

The only place I've been able to use Apple Pay so far is Whole Foods and I'm pretty sure it takes a little bit longer than swiping my card. It also feels like showing off for some reason, like "look at what I can do".

"I'm pretty sure it takes a little bit longer than swiping my card."

It probably does, but swiping your card is about as insecure as a transaction can be. (Thieves love it though - they break into POS systems and there are tons of mag stripe details.)

However, as time goes by you'll have to enter a PIN (as we do in the UK) which is a bit slower - perhaps slower than Apple Pay.

I can't believe that buying a device for several hundred dollars, signing up for a cellular contract, entering a stolen credit card number, and then tricking a customer service rep is supposedly easier than just swiping a card with a fake magnetic strip?

Shouldn't it be trivial for Apple to block devices with fraudulent transactions from using Apple Pay?

Yes, only if the issuing bank flagged it.
There's also the bit where you don't need the original card to shop. Overall the system seems secure with the exception of being able to punch in anyone's card and use it without needing the card again.

Nonetheless, you can keep it easy and get loads of people on board first before making it tougher.

You don't need a cellular contract - and the simcard is presumably stolen as well or a pre-pay account created under a fake name.
You don't even need an active sim card to activate a phone. As long as there's a sim card in the tray, the iPhone will activate.
There's probably much less friction for someone who say works as a waiter to start stealing cards by snapping photos with their iPhone vs buying a card skimmer, learning to use it, etc.
I would also think the risk is pretty high.

Unless you’re very careful, your phone (i.e. Apple) has your identity, so if you add stolen credit cards to Apple Pay, and those cards are flagged as stolen, it should be possible to figure out who tried to use them.

It also seems like a simple one-time password sent to the mobile phone number that the bank has on record, as a mandatory step when adding a credit card to Apple Pay, would effectively make it impossible to add stolen credit cards.

The article makes it sound like it’s up to the bank to accept or deny a credit card, once added, so I would assume the bank can do this even without cooperation from Apple.

In a new edition of our recurring series: "Apple sacrifices shit for usability", we will explore why Apple fucked up security once again.
Did they, though?

I have two cards in Apple Pay, a Capital One credit card and a Wells Fargo debit card. When I added my Capital One card I was asked to log into their mobile app to verify the card. This seems highly secure. Someone may have my stolen credit card details, but they're not going to have my banking passwords (if they did, I'd have bigger things to worry about).

Wells Fargo didn't even offer that as an option. They had me ring up a call center. Apple provided secure ways to verify identity, but only one of my two banks seems to have been bothered to implement them.

To be fair it's not Apple that's at fault here, but it is a problem that manifests itself around the Apple brand, so it is very much an Apple problem.

There is also another more recent issue which hasn't been picked up yet (apart from by one particularly insightful writer [0]) -- Apple Pay tokens can be grabbed from iPhones and spent later (and at any amount) by anyone wielding an Android NFC device running a particular publicly available app. While presented by the author of this app as a bit of fun, it is also a POC for a relay attack against Apple Pay.

This also applies to Google Wallet, as it exploits a problem that lies with the Visa software in contactless terminals in the US. Again, it's not a problem with Apple Pay but it is a problem for Apple Pay.

[0] http://www.nfcworld.com/2015/03/03/334455/spotme-app-lets-an...

The lesson is the same: Apple doesn't partner with other companies. Large as a bank wanting to cash in on Apple pay or small as a developer in their garage panning for a bonanza in the app store, it's Apple's ball and bat and wickets. Even if Real Madrid and Manchester United show up, Ronaldo and Rooney are getting innings not stoppage time.
Like many disruptors, Apple isn't offering a 100% complete business and technological model for their partners. They're offering a new way of thinking about traditional services and a family of integrated computing products with which to deploy those services.

The business partners can't just expect to do nothing to be a part of a game-changing service. They'll need to adapt their technologies, business models, expectations, etc.

(comment deleted)
Cricket is hardly disruptive. Apple's market position allows it forgo B2B relationships based on the goal of mutual success.
What is Cricket? I googled "apple cricket" and nothing interesting came up. I'm not sure what point you're trying to make.
May I suggest reading my top comment beyond the first sentence now?
Oh, sorry, that latter sentence of your original post made absolutely no sense to me. First time through, I had even read it several times but figured it was some obscure sport reference and I just stuck with stuck with my contention of your statement that 'Apple doesn't partner with other companies'.
It is good to see that kind of go getter attitude. I wish more people would argue against things they don't understand.
It wasn't my fault that your statement was easy to refute.

After that, I just chalked the poorly-worded obscure sport reference up to poor communication skills.

This all certainly makes for an interesting case study in security tradeoffs.

I wonder if the numbers cited in the article about the rates of "traditional" credit card fraud (said to be 0.1%) include the massive costs borne by retailers, banks, and customers after the Target and Home Depot breaches and other similar compromises, scenarios that Apple Pay was well-designed to prevent.

Of course, the 6% Apple Pay fraud rate is also magnified by the fact that the fraudsters of course took to this new system far far faster than regular consumers. Once more retailers and banks support Apple Pay, the relative proportion of fraud will drop. In the next two years as most Americans replace their existing Android and iOS phones with ones capable of low-friction NFC payments and awareness increases, the use of this technology will likely take off.

Ultimately it sounds like best practice for individuals is to use a new credit card for Apple Pay, and not one that you ever use online or particularly in restaurants.

I don't see how you arrive at your "best practice" advice, given the information in the article. How would it address the problem in any way?
smacks forehead You're right, it wouldn't. Nevermind. :)
Your 'best practice' shows that you don't understand the problem here.

ApplePay poses no risk to you unless your card numbers have already been stolen.

If they have been stolen, some banks aren't doing enough to check this before allowing them to be enrolled in ApplePay, so ApplePay is being used by criminals to buy goods using stolen card numbers.

That's it.

Owner of several Apple products. I never cared for the idea of Apple pay for one reason. I did not need one more touch point to deal with. People claim Apple pay simplifies buying but I am of the opinion I don't want any more people with that access to my credit information than I already have.

Yeah it might be able to provide a layer of anonymity that Paypal does for online purchases but I still end up with a service authorized to use my card.

What I do want and some CC services can provide is instant messaging of when the card is charged.

You seem to fail to recognize that every time you make a payment with your credit card, you create "one more touch point to deal with" - every shady taxi driver, every hole in the wall restaurant, every employee making $5/hour who just started that day - you are handing your credit card information (and cvv) to them. And, if they ask for ID, there is a non-zero chance that you are giving them your billing information as well.

The value to users of Apple Pay, is that all disappears. They don't get anything useful, you never give them your credit card information, and the token they do get, is only good for that purchase.

Apple pay is a huge leap forward in security, for the card holder - not necessarily for the banks though, if they don't actually verify that the number going into the phone is owned by the cardholder.

Google Wallet's NFC payments immediately send an email receipt. It works pretty well.