Apple wanted getting on Apple Pay to be as easy as possible. Banks decided supporting Apple Pay was more important than being able to implement good fraud protection. Banks now have to deal with a magnitude higher fraud rates.
Are these particularly high fraud rates for NFC transactions, though? Or online transactions? Or even telephone (as in reading one's card number out loud) transactions?
I would imagine that anything abstracting the physical card away ends up with a significantly higher fraud rate, but the only numbers we're given are for Apple Pay specifically and for all credit card transactions in total.
Flashing an iPhone provides social engineering cachet in the sorts of small businesses that will implement Apple Pay. "You take Apple Pay, I have an iPhone, we are brothers of another mother."
Regular NFC(Visa PayWave/Mastercard PayPass) are limited to a certain amount per transaction(25 pounds in UK, not sure how much in US), and you can only do 5 until it asks for your PIN. So there is simply very little incentive to be stealing NFC data for those systems,because you can't use it to steal high-value items. With Apple Pay, you can pay for anything, and there is pretty much no verification. You can use any card number to purchase items in stores,so there is nothing stopping you from using a stolen card to walk out of Wallmart with a $1000 TV.
Yes, but the verification is tied to the phone, not the card. The way this fraud works is that fraudster has their "own" iPhone, then "loads" single or multiple stolen card details (perhaps obtained by mail intercept / redirect of new or reissued cards). The beauty of this from a fraudsters perspective is that you could have a whole deck of cards (all associated with different providers and individual victims) in your Appple Pay wallet and if one gets declined, well, cycle to the next. It's not like the teller sees the card name, just a secondary wave of the (apparently) legitimate customers phone. It's a beautifully anonymous customer journey for a fraudster in any busy physical retail environment.
Last I checked the limit was now $100, or could be different per provider. I have been asked for my pin on some occasions, mainly when doing a large transaction (IIRC).
Fraud rate is 0.1% Fraud rate of Apple Pay is 6% that is 600 times higher. The NYT places the Banks at a higher fault because they should know better. I place blame on the strong arm tactics that Apple uses on every deal they make.
An industry consultant does not equal a competitor. It is 100% source and is 100% not verified nor can it be verified. Except if the banks came out and said it. This is standard journalism practice when there is a problem with something that can't be normally verified.
To Quote the blog that first reported the story and linke din the NYT article, "No one, is bold enough to call the emperor naked." http://www.droplabs.co/?p=1231
In this thread there are two accounts describing how some banks require extra verification before their cards can be added to Apple Pay... and sombe banks don't.
Apparently, Apple gave the banks the hooks they needed to eliminate the type of fraud the article describes but they didn't do it.
"Isn’t this a Bank problem? And don’t that absolve Apple and Networks of their responsibility in this?
"It is unconscionable that Apple did not, and was not strongly advised by its partners – to make the Yellow Path implementation (by an issuer) mandatory sooner than it did – which was 4 weeks before AP launch. "
"unconscionable" that banks should be expected to understand security well enough to know that not using any verification was stupid?
It was mandatory 4 weeks before the launch, so it's been 6 months since then... and yet we're seeing how banks haven't bothered to fix it?
I think Apple could have said something sooner, but in order to throw the word "unconscionable" around, I think that they would have to have done something deliberate or secretive.
I view that 90% of this rests directly on the banks' shoulders for not implementing good security in the first place, then sitting on not implementing it for months.
It's a good observation, but I was trying to work out what this actually says.
I read this as being fraud accounts for 0.1% of the value of all handled transactions. The transaction fees of a payment processor seem to vary between about 1% and 2.5%(although this may differ for CNP scenarios).
Let's assume 2.5%, so fraud accounts for 4% (0.1%/2.5%) of the payment processor's fees. Intuitively, this doesn't feel too bad.
However, I'm not actually sure what that says about how much the payment processor spends on _preventing_ fraud (and so how this impacts their margins). I think all we can really say is that they're likely to be at or near an equilibrium where if they aimed for less fraud it would have a negative impact on their business.
This might not even be due to having to spend more money. For example, as you make your detection sensitivity higher, you're more likely to have false positives and reject valid transactions. In turn, this is likely to drive customers away from your payment processor towards your competitors.
Maybe a certain level of fraud is just a cost of doing business?
Founder at a small payment processor. Most of the risk for fraud is shifted to the merchant or payer (small transactions, not reported quickly... terms in the cardholder agreement). The processor is usually only on the line for refunding fees in the original transaction... there are a few exceptions (i.e. merchant doesn't have money in the bank when the payment is pulled back and heads for the hills).
Some Credit Card issuing banks actually went through verification process when a card was aadded to Apple Pay.
For example, a colleague added her United Airlines MileagePlus Club Card. She had to verify her identity before the card was approved for Apple Pay.
Meanwhile, another credit card issuing bank which shall remain unnamed, did not go through the verification process when the card was added to Apple Pay.
No, name it. Why should known bad players go unnamed? They're the ones which will ramp up the cost of doing business because they get defrauded, and you can bet it's not coming off their yacht bills.
No, I am not employed by any financial institutions.
At that time my colleague added her Wells Fargo card to Apple Pay and it went through without any notifications from the bank. She has been using this card with iTunes store though.
Another colleague added her F&A Federal Credit Union card and went through with little notifications.
First National Bank of Omaha notifies the email address on file that that the card is added to Apple Pay.
US Bank actually sends a letter via mail that the card was added to Apple Pay.
> Meanwhile, another credit card issuing bank which shall remain unnamed, did not go through the verification process when the card was added to Apple Pay.
They made it as easy as the banks allowed them to, some banks require bank login details, some require a call, and some require nothing. The ones in the last two groups are the ones that will be effected not the first (Unless the thief has your bank login and then you're just fucked).
US Bank required a call to customer service to activate Apple Pay. I don't remember what exactly I had to verify once on the phone, but it wasn't as simple as adding a card number to a phone.
The only place I've been able to use Apple Pay so far is Whole Foods and I'm pretty sure it takes a little bit longer than swiping my card. It also feels like showing off for some reason, like "look at what I can do".
"I'm pretty sure it takes a little bit longer than swiping my card."
It probably does, but swiping your card is about as insecure as a transaction can be. (Thieves love it though - they break into POS systems and there are tons of mag stripe details.)
However, as time goes by you'll have to enter a PIN (as we do in the UK) which is a bit slower - perhaps slower than Apple Pay.
I can't believe that buying a device for several hundred dollars, signing up for a cellular contract, entering a stolen credit card number, and then tricking a customer service rep is supposedly easier than just swiping a card with a fake magnetic strip?
Shouldn't it be trivial for Apple to block devices with fraudulent transactions from using Apple Pay?
There's also the bit where you don't need the original card to shop. Overall the system seems secure with the exception of being able to punch in anyone's card and use it without needing the card again.
Nonetheless, you can keep it easy and get loads of people on board first before making it tougher.
There's probably much less friction for someone who say works as a waiter to start stealing cards by snapping photos with their iPhone vs buying a card skimmer, learning to use it, etc.
Unless you’re very careful, your phone (i.e. Apple) has your identity, so if you add stolen credit cards to Apple Pay, and those cards are flagged as stolen, it should be possible to figure out who tried to use them.
It also seems like a simple one-time password sent to the mobile phone number that the bank has on record, as a mandatory step when adding a credit card to Apple Pay, would effectively make it impossible to add stolen credit cards.
The article makes it sound like it’s up to the bank to accept or deny a credit card, once added, so I would assume the bank can do this even without cooperation from Apple.
I have two cards in Apple Pay, a Capital One credit card and a Wells Fargo debit card. When I added my Capital One card I was asked to log into their mobile app to verify the card. This seems highly secure. Someone may have my stolen credit card details, but they're not going to have my banking passwords (if they did, I'd have bigger things to worry about).
Wells Fargo didn't even offer that as an option. They had me ring up a call center. Apple provided secure ways to verify identity, but only one of my two banks seems to have been bothered to implement them.
To be fair it's not Apple that's at fault here, but it is a problem that manifests itself around the Apple brand, so it is very much an Apple problem.
There is also another more recent issue which hasn't been picked up yet (apart from by one particularly insightful writer [0]) -- Apple Pay tokens can be grabbed from iPhones and spent later (and at any amount) by anyone wielding an Android NFC device running a particular publicly available app. While presented by the author of this app as a bit of fun, it is also a POC for a relay attack against Apple Pay.
This also applies to Google Wallet, as it exploits a problem that lies with the Visa software in contactless terminals in the US. Again, it's not a problem with Apple Pay but it is a problem for Apple Pay.
The lesson is the same: Apple doesn't partner with other companies. Large as a bank wanting to cash in on Apple pay or small as a developer in their garage panning for a bonanza in the app store, it's Apple's ball and bat and wickets. Even if Real Madrid and Manchester United show up, Ronaldo and Rooney are getting innings not stoppage time.
Like many disruptors, Apple isn't offering a 100% complete business and technological model for their partners. They're offering a new way of thinking about traditional services and a family of integrated computing products with which to deploy those services.
The business partners can't just expect to do nothing to be a part of a game-changing service. They'll need to adapt their technologies, business models, expectations, etc.
Oh, sorry, that latter sentence of your original post made absolutely no sense to me. First time through, I had even read it several times but figured it was some obscure sport reference and I just stuck with stuck with my contention of your statement that 'Apple doesn't partner with other companies'.
This all certainly makes for an interesting case study in security tradeoffs.
I wonder if the numbers cited in the article about the rates of "traditional" credit card fraud (said to be 0.1%) include the massive costs borne by retailers, banks, and customers after the Target and Home Depot breaches and other similar compromises, scenarios that Apple Pay was well-designed to prevent.
Of course, the 6% Apple Pay fraud rate is also magnified by the fact that the fraudsters of course took to this new system far far faster than regular consumers. Once more retailers and banks support Apple Pay, the relative proportion of fraud will drop. In the next two years as most Americans replace their existing Android and iOS phones with ones capable of low-friction NFC payments and awareness increases, the use of this technology will likely take off.
Ultimately it sounds like best practice for individuals is to use a new credit card for Apple Pay, and not one that you ever use online or particularly in restaurants.
Your 'best practice' shows that you don't understand the problem here.
ApplePay poses no risk to you unless your card numbers have already been stolen.
If they have been stolen, some banks aren't doing enough to check this before allowing them to be enrolled in ApplePay, so ApplePay is being used by criminals to buy goods using stolen card numbers.
Owner of several Apple products. I never cared for the idea of Apple pay for one reason. I did not need one more touch point to deal with. People claim Apple pay simplifies buying but I am of the opinion I don't want any more people with that access to my credit information than I already have.
Yeah it might be able to provide a layer of anonymity that Paypal does for online purchases but I still end up with a service authorized to use my card.
What I do want and some CC services can provide is instant messaging of when the card is charged.
You seem to fail to recognize that every time you make a payment with your credit card, you create "one more touch point to deal with" - every shady taxi driver, every hole in the wall restaurant, every employee making $5/hour who just started that day - you are handing your credit card information (and cvv) to them. And, if they ask for ID, there is a non-zero chance that you are giving them your billing information as well.
The value to users of Apple Pay, is that all disappears. They don't get anything useful, you never give them your credit card information, and the token they do get, is only good for that purchase.
Apple pay is a huge leap forward in security, for the card holder - not necessarily for the banks though, if they don't actually verify that the number going into the phone is owned by the cardholder.
57 comments
[ 3.1 ms ] story [ 109 ms ] threadApple wanted getting on Apple Pay to be as easy as possible. Banks decided supporting Apple Pay was more important than being able to implement good fraud protection. Banks now have to deal with a magnitude higher fraud rates.
I would imagine that anything abstracting the physical card away ends up with a significantly higher fraud rate, but the only numbers we're given are for Apple Pay specifically and for all credit card transactions in total.
Apple Pay requires Touch ID on use.
Edited for grammer
This is in the country that has the highest adoption of contactless payments.
Sure it takes more time (a phone call to a rep during business hours) but I'm willing to bet that their fraud is much, much lower.
To Quote the blog that first reported the story and linke din the NYT article, "No one, is bold enough to call the emperor naked." http://www.droplabs.co/?p=1231
This is the whole bases and point of the article.
Apparently, Apple gave the banks the hooks they needed to eliminate the type of fraud the article describes but they didn't do it.
How is this Apple's fault?
"Isn’t this a Bank problem? And don’t that absolve Apple and Networks of their responsibility in this?
"It is unconscionable that Apple did not, and was not strongly advised by its partners – to make the Yellow Path implementation (by an issuer) mandatory sooner than it did – which was 4 weeks before AP launch. "
It was mandatory 4 weeks before the launch, so it's been 6 months since then... and yet we're seeing how banks haven't bothered to fix it?
I think Apple could have said something sooner, but in order to throw the word "unconscionable" around, I think that they would have to have done something deliberate or secretive.
I view that 90% of this rests directly on the banks' shoulders for not implementing good security in the first place, then sitting on not implementing it for months.
I read this as being fraud accounts for 0.1% of the value of all handled transactions. The transaction fees of a payment processor seem to vary between about 1% and 2.5%(although this may differ for CNP scenarios).
Let's assume 2.5%, so fraud accounts for 4% (0.1%/2.5%) of the payment processor's fees. Intuitively, this doesn't feel too bad.
However, I'm not actually sure what that says about how much the payment processor spends on _preventing_ fraud (and so how this impacts their margins). I think all we can really say is that they're likely to be at or near an equilibrium where if they aimed for less fraud it would have a negative impact on their business.
This might not even be due to having to spend more money. For example, as you make your detection sensitivity higher, you're more likely to have false positives and reject valid transactions. In turn, this is likely to drive customers away from your payment processor towards your competitors.
Maybe a certain level of fraud is just a cost of doing business?
Just some thoughts...
Also, there are many, many fingers in the pie.
Meanwhile, another credit card issuing bank which shall remain unnamed, did not go through the verification process when the card was added to Apple Pay.
At that time my colleague added her Wells Fargo card to Apple Pay and it went through without any notifications from the bank. She has been using this card with iTunes store though.
Another colleague added her F&A Federal Credit Union card and went through with little notifications.
First National Bank of Omaha notifies the email address on file that that the card is added to Apple Pay.
US Bank actually sends a letter via mail that the card was added to Apple Pay.
This could change by now.
No, you need to name the bank. Seriously.
The only place I've been able to use Apple Pay so far is Whole Foods and I'm pretty sure it takes a little bit longer than swiping my card. It also feels like showing off for some reason, like "look at what I can do".
It probably does, but swiping your card is about as insecure as a transaction can be. (Thieves love it though - they break into POS systems and there are tons of mag stripe details.)
However, as time goes by you'll have to enter a PIN (as we do in the UK) which is a bit slower - perhaps slower than Apple Pay.
Shouldn't it be trivial for Apple to block devices with fraudulent transactions from using Apple Pay?
Nonetheless, you can keep it easy and get loads of people on board first before making it tougher.
Unless you’re very careful, your phone (i.e. Apple) has your identity, so if you add stolen credit cards to Apple Pay, and those cards are flagged as stolen, it should be possible to figure out who tried to use them.
It also seems like a simple one-time password sent to the mobile phone number that the bank has on record, as a mandatory step when adding a credit card to Apple Pay, would effectively make it impossible to add stolen credit cards.
The article makes it sound like it’s up to the bank to accept or deny a credit card, once added, so I would assume the bank can do this even without cooperation from Apple.
I have two cards in Apple Pay, a Capital One credit card and a Wells Fargo debit card. When I added my Capital One card I was asked to log into their mobile app to verify the card. This seems highly secure. Someone may have my stolen credit card details, but they're not going to have my banking passwords (if they did, I'd have bigger things to worry about).
Wells Fargo didn't even offer that as an option. They had me ring up a call center. Apple provided secure ways to verify identity, but only one of my two banks seems to have been bothered to implement them.
There is also another more recent issue which hasn't been picked up yet (apart from by one particularly insightful writer [0]) -- Apple Pay tokens can be grabbed from iPhones and spent later (and at any amount) by anyone wielding an Android NFC device running a particular publicly available app. While presented by the author of this app as a bit of fun, it is also a POC for a relay attack against Apple Pay.
This also applies to Google Wallet, as it exploits a problem that lies with the Visa software in contactless terminals in the US. Again, it's not a problem with Apple Pay but it is a problem for Apple Pay.
[0] http://www.nfcworld.com/2015/03/03/334455/spotme-app-lets-an...
The business partners can't just expect to do nothing to be a part of a game-changing service. They'll need to adapt their technologies, business models, expectations, etc.
After that, I just chalked the poorly-worded obscure sport reference up to poor communication skills.
I wonder if the numbers cited in the article about the rates of "traditional" credit card fraud (said to be 0.1%) include the massive costs borne by retailers, banks, and customers after the Target and Home Depot breaches and other similar compromises, scenarios that Apple Pay was well-designed to prevent.
Of course, the 6% Apple Pay fraud rate is also magnified by the fact that the fraudsters of course took to this new system far far faster than regular consumers. Once more retailers and banks support Apple Pay, the relative proportion of fraud will drop. In the next two years as most Americans replace their existing Android and iOS phones with ones capable of low-friction NFC payments and awareness increases, the use of this technology will likely take off.
Ultimately it sounds like best practice for individuals is to use a new credit card for Apple Pay, and not one that you ever use online or particularly in restaurants.
ApplePay poses no risk to you unless your card numbers have already been stolen.
If they have been stolen, some banks aren't doing enough to check this before allowing them to be enrolled in ApplePay, so ApplePay is being used by criminals to buy goods using stolen card numbers.
That's it.
Yeah it might be able to provide a layer of anonymity that Paypal does for online purchases but I still end up with a service authorized to use my card.
What I do want and some CC services can provide is instant messaging of when the card is charged.
The value to users of Apple Pay, is that all disappears. They don't get anything useful, you never give them your credit card information, and the token they do get, is only good for that purchase.
Apple pay is a huge leap forward in security, for the card holder - not necessarily for the banks though, if they don't actually verify that the number going into the phone is owned by the cardholder.