Fraud comes to headlines about Apple Pay

I am a cynical, grizzled veteran of the technology wars. I implemented my first payment system in 1995, and just a few weeks ago was programming in PHP to handle refunds through the online payment processor Stripe's excellent interface.

But when I saw the variants on the headline, "Fraud Comes to Apple Pay," I figured what was stated wasn't true. Apple retains so very little information about credit cards registered to a phone, and tucks it away so securely, that this scenario seemed exceedingly unlikely.

And that's turned out to be the case--including in the further explanation in the body of articles that led with that banner. In truth, the problem has little to do with Apple, and you have additional tools by which you can can protect yourself should you experience what I describe below.

Charge ahead

A blog written by a consultant in the financial industry, Cherian Abraham, noted two weeks ago that Apple Pay was facing a high level of fraud based on his ongoing conversations with clients and others in his field. Fraud rates as high as 6 percent have been seen. It's impossible to verify or contradict his claims, but his track record is excellent, and let's take it as accurate.

The fraud, however, isn't in Apple Pay: it's in the verification process by which banks allow a card added to an iPhone to be enrolled in Apple Pay. That process is entirely controlled by the banks. Along with your credit card number, expiration date, and other details, Apple sends several signals to banks that are used to determine whether a valid user of the card is trying to enroll it.

As noted in Apple's iOS Security Guide:

Additionally, as part of the Link and Provision process, Apple shares information from the device with the issuing bank or network, like the last four digits of the phone number, the device name, and the latitude and longitude of the device at the time of provisioning, rounded to whole numbers.

Apple declined to offer more insight, such as whether taking a picture of a card, which is then analyzed on the phone to enter the credit card number and expiration date, was a signal sent as well, or any unique attributes of the phone, like its cellular network IMEI number. As for latitude and longitude, while it's possible to fake out a GPS receiver, the kind of criminal involved in fraud is unlikely to have the equipment and interest in that kind of fiddly work; they engage in bulk fraud.

An Apple spokesperson provided a statement about its stance:

During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.

Abraham, in his blog, provided additional details about the process from his insider knowledge: Apple has two paths of approval, "Green Path" and "Yellow Path." If one of several signs on Apple's side are off, such as a recent change to one's Apple ID or no activity on the account for a year, Apple requires banks to use the Yellow Path approach, which is a higher standard of validation. Abraham writes that Green Path enrollments, about 60 percent of the total, have an exceedingly low fraud rate.

With Yellow Path, banks are required to use a higher standard to ensure that the card is being legitimately added to Apple Pay, up to requiring a phone call to a service center, which obtains additional information--and is subject to social engineering. (In activating six cards across four banks, the most I've experienced is a delay of under a day. In some cases, I was surprised to not be asked for more validation.)

This is a similar or identical process that banks go through whether you receive a physical card in the mail, use another mobile payment system, or enroll with Apple Pay. Abraham throws Apple under the bus, which is his prerogative, as he says banks weren't given enough time to ramp up their customer service staff and training, and thus it's clear that representatives are being fooled. As with most things involving Apple, partners (like cellular carriers) plan for low volume, even when the prediction is high. Remember multiple waves of failure with activation servers for iPhones?

So let's be clear. This "Apple Pay fraud":

  • Does not put your iPhone at risk.
  • Does not affect Apple Pay transactions.
  • Does not let your credit cards be siphoned from an iPhone and used elsewhere.

What the fraud truly is? Identity theft involving a hole in bank security procedures that will rapidly close as training and other processes improve.

If you find that one of your credit cards is used fraudulently with Apple Pay, it's because the card number was stolen from a merchant, large (like Target) or small, and then added to an iPhone through identity theft or social engineering. People who never used Apple Pay may find their cards misused, as a result.

Monitor fraud with Apple Pay

We can't control whether our cards are misused with Apple Pay or any mobile or other payment system. That's a problem right now in terms of retailers--brick and mortar as well as online--properly adhering to existing standards set by the major credit-card issuers, like Visa and American Express. But we can add more vigilance without driving ourselves crazy.

All major banks and credit unions have iOS apps, and many have increasingly useful websites. You don't need an iPhone 6 or 6 Plus to use these apps, but it's a neat dance between Passbook, Apple Pay, and the apps when everything is aligned.

I recently got an American Express card for hotel points. After adding the card to Apple Pay, which resulted in an email confirming enrollment, I also installed the Amex app. The app works with Touch ID as a nice added benefit. On Amex's website, I added the option for the company to notify me whenever a charge exceeded $200.

Whenever I make a charge, a push notification appears. It's rather reassuring to click Submit on a website, and seconds later see a confirmation on my iPhone lock screen. With my fraud setting thresholds on the website, I also receive an email alert for "card not present," which includes all online orders.

Every bank and credit union's options are different. If yours doesn't offer mobile, push, or email alerts about odd behavior, you should pester them, and explain how competitor X has such a notification.

Financial institutions should--and I expect some will soon--expose one of their fraud markers that they currently don't: location. I'd be happy to geofence my card-present spending, and say if the card is truly present or used via Apple Pay (a form of physical presence) outside of that area, it should require additional approval. Likewise, I want to approve my first transaction with any online site. Those two measures alone would vastly reduce fraud (a cost to banks and consumers) and hassle (mostly born by consumers).

Apple Pay fraud isn't in your hands, and it's not fraud with Apple Pay. You can stay alert with iOS and email, and head off card theft, whatever its origin.

Join the CSO newsletter!

Error: Please check your email address.

Tags HPApplesecurityApple PayStripe

More about American ExpressAppleProvisionStripeVisa

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Glenn Fleishman

Latest Videos

More videos

Blog Posts