Fraud comes to headlines about Apple Pay

I am a cynical, grizzled veteran of the technology wars. I implemented my first payment system in 1995, and just a few weeks ago was programming in PHP to handle refunds through the online payment processor Stripe's excellent interface.

But when I saw the variants on the headline, "Fraud Comes to Apple Pay," I figured what was stated wasn't true. Apple retains so very little information about credit cards registered to a phone, and tucks it away so securely, that this scenario seemed exceedingly unlikely.

And that's turned out to be the case--including in the further explanation in the body of articles that led with that banner. In truth, the problem has little to do with Apple, and you have additional tools by which you can protect yourself should you experience what I describe below.

Charge ahead

A blog written by a consultant in the financial industry, Cherian Abraham, noted two weeks ago that Apple Pay was facing a high level of fraud based on his ongoing conversations with clients and others in his field. Fraud rates as high as 6 percent have been seen. It's impossible to verify or contradict his claims, but his track record is excellent, and let's take it as accurate.

The fraud, however, isn't in Apple Pay: it's in the verification process by which banks allow a card added to an iPhone to be enrolled in Apple Pay. That process is entirely controlled by the banks. Along with your credit card number, expiration date, and other details, Apple sends several signals to banks that are used to determine whether a valid user of the card is trying to enroll it.

As noted in Apple's iOS Security Guide:

Additionally, as part of the Link and Provision process, Apple shares information from the device with the issuing bank or network, like the last four digits of the phone number, the device name, and the latitude and longitude of the device at the time of provisioning, rounded to whole numbers.

Apple declined to offer more insight, such as whether taking a picture of a card, which is then analyzed on the phone to enter the credit card number and expiration date, was a signal sent as well, or any unique attributes of the phone, like its cellular network IMEI number. As for latitude and longitude, while it's possible to fake out a GPS receiver, the kind of criminal involved in fraud is unlikely to have the equipment and interest in that kind of fiddly work; they engage in bulk fraud.

An Apple spokesperson provided a statement about its stance:

During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.

Abraham, in his blog, provided additional details about the process from his insider knowledge: Apple has two paths of approval, "Green Path" and "Yellow Path." If one of several signs on Apple's side is off, such as a recent change to one's Apple ID or no activity on the account for a year, Apple requires banks to use the Yellow Path approach, which is a higher standard of validation. Abraham writes that Green Path enrollments, about 60 percent of the total, have an exceedingly low fraud rate.

With Yellow Path, banks are required to use a higher standard to ensure that the card is being legitimately added to Apple Pay, up to requiring a phone call to a service center, which obtains additional information--and is subject to social engineering. (In activating six cards across four banks, the most I've experienced is a delay of under a day. In some cases, I was surprised to not be asked for more validation.)
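To make the two-path enrollment concrete, here is an added example (not Apple's, Abraham's or any bank's code) that models the routing described above: Apple-side account signals decide Green or Yellow, and on Yellow a hypothetical issuer-side rule compares the shared device signals (last four digits of the phone number, device location rounded to whole degrees) with the record on file before approving or sending the request to a service-center call. The 30-day "recent change" window, the one-degree location tolerance, and all sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Cutoffs are assumptions for this example: the article names the signals
# (a recent Apple ID change, a year without account activity) but no exact windows.
APPLE_ID_CHANGE_WINDOW = timedelta(days=30)
INACTIVITY_LIMIT = timedelta(days=365)


@dataclass
class ProvisioningRequest:
    """Signals the iOS Security Guide says accompany a Link and Provision request,
    plus the two Apple-side account signals Abraham describes."""
    phone_last4: str
    device_name: str
    device_lat: float          # raw reading; Apple shares it rounded to whole degrees
    device_lon: float
    apple_id_changed_on: Optional[date]
    last_account_activity_on: Optional[date]


@dataclass
class CardholderRecord:
    """What the issuer already holds on file (constructed for the example)."""
    phone_last4: str
    billing_lat: float
    billing_lon: float


def round_location(lat: float, lon: float) -> Tuple[int, int]:
    """Round to whole degrees, as the guide says Apple does before sharing.
    One degree is roughly 110 km, so this is a coarse region, not a position."""
    return (round(lat), round(lon))


def choose_path(req: ProvisioningRequest, today: date) -> Tuple[str, List[str]]:
    """Apple-side routing: any off signal forces the Yellow Path."""
    reasons: List[str] = []
    if (req.apple_id_changed_on is not None
            and today - req.apple_id_changed_on <= APPLE_ID_CHANGE_WINDOW):
        reasons.append("recent Apple ID change")
    if (req.last_account_activity_on is None
            or today - req.last_account_activity_on >= INACTIVITY_LIMIT):
        reasons.append("no account activity for a year")
    return ("Yellow" if reasons else "Green", reasons)


def issuer_decision(req: ProvisioningRequest, path: str,
                    holder: CardholderRecord, max_degrees: int = 1) -> str:
    """Hypothetical issuer-side rule (an assumption, not any bank's procedure):
    Green enrolls directly; Yellow enrolls only when the phone and coarse
    location agree with the record on file, otherwise it goes to a
    service-center call, the step-up the article describes."""
    if path == "Green":
        return "approve"
    device = round_location(req.device_lat, req.device_lon)
    billing = round_location(holder.billing_lat, holder.billing_lon)
    near = (abs(device[0] - billing[0]) <= max_degrees
            and abs(device[1] - billing[1]) <= max_degrees)
    if req.phone_last4 == holder.phone_last4 and near:
        return "approve"
    return "step_up"


# Constructed sample data: one ordinary enrollment, one with a freshly changed
# Apple ID, a different phone number and a device far from the billing address.
TODAY = date(2015, 3, 1)
HOLDER = CardholderRecord("4821", 47.61, -122.33)
NORMAL = ProvisioningRequest("4821", "My iPhone", 47.62, -122.35,
                             date(2013, 6, 1), date(2015, 2, 27))
SUSPECT = ProvisioningRequest("0199", "iPhone", 40.71, -74.01,
                              date(2015, 2, 25), date(2015, 2, 27))


def enroll(req: ProvisioningRequest, holder: CardholderRecord, today: date) -> Tuple[str, str]:
    """Full flow: Apple picks the path, the issuer decides. Returns (path, decision)."""
    path, _reasons = choose_path(req, today)
    return path, issuer_decision(req, path, holder)


if __name__ == "__main__":
    for label, req in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(label, enroll(req, HOLDER, TODAY))
```

Note that the stolen-card scenario the article describes, a correct card number presented from a device whose phone and location do not match the cardholder, lands on the Yellow Path and the step-up call; the remaining risk is entirely in how that call is handled.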

This is a similar or identical process that banks go through whether you receive a physical card in the mail, use another mobile payment system, or enroll with Apple Pay. Abraham throws Apple under the bus, which is his prerogative, as he says banks weren't given enough time to ramp up their customer service staff and training, and thus it's clear that representatives are being fooled. As with most things involving Apple, partners (like cellular carriers) plan for low volume, even when the prediction is high. Remember multiple waves of failure with activation servers for iPhones?

So let's be clear. This "Apple Pay fraud":

  • Does not put your iPhone at risk.
  • Does not affect Apple Pay transactions.
  • Does not let your credit cards be siphoned from an iPhone and used elsewhere.

So what is the fraud, truly? Identity theft involving a hole in bank security procedures that will rapidly close as training and other processes improve.

If you find that one of your credit cards is used fraudulently with Apple Pay, it's because the card number was stolen from a merchant, large (like Target) or small, and then added to an iPhone through identity theft or social engineering. People who never used Apple Pay may find their cards misused, as a result.

Monitor fraud with Apple Pay

We can't control whether our cards are misused with Apple Pay or any mobile or other payment system. That's a problem right now in terms of retailers--brick and mortar as well as online--properly adhering to existing standards set by the major credit-card issuers, like Visa and American Express. But we can add more vigilance without driving ourselves crazy.

All major banks and credit unions have iOS apps, and many have increasingly useful websites. You don't need an iPhone 6 or 6 Plus to use these apps, but it's a neat dance between Passbook, Apple Pay, and the apps when everything is aligned.

I recently got an American Express card for hotel points. After adding the card to Apple Pay, which resulted in an email confirming enrollment, I also installed the Amex app. The app works with Touch ID as a nice added benefit. On Amex's website, I added the option for the company to notify me whenever a charge exceeded $200.

Whenever I make a charge, a push notification appears. It's rather reassuring to click Submit on a website, and seconds later see a confirmation on my iPhone lock screen. With my fraud setting thresholds on the website, I also receive an email alert for "card not present," which includes all online orders.

Every bank and credit union's options are different. If yours doesn't offer mobile, push, or email alerts about odd behavior, you should pester them, and explain how competitor X has such a notification.

Financial institutions should--and I expect some will soon--expose one of their fraud markers that they currently don't: location. I'd be happy to geofence my card-present spending, and say if the card is truly present or used via Apple Pay (a form of physical presence) outside of that area, it should require additional approval. Likewise, I want to approve my first transaction with any online site. Those two measures alone would vastly reduce fraud (a cost to banks and consumers) and hassle (mostly borne by consumers).
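The alerting described in the previous section (a push notification on every charge, an email above a $200 threshold, an email for every card-not-present charge) and the two measures proposed here (a geofence on card-present and Apple Pay spending, approval of the first transaction with any online merchant) are all simple rules over a transaction stream. The following is an added example, not code from any bank or from the author, showing those rules run over a few constructed transactions; the one-degree geofence size, the sample merchants and coordinates, and the assumption that an online merchant becomes "known" after its first charge has been reviewed are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class Transaction:
    merchant: str
    amount: float
    card_present: bool   # physical card or Apple Pay; the article treats Apple Pay as physical presence
    lat: float
    lon: float


@dataclass
class CardProfile:
    """Cardholder-chosen settings. The $200 threshold is the author's Amex
    setting; the geofence size is an assumption for the example."""
    alert_threshold: float
    home_lat: float
    home_lon: float
    geofence_degrees: float = 1.0
    known_online_merchants: Set[str] = field(default_factory=set)


def evaluate(tx: Transaction, profile: CardProfile) -> Tuple[str, List[str]]:
    """Return (action, alerts): action is 'approve' or 'require_approval',
    alerts are the notifications the cardholder would receive."""
    alerts = [f"push: {tx.merchant} ${tx.amount:.2f}"]   # every charge gets a push
    action = "approve"
    if tx.amount > profile.alert_threshold:
        alerts.append(f"email: charge over ${profile.alert_threshold:.0f}")
    if not tx.card_present:
        alerts.append("email: card not present")
        if tx.merchant not in profile.known_online_merchants:
            action = "require_approval"
            alerts.append("first transaction with this online merchant")
    elif (abs(tx.lat - profile.home_lat) > profile.geofence_degrees
          or abs(tx.lon - profile.home_lon) > profile.geofence_degrees):
        action = "require_approval"
        alerts.append("card-present charge outside geofence")
    return action, alerts


def process(transactions: List[Transaction], profile: CardProfile):
    """Run the rules in order. Simulation: once an online merchant's first
    charge has been reviewed, later charges there no longer need approval."""
    results = []
    for tx in transactions:
        action, alerts = evaluate(tx, profile)
        if not tx.card_present:
            profile.known_online_merchants.add(tx.merchant)
        results.append((tx.merchant, action, alerts))
    return results


# Constructed sample stream: coffee near home, a large first online order,
# a small repeat order at the same shop, and a card-present charge far away.
SAMPLE_TRANSACTIONS = [
    Transaction("Coffee Cart", 4.50, True, 47.61, -122.33),
    Transaction("Example Shop", 250.00, False, 0.0, 0.0),
    Transaction("Example Shop", 30.00, False, 0.0, 0.0),
    Transaction("Roadside Fuel", 80.00, True, 52.00, -122.30),
]


def sample_run():
    """Fresh profile each time, since process() records known merchants on it."""
    profile = CardProfile(alert_threshold=200.0, home_lat=47.60, home_lon=-122.30)
    return process(SAMPLE_TRANSACTIONS, profile)


if __name__ == "__main__":
    for merchant, action, alerts in sample_run():
        print(f"{merchant:14} {action:16} {alerts}")
```

The geofence branch is where Apple Pay transactions would land, since the article counts them as card-present; the card-not-present branch covers the online orders that the author's email alerts already flag.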

Apple Pay fraud isn't in your hands, and it's not fraud with Apple Pay. You can stay alert with iOS and email, and head off card theft, whatever its origin.

Stories by Glenn Fleishman