Though Apple Pay is intended as an extremely secure method of payment, criminals have found a way to circumvent its encryption and biometrics. Identity thieves look for the weakest link, and have found one not in Apple Pay itself, but in the process by which banks and card issuers verify cards for use with the service. Charles Arthur reports for The Guardian that criminals in the United States are using Apple Pay to buy expensive goods, often from Apple stores, with stolen identities and credit cards.
The identity thieves haven’t broken the secure encryption that Apple implemented with Apple Pay. Instead, they are taking advantage of banks’ lax procedures for card verification to set up new iPhones with stolen information. As Tech Cheat Sheet reported recently, card issuers are Apple Pay’s weakest link. As Apple’s support page for Apple Pay explains, when a user attempts to add a credit or debit card to Apple Pay, the data is encrypted and sent to Apple’s servers. Apple then decrypts the data, determines the card’s payment network, and re-encrypts the data with a key that only the payment network can unlock.
Apple then sends the encrypted data, along with information about the user’s iTunes account activity and the device, to the bank. With that information, the bank determines whether to approve adding the card to Apple Pay. Banks create a “green path” for cards that they approve right away, but some cards require more checks. Reasons include the Apple ID and card pairing going beyond a specific date threshold, the Apple account having been recently modified, the Apple account registering no activity for more than a year, or the Apple ID being too new. These follow a “yellow path” for the issuer to gather additional information.
While all participating card issuers create this “yellow path” for use when verifying or provisioning a card for use in Apple Pay, the implementation has varied widely among banks and issuers. Customers could be directed to call their issuer’s call center, be asked to authenticate through the bank’s mobile app, or be required to verify via a two-factor code sent to the card owner’s phone.
Most issuers have opted for call-in authentication, which is the easiest for fraudulent users to pass. Many ask callers to verify their identity with the last four digits of their Social Security Number, which are commonly stolen in instances of identity theft. 11.5 million Americans are victims of identity theft annually, and the average incident costs $4,930. In 2013, losses from identity theft totaled $24.7 billion, and nearly two-thirds of cases involved credit card details. Criminals with stolen identities and stolen credit cards are now targeting Apple Stores, because they accept Apple Pay and offer high-value products which can be resold for cash.
Arthur reports that fraud using stolen identities has allegedly reached much higher levels than expected, with total losses “already running into millions,” compared with the expected value of about $5 billion for smartphone-based payments in the United States this year. In a recent post on the Drop Labs blog, mobile payments expert Cherian Abraham wrote of the fraud levels in Apple Pay, “EVERY issuer in [Apple Pay] has seen significant *ongoing* provisioning fraud via customer account takeover. The levels of fraud has varied since launch, but 600bps is now seen as hardly an anomaly. Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one, is bold enough to call the emperor naked.”
Abraham reports that “organized crime rings” are behind the scams, and committing fraud with Apple Pay has proven to be much simpler than with online retailers, who shoulder liability in the occurrence of fraud and therefore are growing increasingly sophisticated in fighting it. Abraham reports that there is negligible fraud with cards provisioned via the green path, and posits that “It is unconscionable that Apple did not, and was not strongly advised by its partners – to make the Yellow Path implementation (by an issuer) mandatory sooner than it did – which was 4 weeks before AP launch. By then, it was too late for any issuer who had been focused elsewhere to put up any effort of merit.”
More secure yellow path implementations, such as directing the customer to log in via the bank’s app, require a significant amount of planning and effort. So most card issuers rely on call centers. But Abraham reports that identity thieves “are better at social engineering than call center reps are at sniffing out fraud,” and in some cases even call the call centers to alert the bank to a trip out of town so that traditional red flags of transaction anomalies don’t interfere. Furthermore, Abraham thinks that Apple Pay is ” just the first among the hundreds of token requestors that will come to dot the tokenization landscape,” a projection that leads him to conclude that provisioning needs to become secure, invisible, and scalable.
An Apple spokesman reached by The Guardian reiterated that “Apple Pay is designed to be extremely secure and protect a user’s personal information,” and added, “Banks are always reviewing and improving their approval process, which varies by bank.” Tim Sloane, vice president of payments innovation at the Massachusetts-based Mercator Group, characterized the current issues as “probably just some teething problems.” If the banks are able to improve the authentication process, Sloane thinks they’ll see less fraud. “Battle plans always look great until you meet the enemy.”
Speaking to Mashable on the problem of Apple Pay fraud, Patrick Nielsen, senior security researcher at Kaspersky Lab, explains, “All these kinds of new technologies will have growing pains. The best way to solve this particular issue, though, would be to stop thinking of social security numbers as something that’s privileged and secret, and therefore not grant access (to use the credit card like a physical card, in this case) based on that knowledge alone.”