March 7, 2015
We told you very early on (13 Oct 2014) that there was going to be a problem with Apple Pay, and it has turned out to be true. We wrote about the possible fraud vulnerabilities in Apple Pay, and the question asked at the time was: Does Apple or the card issuer know who is actually loading a credit card into Apple Passbook?
Let me bring it back a bit. I am a huge Apple fan and I love the company, but this isn’t just about Apple. As Apple Pay and a myriad of other payment alternatives become available to millions of consumers, mobile payment providers and card issuers face a basic problem – is the person loading a credit card into a mobile wallet the account holder of that card?
As the excitement over Apple Pay grows, so does the clamor for the Apple-esque simplicity that consumers have come to expect from all mobile experiences. The challenge for both mobile wallets and card issuers is determining what level of security they must add to ensure that credit cards added to mobile wallets belong to the right consumers… without stifling adoption and usage.
As reported by AppleInsider, fraudsters are using credit card information stolen from high-profile retail chains to create Apple Pay accounts. Apple Store purchases themselves account for 80% of the unauthorized purchases being made by these fraudsters. Criminals are making purchases at Apple Stores using fraudulent Apple Pay accounts that were created using credit card data stolen from Home Depot and Target.
Here’s a simple illustration of the risks involved in elevating simplicity over security, one that arises even before a payment transaction is conducted: a consumer hands their card to an ill-intentioned restaurant worker, who simply loads the consumer’s card into their own Apple Passbook account. Aside from this scenario, Touch ID and tokenization kick in to guard against typical fraud scenarios, but that’s not enough. The damage is already done, and a perfectly secure transaction will be authorized on a compromised account.
There are several aspects involved in the creation of Apple Pay accounts. All card issuers participating in Apple Pay are required to build a Yellow Path to facilitate additional bank verification when the payment card is provisioned into Apple Pay. The Yellow Path experience varies per card issuer during the on-boarding process. The user might be authenticated via the bank’s mobile app or through an entirely different two-factor authentication procedure, or they may simply be redirected to call centers.
Each of these authentication methods has varying levels of success and friction. Some banks also use a Green Path method, which immediately provisions the card without additional steps for user verification. According to Cherian Abraham, writing on his blog DropLabs, every card issuer participating in Apple Pay is witnessing significant levels of fraud. Fraud levels have reached 6 percent and are growing on both of the paths mentioned, and banks have no clue who the fraudsters might be. The problem lies in the provisioning of cards into Apple Pay.
We have previously discussed some possible solutions to this fraud scenario. Fundamentally, mobile payments security will benefit from a multi-layered solution: Apple has already integrated Touch ID, companies like Payfone bring mobile-originated capabilities, and others such as Socure can bring the social graph to play a meaningful role in transaction security.
Collaboration is required within the broader ecosystem to bolster and continuously evolve the security and authentication systems. Fintech startups can play a big role in this endeavor, and can help Apple Pay and other platforms to become mainstream and more secure at the same time.