While Apple Pay is the gold standard for safe card transactions, some partner banks are leaving customers vulnerable to fraud via identity theft thanks to weak checks when cards are added to Apple Pay, according to mobile commerce consultants Drop Labs. Some partner banks are consequently seeing fraud rates six times higher than with physical cards.
For consumers, Apple Pay is extremely safe, thanks to the use of Touch ID fingerprint verification and single-use code transmission rather than sharing full card details. Drop Labs claims that the weak link in the chain is what happens when cards are added to Apple Pay …
When you add a card to Apple Pay, the bank is supposed to verify that you are the card’s owner, preventing an unauthorized user from adding your card to another phone. While some banks make these checks via secure mobile apps, others are simply asking customers to phone a call center. With access to hacked card details, such as those from high-profile breaches at major retailers like Target, a fraudster may have sufficient information to pass this phone check.
No, iPhones weren’t stolen and then used for unauthorized purchases, Touch ID was not compromised, and credentials weren’t ripped out of Apple’s tamper-proof secure element – nor were the much-feared but rarely attempted man-in-the-middle attacks (capturing an NFC transmission and relaying it at a different terminal) involved. Instead, fraudsters bought stolen consumer identities complete with credit card information, and convinced both the automated and the manual checks that they were indeed the legitimate customer.
Fraudsters can then use Apple Pay to make fraudulent transactions despite the built-in security, with the retailer satisfied that the safeguards make the transaction a safe one.
Drop Labs says that the problem can only be solved if banks improve the security of the so-called ‘Yellow Path’ procedures designed to ensure that cards are only added to Apple Pay by the genuine cardholder.
Apple Pay now has more than 45 partner banks, with Bank of America alone reporting 1.1 million cards added to the service.
Via Gizmodo
My bank requires you to verify part of the virtual card number, which is a smart move because you need secure access to the phone to get it. It’s sort of a two-factor authentication.
Actually, not really. My mind was thinking in context of cards which have already been associated with a device which may not be the case with this type of fraud. The banks should be requiring multiple pieces of verification (which my bank does in addition to the virtual number).
And now that I think about it, one of the other cards I have registered (not from my primary bank) did have a true form of two-factor authentication by requiring you to receive a call or have a PIN sent to the phone number registered on the account. So as long as your account itself wasn’t hacked, you should be made aware if your card is being added to somebody’s Passbook.
If you have this problem your identity has probably been stolen, and you have much bigger problems.
“Some partner banks are consequently seeing fraud rates six times higher than with physical cards.”
Hmm…if this was the case wouldn’t we be seeing stories left and right about stolen credit card data being added to passbook?
Plus, don’t you have to scan a physical card into passbook? Or are these fraudsters using stolen data and making fake cards with it? Something doesn’t smell right with this story.
As I understand it, the scanning stage just reads in the data, so a pretty crude copy would pass.
You don’t have to scan the card; the information can be manually entered into Passbook, but it does require the 3-digit security code from the back of the card, which I am not sure where fraudsters would get without having possession of the card, but who knows.
Nonetheless, your original point is very true: no way this is 6 times higher, or the media would be blowing up with interviews of victims of the evil new technology. And this is a simple fix for banks anyway.
Exactly, how are the fraudsters getting the 3 digit verification code if they don’t have the actual card?? You need that to enter the card into Apple Pay. I’m calling BS on this.
No, the scanning is just a way of quickly entering some to all of the data. It’s not required, and when I last tried it wasn’t perfect — there was a mistake or two I needed to fix manually. And you can also just type it in normally.
Nothing is stopping a waiter or waitress from either taking a picture of the front and back of your card or quickly jotting down the info to use later. My biz partner had his CC info taken like this, brand new card used 1 time at dinner, within a week there were 2 bogus charges, the person was caught but you’re at the mercy of the honesty of whomever gets possession of your card.
Banks traditionally keep fraud pretty quiet.
But surely some local news report would be all over this interviewing impacted consumers. These kinds of stories are right up their alley,
Sound like this is the fault of the bank not properly verifying the account holder.
Weak ID check? I had to call my bank and give them everything but my favorite color to verify identity before I could use it.
After that, how much more secure could it be?
Are these insane people not realizing that this is still a world that SHIPS ACTIVE CARDS IN THE MAIL?
The PIN still comes in a different envelope on a different day. Oh wait, you’re probably from the US where pretty much everything about payments is insane.
As always banks/card companies will weigh small losses from fraud against big profits from more convenient use by card owners. Loss of confidence/good name is probably the first thing that makes them act, not actual $/£ losses.
My bank gives me a little device like a small pocket calculator which needs my chip & PIN card inserted in it, then my PIN typed in, then a single-use code from their website typed in, and finally it produces a one-time code to identify me. No doubt they will have me use this in order to add their card to Apple Pay. Other banks will weigh the cost of that kind of security against how much they actually lose to this.
Personally I still think chip and PIN was a step up from magnetic stripe card & signature and I think apple pay is another step in the right direction – nothing is perfect but apple pay is better, not worse.
Excellent article and good perspective. The fraud is shifting from the merchant-consumer transaction to the provisioning. And Apple Pay is coming when there’s still a wealth of hacked information to mine for identities.
The banks and CUs have to be aware of this and tighten up their procedures. I’m hoping this was a manifestation of the early days and that banks, CUs are learning from these instances.
As a consumer, I want my information protected. And it is in Apple Pay. But the banks have to make sure things are good at the start. And that’s their one job. Hopefully they can adapt and get better at it.
If dumb fraudsters do indeed add stolen cards to Apple Pay, wouldn’t it be possible (in the future) for law enforcement to work with Apple to identify them?
Seeing as they can gather: Apple ID, IP, Cellular Network, location and correlate the info.
Still no validating using auto fill in Safari.
To me, validating using the bank’s app or website would be a more secure way.
I have added 5 cards to Apple Pay and none have asked me any questions to verify the accounts are mine. 2 are family members’ cards and I had no issues adding them.
When this rolls out to Europe in early spring, I hope Apple and the financial institutions start implementing better authorization for Apple Pay and for Safari Autofill.