11 Mar 15

Apple Pay: Bridging Online and Big Box Fraud

Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.

To understand what’s going on here, a quick primer on card fraud is in order. If you’re a fraudster who wants to walk into a Best Buy and walk out with a big-screen TV or an Xbox console on someone else’s dime, you buy “dumps”: data copied straight off the magnetic stripe on the back of a card.

Typically, dumps are stolen via malware planted on point-of-sale devices, as in the breaches at brick-and-mortar stores like Target, Home Depot and countless others over the past year. Dumps buyers encode the data onto new plastic, which they then use “in-store” at retailers and walk out with armloads full of high-priced goods that can be easily resold for cash. The average price of a single dump is between $10-$30, but the payoff in stolen merchandise per card is often many times that amount.

When fraudsters want to order something online using stolen credit cards, they go buy what the crooks call “CVVs,” i.e., card data stolen from hacked online stores. CVV is short for “card verification value” (Mastercard calls it the CVC, or card verification code) and refers to the three-digit code printed on the back of most cards (four digits on the front of American Express cards) that’s required for most online transactions. Fraudsters buying CVVs get the card number, the expiration date, the card verification code, and the cardholder’s name, address and phone number. Because they’re less versatile than dumps, CVVs cost quite a bit less: typically around $1-$5 per stolen account.

So in summary, dumps are stolen from main-street merchants, and are sought after by crooks mainly for use at main street merchants. CVVs, on the other hand, are stolen from online stores, and are useful only for fraud against online stores.
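The distinction between a dump and a CVV comes down to which fields each record carries and which payment channel will accept them. The following is an added example, not code from the post: it parses a constructed track-2 string (the format a POS-malware dump captures, using the industry test PAN 4111111111111111 with a made-up expiry, service code and discretionary data) and a constructed CVV record for the same PAN, then maps each onto the channels it can be replayed into. The `issuer_verifies_possession` flag is an assumption standing in for whatever step-up the issuer performs at wallet enrollment.

```python
"""Which stolen card record can be replayed into which payment channel.

Added example, not code from the original post. The track-2 string and the
"CVV" record below are constructed (industry test PAN 4111111111111111,
made-up expiry, service code and security codes); no real card data.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# ISO/IEC 7813 track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# The discretionary data is where the issuer places the PVV and CVV1/CVC1,
# the code verified on a swipe. This is what a POS-malware "dump" captures.
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\?$"
)


@dataclass
class StolenRecord:
    pan: str
    exp_yymm: str
    track2: Optional[str] = None   # only a dump carries this
    cvv2: Optional[str] = None     # only a "CVV" (card-not-present) record carries this
    name: Optional[str] = None
    billing_address: Optional[str] = None
    chip_card: bool = False


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit; only proves the PAN is well formed, nothing more."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_dump(raw: str) -> StolenRecord:
    """Parse a raw track-2 string into the fields a dump actually carries."""
    m = TRACK2_RE.match(raw)
    if not m or not luhn_ok(m["pan"]):
        raise ValueError("not a valid track-2 record")
    # Service code first digit 2 or 6 marks an EMV chip card; cloned plastic
    # made from such a dump only works where the terminal falls back to the stripe.
    chip = m["svc"][0] in ("2", "6")
    return StolenRecord(pan=m["pan"], exp_yymm=m["yy"] + m["mm"], track2=raw, chip_card=chip)


def channels(rec: StolenRecord, issuer_verifies_possession: bool) -> Dict[str, bool]:
    """Map a record onto the fraud channels it unlocks.

    issuer_verifies_possession (assumed flag): does the issuer step up wallet
    enrollment through something the crook does not hold, e.g. a code sent to
    the phone on file? The post's claim is that many issuers did not.
    """
    swipe = rec.track2 is not None      # cloned plastic at a brick-and-mortar POS
    cnp = rec.cvv2 is not None          # online order: PAN, expiry, CVV2 (+ name/address)
    wallet_input = cnp                  # wallet enrollment asks for the same fields
    return {
        "card_present_swipe": swipe,
        "card_not_present": cnp,
        "wallet_enrollment_input": wallet_input,
        "in_store_via_wallet": wallet_input and not issuer_verifies_possession,
    }


# Constructed samples: a dump and a CVV record for the same test PAN.
DUMP = parse_dump(";4111111111111111=2512101000012345?")
CVV = StolenRecord(pan="4111111111111111", exp_yymm="2512", cvv2="123",
                   name="J. Doe", billing_address="1 Main St")

if __name__ == "__main__":
    for label, rec in (("dump", DUMP), ("cvv", CVV)):
        print(label, channels(rec, issuer_verifies_possession=False))
```

Run as a script it prints the channel map for both records; the CVV record yields `in_store_via_wallet: True` only when the issuer skips possession verification, which is the whole of the article’s point.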

Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs. That’s because most banks that are enabling Apple Pay for their customers do little, if anything, to require that customers prove they have the physical card in their possession.

Avivah Litan, a fraud analyst with Gartner Inc., explained in a blog post published earlier this month that Apple provides banks with a fair amount of data to aid their efforts at “identity proofing” the customer, such as the device name, its current geographic location, and whether or not the customer has a long history of transactions with iTunes.

All useful data points, of course, unless the iTunes account that all of this information is based on is hijacked by fraudsters. And as we know from previous stories on this blog, there is a robust trade in the cybercrime underground for hijacked iTunes accounts, which retail for about $8 per account.

Litan’s column continues:

Interestingly, neither Apple nor the banks get any useful identity information out of the mobile carriers, at least that I know of or have heard of. And mobile carrier data could be particularly helpful with identity proofing. For example the banks could compare the mobile service’s billing address with the card account holder’s billing address.

For years, we have been briefed by vendors offering a plethora of innovative and strong user authentication solutions for mobile payments and commerce. And for years, we have been asking the vendors touting them how they know their mobile app is being provisioned to a legitimate user rather than a fraudster. That always appeared to me to be the weakest link in mobile commerce: making sure you provide the app to the right person instead of a crook.

Identity proofing in a non-face-to-face environment is anything but easy but there are some decent solutions around that can be stitched together to significantly narrow down the population of fraudulent transactions and identities. The key is reducing reliance on static data – much of which is PII data that has been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements.

This problem is only going to get worse as Samsung/LoopPay and the MCX/CurrentC (supported by Walmart, BestBuy and many other major retailers) release their mobile payment systems, without the customer data advantages Apple has in their relatively closed environment.

Sure, the banks could pressure Apple Pay to make their users take a picture of their credit cards with the iPhone and upload that data before signing up. That might work for a short while to deter fraud, at least until the people at underground document forgery sites like Scanlab see a new market for their services.

But in the end, most banks coming online with Apple Pay are still using customer call centers to validate new users, leveraging data that can be purchased very cheaply from underground identity theft sites. If any of you doubt how easy it is to buy personal data on just about anyone, check out the story I wrote in December 2014, wherein I was able to find the name, address, Social Security number, previous address and phone number on all current members of the U.S. Senate Commerce Committee.
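What the issuer does with the data points Apple forwards (device location, iTunes account age and purchase history) and with the call-center questions is the whole game. The following is an added example, not the post’s code nor Apple’s or any issuer’s: two issuer-side enrollment policies, with field names, thresholds and the green/yellow/red outcomes all assumed for illustration. The “legacy” policy approves on forwarded signals and static PII; the “hardened” policy lets those signals decline but never approve, and settles every uncertain request through a one-time code to the phone number the issuer already has on file. The scenario at the end is constructed: a CVV, a hijacked iTunes account with years of history, and purchased last-four SSN, with the phone located in the victim’s state.

```python
"""Issuer-side triage of a mobile-wallet enrollment request.

Added example, not code from the post, Apple, or any issuer. Field names,
thresholds and both policies are assumptions chosen to show that forwarded
wallet signals and static PII can be hijacked or bought, so a "yellow"
request must be settled through a channel the issuer itself controls.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple
import hmac
import secrets
import time


class Path(Enum):
    GREEN = "approve"
    YELLOW = "step_up"
    RED = "decline"


@dataclass
class WalletSignals:
    """What the wallet provider forwards at enrollment, per the post."""
    device_region: str
    account_age_days: int
    account_purchase_count: int


@dataclass
class EnrollmentRequest:
    cvv2_matches: bool      # result of the CVV2 check, done elsewhere
    billing_zip: str        # static PII typed by whoever holds the phone
    ssn_last4: str          # static PII offered during a call-center review
    signals: WalletSignals


@dataclass
class IssuerRecord:
    billing_region: str
    billing_zip: str
    ssn_last4: str
    phone_on_file: str
    card_reported_lost: bool = False
    devices_enrolled: int = 0
    bank_app_session_age_s: Optional[int] = None  # seconds since login to the issuer's own app


def legacy_policy(req: EnrollmentRequest, rec: IssuerRecord) -> Path:
    """The pattern the post describes: trust forwarded signals, then KBA."""
    if rec.card_reported_lost or not req.cvv2_matches:
        return Path.RED
    geo_ok = req.signals.device_region == rec.billing_region
    history_ok = req.signals.account_age_days >= 365 and req.signals.account_purchase_count >= 10
    if geo_ok and history_ok:
        return Path.GREEN
    # "Yellow" goes to the call center, which asks for things a crook can buy.
    if req.ssn_last4 == rec.ssn_last4 and req.billing_zip == rec.billing_zip:
        return Path.GREEN
    return Path.RED


def hardened_policy(req: EnrollmentRequest, rec: IssuerRecord) -> Path:
    """Forwarded signals and static PII may decline but never approve."""
    if rec.card_reported_lost or not req.cvv2_matches or rec.devices_enrolled >= 3:
        return Path.RED
    if rec.bank_app_session_age_s is not None and rec.bank_app_session_age_s < 300:
        return Path.GREEN   # customer just authenticated to the issuer's own app
    return Path.YELLOW      # settle with a one-time code to the number on file


class OtpStepUp:
    """One-time code to the phone the issuer already has; bounded tries and TTL."""
    TTL_S = 300
    MAX_TRIES = 3

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float, int]] = {}

    def issue(self, rec: IssuerRecord) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[rec.phone_on_file] = (code, time.monotonic() + self.TTL_S, 0)
        return code  # delivered out of band to rec.phone_on_file, never handed to the wallet

    def verify(self, rec: IssuerRecord, submitted: str) -> bool:
        entry = self._pending.get(rec.phone_on_file)
        if entry is None:
            return False
        code, deadline, tries = entry
        if time.monotonic() > deadline or tries >= self.MAX_TRIES:
            self._pending.pop(rec.phone_on_file, None)
            return False
        if hmac.compare_digest(code, submitted):
            self._pending.pop(rec.phone_on_file, None)  # single use
            return True
        self._pending[rec.phone_on_file] = (code, deadline, tries + 1)
        return False


def hijacked_account_scenario() -> Tuple[Path, Path]:
    """Constructed case: bought CVV, bought iTunes account with long history,
    last-4 SSN from a lookup service, phone located in the victim's state."""
    rec = IssuerRecord(billing_region="NY", billing_zip="10001", ssn_last4="6789",
                       phone_on_file="+12125550100")
    req = EnrollmentRequest(cvv2_matches=True, billing_zip="10001", ssn_last4="6789",
                            signals=WalletSignals("NY", account_age_days=1200, account_purchase_count=80))
    return legacy_policy(req, rec), hardened_policy(req, rec)
```

Under the legacy policy the constructed fraudster is approved outright; under the hardened one the same request lands on the yellow path and can only complete if the attacker also controls the victim’s phone. The code is bound to the phone on file rather than to anything the enrollment request supplied, so the wallet-side signals cannot influence where it is sent.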

The irony here is that while Apple Pay has been touted as a more secure alternative to paying with a credit card, the way Apple and the banks have implemented it actually makes card fraud cheaper and easier for fraudsters.

Even more deliciously ironic, as noted in Cherian Abraham’s insightful column at Droplabs, is how much of the fraud stemming from crooks signing up stolen credit cards with Apple Pay was tied to purchases of high-dollar Apple products at Apple’s own brick-and-mortar stores! That banks end up eating the fraud costs from this activity is just the cherry on top.

Abraham said the banks are in this mess because they didn’t demand more transparency and traceability from Apple before rushing to sign customers up (or “provision” them, in banker-speak) for Apple Pay.

“One of the biggest gripes I have heard from issuers is the lack of transparency from Apple (what did they expect?) and the makeshift reporting provided to issuers that is proving to be woefully inadequate,” Abraham wrote. “As long as issuers fall back on measures easily circumvented by freely available PII – this problem will continue to leech trust and large sums of cash. And alongside of the latter, there is much blame to go around as well.”

Both Abraham and Gartner’s Litan say banks need to take a step back and take the time to develop more robust, thoughtful and scalable solutions to identity proofing customers, particularly as other mobile providers begin rolling out their mobile payment systems without the customer data advantages that Apple has in their relatively closed environment.

“The vendors in the mobile user authentication space have consistently answered that they are leaving account provisioning policies to the banks or other consumer service providers provisioning the apps,” Litan wrote. “Well maybe it’s time for them to reconsider and start helping their client banks and service providers by supporting identity proofing solutions built into their apps. Whoever does this well is surely going to win lots of customer support… and revenue.”


84 comments

  1. itsmeitsmeitsddp

    Good thing I don’t have any Apple products or ever plan to.

    • Except of course, that this issue does not apply to people who own Apple products.

      ANYONE whose “CVVs” have been stolen (not dumps) in any other credit card hack is susceptible to this issue now if your bank doesn’t have a secure method of validating your identity when adding your card to ApplePay on ANY ONE ELSE’S iPhone.

      I’m generally a pretty big fan of Apple… and I do think ApplePay will go a long way toward reducing card-present fraud, but only if Apple and/or the banks come up with a reliable, secure solution to the ID validation when adding a card to Apple Pay.

      • I meant to say that this issue does not ONLY apply to people who own Apple products.

        Obviously, it does apply to those who own Apple products as well as those who do not.

        • itsmeitsmeitsddp

          I said that a little sarcastically which is hard to convey in an internet comment I suppose. The blame for this rests solely on the banks wanting to push this out without giving the security of the ability to use these services (apple, samsung, yada, yada, yada) without really verifying who is at fault. Being a long time android user myself I am in no way going to adopt any form of this service and yes anyone who has their cvv stolen is at risk. They were of course at risk before this type of fraud can happen, but these services just make it easier for the criminals to do so.

          • itsmeitsmeitsddp

            *verifying who is at fault – should have read – who is on the other end of the line.

          • Indeed. The problem is entirely on the bank side. Our bank required a phone call and multiple steps of verification in order to activate it. As a security professional who deals with phishing sites every single day, I can vouch that the questions they asked are not the kinds of things that phishers would typically have.

      • Let’s be clear about who is failing… this is not a problem with ApplePay, but with the banks using inadequate authentication procedures.

        … also, as previously stated, ‘manually keyed, card present’ fraud has been occurring for years from simple stolen PAN information (non track data) just being embossed and stores having the option to manually key a card in when the magstripe fails.

        This is not a new trend, it’s just a new method. One that can be avoided if issuers use better authentication procedures.

        • “Let’s be clear ” Greedy Apple (and other tech companies), who moves revenue offshore to avoid paying taxes, burden the taxpayer from both ends: making him pay percentage-wise more to support the services Apple enjoys. It delivers a buggy payment system which will cost the tax payer as banks seek help from the government, or raise charges to their customers.

          People who hide their revenue, you can’t take it with you.

      • Wombat94 “I do think ApplePay will go a long way toward reducing card-present fraud, but only if Apple and/or the banks come up with a reliable, secure solution to the ID validation when adding a card to Apple Pay.”

        This is a ridiculous statement. ApplePay is irrelevant to “reducing card-present fraud” since it is an interfering intermediary, creating a card-NOT-present payment situation. Waving your phone is NOT “card present.” Look at your own statement. The intermediary (Apple in this case) and the banks would have to come up with a reliable, secure solution, as you say. That means that ApplePay is irrelevant to making things more secure for card-present purchases, as you say yourself that improved security relies on the two parties (intermediary and the bank) to make a separate part of the system more secure. By your own description, that’s not ApplePay making anything more secure. Your comment is incoherent!

        The article cited that Apple is not being transparent in a way that the banks need in order to properly monitor transactions for security. Why not just cut out the salami-shaving intermediary and let the merchant have your money instead? Just like Visa and Mastercard networks shave off a fee, Apple is adding another shaving to the amount merchants don’t get.

        Is it really a problem to pull out your wallet that we can’t unglue our phones from our hands for a moment to pay for groceries? Have you seen the commercial where some idiot picks up all his grocery bags and THEN tries to pay? (It’s the “problem” portion of the commercial pitch.) The idea is that we are somehow suffering because we get our hands too full, and waving your ever-present phone is the answer. What moron does that? Normal people pay first and then pick the bags up.

        ApplePay isn’t the solution to a non-problem when Apple is obstructing what the banks need for proper security in the first place.

    • Then you are actually at more risk. The thief will just do it for you at your expense.

    • Thieves have been able to take stolen PAN information and emboss them on counterfeit cards for years. Merchants use manually keyed information as a fall back when the card won’t swipe properly (because it is blank… because it’s a counterfeit card).

      This has been an issue for literally years. ApplePay is not causing anything new to occur. This is an issue… but to imply that it is something new is a bit misleading.

  2. Donald J Trump

    Good synapse on how credit card fraud occurs

  3. I just finished the above article and I don’t know why I’m surprised that some FI’s are seeing fraud on Apple Pay but I am. The FI I work for has decided not to sign up with Apple Pay until we see how popular it becomes and determine if the cost is worth it. After reading this article, I’m glad we’ve decided to take a step back and wait. I don’t know if I’ve been hiding under a rock but I haven’t heard of any fraud concerning Apple Pay. Where can I go to review the percentage of Apple Pay fraud FI’s are seeing? Thanks!

    • I hear its around 6% of all apple pay transactions are fraud. Not sure how accurate that is.

    • I don’t think you read the article correctly. Apple Pay is actually providing a lot of useful information to the banks that they can use to protect your identity and money. It’s the implementation by the banks and how the sign-up process is set up that makes it easy to steal a card. All you have to do is buy a dump or a CVV and add it to your phone through Apple Pay. Just like it was before.

      I don’t think Apple Pay is bad, but it’s not secure the way it is now. But to put all the blame on it, that’s taking it a little too far.

      • A really simple solution that would block 99% of the fraud is for the banks to compare the geographic location of the phone to the card holder’s home address. If the bank automatically rejects all Apple Pay signups that don’t originate at the card holder’s home, the problem would be solved.

        • … because that is easily done in the 1/12th of a second a bank has to authorize a transaction (also, because people don’t travel or anything)

          • This isn’t about authorizing charges. This is about authorizing provisioning. Totally different and totally separate. The banks have rather significant time to authorize provisioning. Hours, days, even weeks!

            Also it should probably be pointed out that requests for provisioning are flagged into multiple categories: green, yellow, red or basically highly likely to be good, unknown, highly likely to be bad.

            The specific issue isn’t the green paths or the red paths. By all reports those are working about as perfectly as could be expected. The issue is with the yellow path. These are the cases where there isn’t enough information to determine outright correctness or outright fraud.

            And the primary problem is that apparently a lot of banks were not only using call centers for the yellow path, but also using obvious substandard verification like last 4 ssn!

        • The one way to provision it is to have the customer provide transaction amounts based on information completed by the customer. I’ve heard PNC Bank requires customers to provide several transaction amounts just so they can have Apple Pay included on their card.

    • The American Banker in the Bank Technology section has a couple of articles on Apple Pay. The latest article claims some issuers are finding up to 8% of the Apple Pay transactions are fraudulent. Here’s a link to the latest article.

      http://www.americanbanker.com/syndication/banks-changing-apple-pay-procedures-after-fraud-consultants-say-1073138-1.html

      The earlier article claimed 6% of the Apple Pay transactions were fraudulent.

      http://www.americanbanker.com/news/bank-technology/is-apple-pay-a-fraud-magnet-only-if-banks-drop-the-ball-1073127-1.html

      • Note the headline in the article: “Only if banks drop the ball”. Fraud happens on Apple Pay because banks aren’t doing adequate verification when a card is loaded. That is hardly the fault of Apple Pay.

        • Except that Apple isn’t being transparent with what information the banks need. See the Krebs article.

  4. Interesting article and the subject got some attention at Forbes as well, who doesn’t seem to think its a big deal.

    http://www.forbes.com/sites/paularosenblum/2015/03/04/apple-pay-fraud-overhyped/

    Dumps weren’t a big deal either several years ago.

    • It’s an issue…but one that is easily fixed.

      Banks need to better authenticate their users when they sign up. None of this is Apple’s fault. If you are using credentials that are just as easily stolen (if not easier) as the card information is, then you are obviously not doing enough to ensure these people are who they claim to be when they are being provisioned.

      • “None of this is Apple’s fault.”

        Let’see, from Krebs, citing an Abrahm’s article, in reference to transactions after the initial sign-up:

        “One of the biggest gripes I have heard from issuers is the lack of transparency from Apple (what did they expect?) and the makeshift reporting provided to issuers that is proving to be woefully inadequate,” Abraham wrote.

        Why is everyone so drooling to make sure that nothing is ever Apple’s fault? Apple leveraged hard between merchants and banks in order to launch Apple Pay, and part of that was moving fee structures on transactions so that Apple would get a part, cutting into what banks/Visa/MC get and possibly raising merchant fees, and in the end Apple is not being transparent with the banks. Gee, what’s not Apple’s fault?

  5. Does the fingerprint reader factor into this Identity Proofing issue at all?

    • Not really, since fingerprints aren’t tied to individual credit cards, just the device itself. Fraudsters can use a stolen device with stolen credit card data and their own fingerprints.

    • No, the TouchID information does not figure into this at all. Neither Apple nor the Banks have access to the encrypted TouchID fingerprint information. Another story I read states that this fraud is often perpetrated with either stolen iPhones or iPhones purchased with stolen credit card info.

    • This is a problem with the banks not confirming people properly… not a problem with any of Apple’s hardware or software.

  6. If fraudsters can encode stolen data from dumps onto new plastic cards, why can’t they do the same with data obtained through CVV purchases?

    What information are they missing that keeps them from creating a fake credit card (assuming we’re not discussing chip and pin)?

    • http://en.wikipedia.org/wiki/Card_security_code is probably worth a read.

      * The first code, called CVC1 or CVV1, is encoded on track-2 of the magnetic stripe of the card and used for card present transactions. The purpose of the code is to verify that a payment card is actually in the hand of the merchant. This code is automatically retrieved when the magnetic stripe of a card is swiped on a point-of-sale (card present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid. (See the Skimming section, in the article Credit card fraud.)
      * The second code, and the most cited, is CVV2 or CVC2. This code is often sought by merchants for card not present transactions occurring by mail or fax or over the telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person.[citation needed]
      * Contactless card and chip cards may supply their own codes generated electronically, such as iCVV or Dynamic CVV.

      In short, a big box hack gets you a CVV1 that you can use to encode a magnetic card.
      an online hack gets you a CVV2 that lets you purchase online. OR sign up with Apple Pay.

      once you sign up with Apple Pay, you get to make purchases w/ iCVV.

      Basically, the card companies weren’t entirely stupid when they designed CVV1/CVV2 as distinct things.

      But Apple, and the Banks are apparently pretty clueless wrt how they enabled iCVV.

  7. I’m missing something. Why can’t CVV data also be used to encode a counterfeit card for in-store fraudulent purchases? I would think a CVV is *more* versatile than a dump for a given card number.

    Thanks,

    • Online “CVVs” are just the account number (and possibly cardholder name) and the CVV 3-digit code that is printed on the back of the card – the data that is required to be entered on most e-commerce sites for purchasing merchandise online.

      “Dumps” include the full data encoded on the magnetic stripe of the card – this full data contains more/different information from the CVV and is required to make a clone of the original card in order to use it at brick-and-mortar point of sale.

      The issue here is that a thief can use the CVV data and lax user identification techniques from Apple/the issuing banks to register a credit card account with ApplePay and then use that card at brick and mortar stores without ever requiring a magstripe dump

    • James Harrison

      Stephen–I believe the answer is because the CVV2 code is not stored on the mag stripe–on purpose to ensure all credentials are not compromised. CVV2 is on the card as a way to “authenticate” the owner. Obviously this only works if the CVV2 has not been compromised as well.

      • It has always bothered me that merchants, online or face-to-face, will ask me for the CVV.

        So now they have it … and likely entered it to compare.

        Where is the safety in a 3-4 digit number?

        What am I missing?

        • A face to face merchant is not supposed to ask for/retain CVV2.

          CVV2s are not raised, so a carbon copy of a card won’t retain it.

          http://blog.paylane.com/what-everybody-should-know-about-cvv2/ says:

          … merchants who require the CVV2 for card not present transactions are forbidden in the USA by Visa from storing the security code after the transaction is completed. It means that if somebody unauthorized gets access to the transactions or credit cards numbers database, he won’t find the CVV2 codes there, so the stolen card numbers are less useful. Additionally, the Payment Card Industry Data Security Standard (PCI DSS) also prohibits storage of the card security code. This also applies to anyone who stores, processes or transmits the card holder data.

          So, in theory no one should retain it, but, this doesn’t protect a MITM hacker (which is effectively what attacks against purchase systems [and not databases] is about).

          • A new Walmart location near me requires the CVV2 on all card-present transactions. I’ve also seen this at a local hardware store.

            This is disconcerting to me as it breaks the barrier that is often in place between card present and online transactions, increasing the usability of any stolen data (including my own).

            It’s also very annoying as their setup will only accept a 3 digit code and I primarily use AmEx – which has a 4 digit code.

      • Why do you think the security code is not stored in the magnetic strip?

    • What more data do you need in addition to the PAN and the CVV?
      See the section “Financial Cards” on the Wikipedia page

      http://en.wikipedia.org/wiki/Magnetic_stripe_card

      • Re-read the Wikipedia article (and timeless’ excellent post above, also from that article) for the three different kinds of CVVs. Before Apple Pay, only a CVV1 (magstripe, NOT back of card) could enable big-box fraud; only a CVV2 (back of card, NOT magstripe) could enable online fraud. Now, if the crook can add your card to Apple Pay *BOTH* kinds of fraud can be enabled with a single CVV (usually CVV2).

  8. Why is this only an issue on Apple pay?
    I have google wallet and was able to add cards digitally in the same fashion – no ID/proof required – and make purchases in similar fashion.

    • Perhaps because Apple actually provides a second level of security for use of the card, raising interest in that additional security. In fact, the card as stored in your iPhone is more like a second card linked to your account that can only be used with your fingerprint validated.

      A fraudster can do just fine with stolen credentials/ID; it’s easy to make a fake card and use it “in person” at gas stations or vending machines where you don’t risk face-to-face recognition. Putting stolen credentials into an Apple Pay card lets you use it anonymously more widely. But again, only if a thief has card info that hasn’t been reported stolen; it’d seem EXTREMELY risky to use stolen info and then receive a package that was charged fraudulently.

    • It is… and Google Wallet fraud has occurred…

      It just did not have nearly the widespread acceptance as Apple Pay already has.

  9. It seems to me the best way to combat this is for Apple to simply brick any iPhone that is used with a compromised card number, driving the cost of using a CVV up by a few hundred $ at least…
    This could even be why so much of the fraud was in Apple stores; fraudsters stocking up on devices that they could use later?

  10. It should be noted that Apple does offer a number of verification mechanisms for provisioning new cards in Apple Pay. For example, banks can send a verification code to a known mobile number or email address of the customer, or require the user to log in to an app using their online banking password. If banks don’t use the provided methods, that’s purely their own fault.

    See page 25, “Additional verification” in this document for more details:

    https://www.apple.com/br/privacy/docs/iOS_Security_Guide_Oct_2014.pdf

    • > For example, banks can send a verification code to a known mobile number or email address of the customer, or require the user to log in to an app using their online banking password.

      My banks used the known email and mobile number when verifying my cards that I loaded. Not 100% foolproof, but it adds a huge barrier for the thieves.

  11. I wonder if anyone was using their new Turbo Tax refund prepaid visa card at the apple store hahaha.

    And similar to the Intuit issue, it sounds to me like another area for more regulation. This is on the banks and regulators, not Apple.

    Competitors focusing on apple, or those who dont’ like them (me included) wanting to cost them money to teach them a lesson, is not going to lessen credit card fraud.

  12. fwiw, American Express cards have their CVV on the front…

  13. So, where is the weak spot here? If ApplePay validates the card with the issuing bank, and it is valid, it stores the token on the phone. What if the card number becomes invalid later?

    Or is the weak spot the above along with a compromised iTunes account? Do both of these need to be leveraged?

    Also, the bank can issue a text as an additional security measure if they think the transaction is fraud, which adds a bit of security over the card, right?

    • The weak spot is that banks don’t do a particularly good job of validating the card information that Apple offers.

      It’s also questionable that they *can* do a good job of validating it.

      Probably, what they should do is force a 2FA check (e.g. a Voice call to the phone of record asking for confirmation of the activation).

      • They can and some do validate that the card is entered by the owner. For example, Wells Fargo requires the user to enter their banking password into a special “Wells Fargo Verify” app before the card can be used in Apple Pay. To add my Bank of America card, I had to enter a verification code that they texted to my mobile number that they had on file. Other banks, like Chase, are laxer and only rely on the information initially supplied by Apple Pay (like the phone number of the Apple Pay device and the geographic location).

        • Thanks, but that sounds like Wells Fargo is one of the few good exceptions…

          • … and that this is actually problem with the banks, not with ApplePay

          • I wouldn’t credit Wells Fargo too much. Of the banks I’ve checked, their account login is the most easily compromised. They go so far as to not only allow on-page password changes (no email link etc.) but will also display user names on page if you ‘forgot’, all with easily obtained details.

  14. “…deliciously ironic, as noted in Cherian Abraham‘s insightful column at Droplabs, is how much of the fraud stemming from crooks signing up stolen credit cards with Apple Pay was tied to purchases of high-dollar Apple products at Apple’s own brick-and-mortar stores!”

    It’d be MORE deliciously ironic if it weren’t so obviously BS trolling.

    Krebs ought to be smart enough to know that the fraudsters themselves would be the ONLY possible source for data on this. If Abraham is actually in touch with these “fraudsters,” he could and should be subpoenaed. Except that it’d be such a waste of time to make this weasel look any more important than he is.

    Oh, there’s Apple’s retail fraud team. Some blogger who’s just seen his wannabe competitive product go down the shooter, is perhaps the VERY LAST PERSON who would be able to get that data. Scratch that avenue.

    The likelihood that Abraham has done anything than make up a badmouth story about a system he hoped to compete with, is near zero. But you don’t have to make an ad hom attack on his credibility to say that neither Occam’s Razor, nor Sagan’s “exceptional claims” Rule have been ignored in Krebs’s glee in spreading this FUD. Where is your sense of responsibility?

    Meanwhile, the amount of fraud as reported in the WSJ and others appears more like 0.01% of signups that were fraudulent. That number may even reflect a lower cost than normally happens when fraudsters have such complete control over stolen credentials. Nowhere close to the 6% that Abraham claimed with zero evidence.

    Krebs itself has been p0wned by biting on this fanciful piece of fiction. You owe your readers an apology for (1) not doing the least bit of fact-checking on actual fraud levels tied to Apple Pay signups, and also from obscuring the incidence of that fraud.

    • Yeah, It seems a bit odd that Brian is dedicating 5 paragraphs to someone involved in a competing platform ( 1 1/2 if you include ModoPayments – I’m not sure I fully understand what it is)

      “Board of Advisors at SimplyTapp – creators of Host Card Emulation & a LightSpeed Ventures Co, delivering HCE enabled mobile payment distribution & authorization solutions for enterprises”

      http://www.droplabs.co/?page_id=2

      At least amend the article and make that clear.

      • That “delicious” part, and the promulgation of this story struck me as unseemly as well. Old resentments die hard I guess.

  15. FWIW, I tried calling a US bank and asking how to block this (others, please do the same). They were not helpful.

    I’ll have to walk into a brick and mortar store (yes, my bank calls its physical locations stores) and complain in person.

    I wonder if I should donate my copy of Spam Nation to the bank (I haven’t read it yet, it’s waiting for me) — I guess I’d need to print out the NYT bestseller list in order for the bank to understand why it’s important….

  16. Since newer iPhones (and Androids) now have built-in NFC & most credit cards (well, outside the US at least) have NFC/PayWave chips built in, wouldn’t it be possible to use this to verify the physical presence of the card when adding it? (i.e. enter the card details in & then tap the card against your phone to verify you have it?)

    Also I would think a periodic tap of the card against the phone to verify you still have it would also help. E.g. once a month you have 7 days to tap the card against your phone to prove you still have it.

    Just a thought.

    • Very good question.

      http://www.businessnewsdaily.com/4457-mobile-payment-solutions.html

      Lists a number of ways to receive payments.

      One thing to remember about NFC (and Bluetooth, and IrDA) is that it involves profiles; a system (typically at the hardware or OS level) needs to support it.

      Apple specifically locks the NFC API for iOS to prevent other applications from performing NFC payments.

      My guess is that either phone hardware doesn’t support some portion of NFC payment reception, or the complexity / liability is sufficiently high that everyone intentionally blocks it.

      While it would be cool to tap a pair of phones together to trade cash, it’s a scary nightmare for a phone in the hands of a pickpocket to be able to wipe out a whole bunch of prepaid cards.

      • @timeless, the most likely reason Apple locks down NFC is to ensure that rogue apps can’t misdirect charges to other, unapproved accounts, etc.

        Apple stands to get a rather small percent increase in its revenue from Apple Pay; however, if it can establish its brand as THE way to securely transact—better than existing cards as Brian notes—then they’ll sell a lot of phones. That’d all go into the shooter if on-the-fence, would-be users see reports of fraud that are actually weaknesses in the Apple security.

        Right now, the issue seems exclusively that one Mr. Abraham, who has been promoting a competitive system, has claimed that Apple didn’t provide banks enough time to hone their signup procedures, so some are seeing high levels of fraud. Bankers are taking note, and are concerned that (a) THEIR institution might be next, or (b) all the benefits they see will be blown away because consumers get confused by all the FUD about fraud.

        Probably, the former is something they feel they can control — it’s what they do for a living, after all. The latter, all sorts of sloppy and incomplete reporting can trash, in a way that might see banks stuck with unhappy users, more people such as those who comment here about how they are happy to get cash from a teller so they’re not at risk. From banks’ perspective, that’d be a terrible setback.

  17. I am stopping by the bank tomorrow to get my usual cash withdrawal. I use the plastic only when I have to or want to. Feel a lot better too!

  18. Hrrmm.. how about requiring supporting banks to integrate Apple Pay provisioning with their existing online banking systems?

    If someone’s online banking has been compromised, then Apple Pay or not, the person’s account is toast.

  19. Great article on Apple Pay. Seems as safe/stable as any version 1.0 code that goes live.

    Where do you see the next attack vector?

  20. I love Apple Pay and have used it extensively for the majority of my purchases. The Post Provisioning tech is incredibly secure and I have full trust in it. DAN, tokenization, etc.

    Although the 6% at an unnamed bank is unverifiable, the best real data point I have seen is from PNC: 35 out of thousands. And I believe banks are recognizing the problem and getting better. That was certainly the case with the latest card I entered from a new Apple Pay bank.

    However, I think Apple should work with the banks to get the provisioning right. Apple could do some white hat hacking on its accounts to find which ones might be vulnerable with weak passwords and send/flag those to the more difficult Yellow Path for provisioning.

    Apple should also indicate on their website that provisioning is up to your bank’s procedures. Yes the transactions are super simple but provisioning shouldn’t be. It needlessly besmirches the reputation of the whole system.

    Banks have phone numbers, home addresses, etc. There is an intersection of information that could be used. Also banks can issue new cards. They need to do so for Chip and Pin anyway.

    In the US, as consumers we have been wrapped around a security blanket of Anti-Fraud protection (we actually pay for it but not directly). Apple Pay on the transaction side is preventing new compromises at retail and in app but we still have a lot of compromised cards from online and Big Box fraud.

    • Chip and signature, SIGNATURE!!! :) The US EMV system (for now) is going to be chip and sig not chip and PIN. Significantly less secure, and oft confused.

  21. I thought this article last week was just as enlightening. It’s another social engineering function working against the good.

    Criminals target the weakest link in the Apple Pay chain
    CSO | Mar 2, 2015 2:45 PM PT

    http://www.csoonline.com/article/2891673/loss-prevention/crooks-targeting-call-centers-to-further-apple-pay-fraud.html

    • Yes, it’s another report… that simply repeats the same source. This whole flood of claims of “yellow path” fraud (where Apple can’t be sure if the account is good and hands it to the bank to validate the card) comes from the same source.

      I’ve read maybe 10 articles. They ALL come from the same source, who has not publicly disclosed any verifiable information about the extent of the fraud (although the post above noted a rate that works out to about 0.01% of cards at one bank, a figure I’ve heard similar at another big institution).

      Rewrites of the same source, with no skepticism or attempts to find independent verification, are more a red flag than a confirmation.

      • The point of showing this article was the social engineering factor behind the fraud. Fraud is fraud – no matter what the Nth percentages equate to. It proves that, should the article be accurate, the system in place does not follow standard policies and protocols at the moment. It more than likely will happen to others as well as they start up the same scheme.

        Articles, generally, are propaganda information. There are a few sources that take the time to research the data, but not many.
        (Yes Brian, you’re on the good list IMHO). Overall, generic news articles aren’t the best place to derive accurate results on fraud. Go to a source that tracks this type of fraud and it may well open your eyes. Crooks go to a source where many fish can be caught. Once the corporation irons out its process and the crooks cannot utilize that scheme anymore, their tactics will change. It’s going to be another bleed-it-until-it-bleeds-no-more act. Stereotypically, if there is more of a profit margin than loss, it’s considered a “win” for the business.

  22. The use of CVVs is rather common fraud. I’ve heard one employee where I used to work got a call from a fraudster (claiming they were a bank) who asked her for her CVV, and she confirmed it. That person found it odd, called the bank on it and noticed a charge had been initiated. Noticed that the cc# was not divulged simply because they already had it to begin with.

  23. “…much of the fraud stemming from crooks signing up stolen credit cards with Apple Pay was tied to purchases of high-dollar Apple products at Apple’s own brick-and-mortar stores!”

    Nelson Muntz says: “HAA-ha!”

  24. Have the banks get a fingerprint of their users and have Apple verify it. Or just verify it by having the bank contact their customer in some manner. Problem solved. Seems like the banks are not implementing standards, color me surprised.

  25. DYNAMIC UPDATE OF VICTIM’S -REPLACEMENT- CARD TO THE BADDIES’ APPLE PAY
    I got a TEXT when they used my credit card via Apple Pay at an Apple Store NEAR ME.
    When I had my card immediately shut down, my bank reissued me a new card, and that card number DYNAMICALLY UPDATED in the baddies’ Apple Pay. They then made a new purchase at another Apple Store a little further away from me.

  26. Excellent article and well-written! And the comments, too, are very informative. Former federal bank regulator here (right now, an independent researcher and a grad student). My two cents – even when these fraudsters exploit the new Apple Pay or Google Wallet-like e-payment system, consumers will not lose any money under the federal regulation (Electronic Fund Transfer Act implementing regulation – Regulation E). If there is an unauthorized transaction on your account, just tell your credit issuer or your bank about the transaction and you will get your money back – the law places the burden of proof and the responsibility to investigate these fraudulent activities on the banks, which ultimately leaves the bank paying out of its own pocket (banks rarely catch crooks, especially the ones who know how to stay anonymous by using VPN, proxy, etc.). But this is no news to anyone here, I suppose.

    The industry will continue to innovate and try to make the most out of new technologies. Problem is that the supervising government entities, all of which should educate themselves and try to stay ahead of the curve, remain oblivious to the outside world. At least in the financial sector. When I was working for the government, I got laughed at when I tried to explain potential systemic weakness with the overall concept of “mobile banking” back in 2010 and the concept behind “bitcoin”. I wasn’t calling for more bureaucracy but rather to have my colleagues stay current with the real world and be prepared to provide guidance to FIs that we regulated.

    Try asking some basic questions about current financial instruments and I guarantee you that you won’t find more than a dozen individuals who can at least come off sounding as if they know what they are talking about. Consumers won’t be harmed as long as they know the simple procedure of reporting any suspicious activities to their banks (and there is no statute of limitation on unauthorized electronic-related transactions). Banks have been and will continue to get hammered by hackers and scammers alike. And chances are that government won’t be able to be there to help when needed. Just my thoughts based on my frustrating years at the government during the late financial crisis and onward.

  27. If the phone app allows a thief to load credit card data, then it would seem reasonable to tie the phone’s IMEI number to the iTunes account and credit card number, allowing only one card number per phone. The app could verify the IMEI of the phone. It could also check location data when the cc is registered with the app to verify that the user’s address matches the billing address of the card. Neither step would stop fraud; the point is to reduce it significantly. What do you think?

  28. I work for a large card issuing bank. The industry has made several attempts over the past two decades to migrate from mag-stripe to an alternative. Apple’s solution leverages the new EMV Tokenization specification and provides a highly secure means of payment.

    Like so many other technologies, it is speed to market and adoption of that technology that provide the opportunity to take and perhaps hold a lead position. Google had their NFC solution in market for several years prior to Apple’s announcement. It was, however, clunky, and consumers needed to complete numerous steps not only to load the card, but to use the card. Apple was able to introduce a design that allowed them to initiate an estimated 100 million cards they had on file for iTunes almost immediately.

    The proposition to the banks was, X Bank has signed a deal to put their card on our phone for use at over 200k terminals in use today and an estimated 2 to 3 million more that were NFC capable, but needed to be turned on at various merchants.

    A target date for the launch of the iPhone 6 had been set and one large value proposition was going to be Apple Pay. That left the banks very little time to build and integrate the technology. Risk areas of each of the banks attempted in vain to work with Apple on gaining deeper insights into the accounts and devices that were requesting to be enabled for Apple Pay.

    This is a classic “First to Market” scenario. So the pressure is on to get the product in place and begin acclimating the consumer to use their phone to pay. The gap is “whose phone?”

    Banks had many of the existing mobile phone numbers on file and many did not. Apple simply provided a “Street Light” model of Red, Yellow, Green. Red meaning they recommended to the bank not to issue a token, Yellow meant proceed with caution and Green meant they recommended to move forward.

    No precise data was supplied to banks. General rules and guidance were provided, but the onus was on the bank to calculate the risk. Apple was not very interested in sharing detailed data relative to the phone or the iTunes accounts.

    Stories are saying banks were given the geolocation. The geo provided was a value with a radius of over 50 miles. In large cities this information is entirely worthless. Sort of like saying the request is coming from the state of New York. Decide if it’s a risk. Ok?

    Most banks have or are implementing out-of-band verification requiring consumers to respond to a code sent to a trusted phone they have on file. If the device is not trusted no token will be activated.

    Banks are also working to build (without support from Apple) a consortium with the mobile carriers to gain better clarity of the smartphone’s provenance. Is it a pre-paid phone (favored by criminals) or a traditional phone with an extended contract? Does the record of ownership match the ownership on the card, etc.?

    As we move away from the 4 analog “c’s” of payments (coins, cash, checks and cards), solutions will continue to evolve. There are substantial savings for all when this occurs.

    Lastly, it should be pointed out that the entirety of all the fraud generated from Apple Pay in the past 4 months, would equal roughly two days of losses from credit and debit counterfeit cards. This is still a much safer and more secure mode to pay.

    • @TKOFraud wrote, “A target date for the launch of the iPhone 6 had been set and one large value proposition was going to be Apple Pay. That left the banks very little time to build and integrate the technology.”

      A contact has written me with info saying that banks have been working on what was originally an anonymous capability, for well more than a year.

      Whether that is “very little time” to set up security or not, it is hardly “internet time” compression of what financial institutions expect for an extension of an existing product. I suppose it’s possible that two-bit shops were caught somewhat flat-footed by all the ways that fraudsters might attack their implementations of a more secure system, but it’s also true that very similar attack vectors already existed for theft of cards sent in the mail, etc.

      In any case, it’s obvious that implementation had to have been undertaken well before Apple announced its launch partners, who had to have expressed their own desire for when the launch should take place, for maximum PR impact.
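The Red/Yellow/Green “street light” triage and the out-of-band code step that TKOFraud describes in comment 28, sketched as an added illustration from the issuer’s side. This is not Apple’s or any bank’s actual logic; every field name, threshold and sample account below is assumed or constructed.

```python
"""Provisioning triage modelled on the Red/Yellow/Green "street light" path and
the out-of-band code check described in comment 28. Added illustration only, not
Apple's or any issuer's real logic; all fields, thresholds and samples are assumed."""
import hmac
import math
import secrets
from dataclasses import dataclass

EARTH_RADIUS_MILES = 3959.0

@dataclass
class ProvisionRequest:
    wallet_signal: str        # coarse "red" / "yellow" / "green" from the wallet provider
    card_on_file_days: int    # how long the card has been on the wallet account
    device_phone: str         # number the device reports (requester-controlled)
    device_lat: float         # centre of the ~50-mile geo circle the comment mentions
    device_lon: float

@dataclass
class IssuerRecord:
    trusted_phone: str        # number the bank already holds for the cardholder
    billing_lat: float
    billing_lon: float

def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))

def decide_path(req, rec, geo_radius_miles=50.0):
    """Return 'green', 'yellow' or 'red'. The issuer owns the decision; the
    wallet's colour is one input, never the answer."""
    if req.wallet_signal == "red":
        return "red"
    phone_match = req.device_phone == rec.trusted_phone
    distance = haversine_miles(req.device_lat, req.device_lon,
                               rec.billing_lat, rec.billing_lon)
    # A 50-mile circle covers a whole metro area, so being inside it proves
    # little; being well outside it is the only geo signal worth acting on.
    if req.wallet_signal == "green" and phone_match and req.card_on_file_days >= 365:
        return "green"
    if distance > geo_radius_miles and not phone_match:
        return "red"
    return "yellow"

def issue_yellow_path_code():
    """Six-digit code for the out-of-band step. It goes to the trusted phone
    on file, never to the number the device supplied."""
    return f"{secrets.randbelow(10**6):06d}"

def verify_code(expected, supplied):
    return hmac.compare_digest(expected, supplied)
```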

  29. I’d like to start by saying thanks for writing “are data” since data is the plural of datum.

  30. Hi all,

    While you all debate bank vs. Apple … Google is buying Softcard, and Google Wallet is going to make a major push back into the market. The fight is on. And I can’t wait for the reports to come out (-:

    For those of you not familiar with who Softcard is/was, they were formerly ISIS and had to change their name for obvious reasons. They are the ones developed by the retailers who shut down Apple Pay just after it launched last year. Like CVS and, I think, Walmart, who had contracts that prevented them from using or accepting a competing pay system. It will be interesting to see if Google does a better job of validation with the banks.