Free Republic
General/Chat

Unable to target Apple Pay, criminals unsurprisingly stick to bank fraud, identity theft
iMore ^ | March 3, 2015 | By Rene Ritchie

Posted on 03/04/2015 6:50:47 PM PST by Swordmaker

Apple Pay is so secure criminals so far have only been able to take advantage of it by taking advantage of the banks behind it.

Sadly, identity theft and credit card fraud are nothing new. While Apple Pay does an enormous amount to secure the transaction process itself — merchants are given a one-time number instead of the card number to prevent exposure in the case of a data breach, for example — securing the banking process against basic social engineering attacks is something else entirely. When reached for comment, Apple told me:

"Apple Pay is designed to be extremely secure and protect a user's personal information," an Apple spokesperson told iMore. "During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank."

Apple provided the same comment to The Guardian following an article which reported:

Criminals in the US are using the new Apple Pay mobile payment system to buy high-value goods – often from Apple Stores – with stolen identities and credit card details.

Banks have been caught by surprise by the level of fraud, and the Guardian understands that some are scrambling to ensure that better verification and checking systems are put in place to prevent the problem running out of control, with around two million Americans already using the system.

There's absolutely no way banks have been "caught by surprise" by any of this, though. Not unless they thought Apple Pay was "elfin magic", and even then that would speak to far greater problems in the banking industry than with Apple Pay. These are the same old social engineering attacks being used in the same old way.

It's absolutely a problem for banks and retailers and for people whose identities are stolen, but there's nothing to indicate it has anything to do with Apple Pay specifically. Furthermore, no one should be alarmed about Apple Pay in this context. Just the opposite — Apple Pay appears to be so secure the only thing criminals can do is try and trick the banks at the other end of the chain.

What's more, Apple does a lot to help banks avoid approving illegitimate cards. Apple securely transmits encrypted iTunes account information from the iPhone to the bank. That includes the device name, phone number, last four digits of the card, etc.

Using that information, banks can determine whether or not they'll authorize the card for Apple Pay. Banks can also choose to require a text message, email, customer service call, etc. before authorizing. All of this is publicly detailed in Apple's iOS Security Guide.

Banks are responsible for determining the appropriate balance of convenience and security for their customers. The goal is to keep fraud at an acceptable level while ensuring customers aren't inconvenienced by jumping through a bunch of hoops to use a credit card. If the amount of fraudulent card activation occurring with the banks' current authorization mechanisms is too great, they will correct this by adding additional steps to the manual authorization process when customers call into the bank.

As long as banks and retailers understand and implement the system and safeguards provided, there shouldn't be a problem. The Guardian, to its credit, points this out:

US banks are using a "green path" for cards they approve straight away on such data, and a "yellow path" for cards requiring more checks. But some banks have made the task too simple by asking callers to verify their identity with the last four digits of their social security number (SSN).

Though meant to be secret, SSNs are commonly stolen in identity theft, and on average 11.5 million Americans are victims of identity fraud annually, according to US data, with the average incident costing $4,930. In 2013 total losses from ID fraud in the US totalled $24.7bn. Nearly two-thirds of cases involve credit card details.

The paper cites a Drop Labs post on "green" vs. "yellow" path which also includes the following:

Though what follows was written in the context of Apple Pay, much of it translates to any other competitor – irrespective of origin, scale, intent, or patron saint.

Again, this has nothing to do with Apple Pay. Hopefully the banks targeted, however, will figure out how to better make the call on who and how they authorize cards.


TOPICS: Business/Economy; Computers/Internet; Conspiracy

1 posted on 03/04/2015 6:50:47 PM PST by Swordmaker

To: ~Kim4VRWC's~; 1234; Abundy; Action-America; acoulterfan; AFreeBird; Airwinger; Aliska; altair; ...
The low down on the ApplePay "fraud". It really is not ApplePay fraud, it is Identity theft using the most efficient means to steal securely. ApplePay itself has not been compromised. — PING!


ApplePay Fraud? Nope, Identity Theft! Ping!

If you want on or off the Mac Ping List, Freepmail me.

2 posted on 03/04/2015 6:55:36 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

ROTFLOL!

WSJ reported just yesterday that Apple Pay has 60 times the rate of fraud as regular credit card swiping because crooks have found ways to exploit the vulnerabilities of Apple Pay:

“Some banks are seeing a growing incidence of fraud on Apple’s mobile-payment service as criminals exploit vulnerabilities in the verification process of adding a credit card, according to people familiar with the matter.

Banks are tightening the verification process in an attempt to curb the fraud, these people said, declining to be identified citing a confidentiality agreement with Apple.

The fraud issue was brought to light by Cherian Abraham, a payment expert who works with banks and retailers on mobile-payment strategies, in a blog post in late February. He said fraud “is growing like a weed, and the bank is unable to tell friend from foe.”

Abraham said it’s not “an anomaly” to see fraud accounting for about 6% of Apple Pay transactions, compared to about 0.1% of transactions using a plastic card to swipe. He noted that fraud rates vary by issuing bank.”

http://blogs.wsj.com/digits/2015/03/03/fraud-comes-to-apple-pay/


3 posted on 03/04/2015 8:58:24 PM PST by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)

To: Swordmaker

Where are the APPLE-HATER TROLLS blaming Apple-Pay for this terrible breach of Apple’s system of payment?! ... LOL ...

OH ... WAIT A MINUTE ... they have arrived already! ... :-) ...


4 posted on 03/04/2015 9:00:08 PM PST by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)

To: catnipman

LOL ... you’re the hilarious one here!

Quoting ... “... criminals exploit vulnerabilities in the verification process of adding a credit card, according to people familiar with the matter.”

— — —

AND DOES APPLE PAY verify the card when adding it?! NO ... not at all ... the BANK DOES THAT! ... LOL ...

You should be reporting that the BANK GOOFS UP when verifying cards, and allows STOLEN INFORMATION from compromised credit cards to be used to make purchases! STUPID BANK is about all you can say about that!


5 posted on 03/04/2015 9:05:08 PM PST by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)

To: Star Traveler

It’s real simple:

1. Ordinary credit card swiping is .1% fraud.

2. Apple Pay is 6% fraud.

It really doesn’t matter what part of the Apple Pay system is flawed or why. Bottom line, Apple Pay has 60 times more fraud than ordinary credit card swiping. It’s a fact.

And that’s from the Wall Street Journal, not me. So go argue with the WSJ, not me.


6 posted on 03/04/2015 9:46:08 PM PST by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)

To: catnipman

The problem with that is it’s not an Apple Pay problem ... it’s a few banks who are the problem ... BUT I’ll guarantee you ... this will cause these banks, who have failed in their own security, to solve their problem immediately ... AND “Apple Pay” will do ABSOLUTELY NOTHING ABOUT IT ... since it’s not something they have a thing to do about it!


7 posted on 03/04/2015 9:50:40 PM PST by Star Traveler (Remember to keep the Messiah of Israel in the One-World Government that we look forward to coming)

To: catnipman
“Some banks are seeing a growing incidence of fraud on Apple’s mobile-payment service as criminals exploit vulnerabilities in the verification process of adding a credit card, according to people familiar with the matter.

Did you bother to read the article above before you posted your negative FUD? I thought not.

Apple requires banks to use the YELLOW path for card verification. . . but you, as usual, ignore the facts to get in your snide hits:

US banks are using a "green path" for cards they approve straight away on such data, and a "yellow path" for cards requiring more checks. But some banks have made the task too simple by asking callers to verify their identity with the last four digits of their social security number (SSN).

Though meant to be secret, SSNs are commonly stolen in identity theft, and on average 11.5 million Americans are victims of identity fraud annually, according to US data, with the average incident costing $4,930. In 2013 total losses from ID fraud in the US totalled $24.7bn. Nearly two-thirds of cases involve credit card details.

My banks call ME on a phone number I have on file with them when I added my cards. . . or use two-factor ratification of the cards I added to ApplePay. The banks that are having difficulty are those who are using the "Green Path" and willy-nilly approving cards. You can bet the fraudsters know which banks are doing it.

The statement Abraham made was NOT that all banks were experiencing 60 times the rate but that SOME were experiencing up to 60 times their normal rate. In addition, it is not a problem with ApplePay but with any such program because it is identity theft. ApplePay itself is still completely secure.

Even your citation from the WSJ was quoted as saying "some banks" because it is a BANK CENTRIC problem. Blame the banks, not Apple. Sorry, your negative FUD fest just doesn't hold up to scrutiny.

8 posted on 03/04/2015 9:51:30 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: catnipman; Star Traveler
I'll see your WSJ article and raise you a Forbes Magazine rebuttal article, which I quoted in another thread over here:

My Reply #32 including "Why The Dangers Of Apple Pay Fraud Are Overhyped"— by Paula Rosenblum — Forbes Magazine, March 4, 2015

9 posted on 03/04/2015 10:00:22 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

BTTT ...


10 posted on 03/05/2015 5:12:17 AM PST by Squantos ( Be polite, be professional, but have a plan to kill everyone you meet ...)

To: Swordmaker

Gosh, you Apple-Can-Do-No-Wrong-Fan-Bois are funny!


11 posted on 03/05/2015 7:03:02 AM PST by catnipman (Cat Nipman: Vote Republican in 2012 and only be called racist one more time!)

To: catnipman
Gosh, you Apple-Can-Do-No-Wrong-Fan-Bois are funny!

Exactly what is funny about providing links to ACCURATE published information instead of your FUD spin?

The fact is that it is the banks who are at fault in this, not Apple, who told the issuing banks a month before the ApplePay roll-out that the only weak spot in ApplePay is at the credit-card sign-up validation which was the issuing bank's responsibility and that the very minimum required security is what is called the "Yellow Path," which requires that the card's issuing bank contact the owner of the card and confirm they are indeed intending to install their card in ApplePay on their personal iPhone.

Abraham noted this form of fraud in his January 5, 2015 blog, and over 500 additional banks have signed up since then. It is not that big a threat in the overall scheme of things, nor is it hard to overcome. It is, however, the banks' problem to solve by following the Yellow Path in validating that their own cards are still actually in the control of their customers before allowing them to be placed on any device. This problem is NOT caused by or within Apple's control.

12 posted on 03/05/2015 9:55:14 AM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: catnipman
Gosh, you Apple-Can-Do-No-Wrong-Fan-Bois are funny!

You anti-Apple troll bois, who believe that Apple-can-do-nothing-right are pathetic. Parasitic thread trolls.

13 posted on 03/05/2015 9:57:35 AM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)

To: Swordmaker

I’m trying to sort through all of this in my mind...

I have not tried to set up Apple Pay yet on my iPhone, but from what I gather, it is in a way similar to PayPal... you register your account(s) with Apple Pay, then use Apple Pay in place of swiping your card at a retailer (?)...

So this “security issue” is much as if someone opened a fraudulent PayPal account, signed up a stolen credit card, then used it until caught...? Would that be PayPal’s fault, or the bank that issued the card/account being used fraudulently?

I’m trying to figure out how Apple is the responsible party... by any view. Does Apple Pay offer an easy vector for this kind of theft/fraud? Maybe I just need to dig into how Apple Pay works and see if that explains it to me.


14 posted on 03/05/2015 12:59:44 PM PST by TheBattman (Isn't the lesser evil... still evil?)

To: catnipman

Except that verification of added accounts to Apple Pay is NOT Apple’s responsibility, it is the issuing banks who verify. Apple transmits the data the financial institution requests for verification. Thieves are not “exploiting a weakness” in Apple’s system, it is the failure of issuing banks to actually VERIFY where their accounts are being linked.


15 posted on 03/05/2015 1:04:00 PM PST by TheBattman (Isn't the lesser evil... still evil?)

To: TheBattman
So this “security issue” is much as if someone opened a fraudulent PayPal account, signed up a stolen credit card, then used it until caught...? Would that be PayPal’s fault, or the bank that issued the card/account being used fraudulently?

Pretty much, except the issuing bank is supposed to contact the card holder to confirm the set up on the iPhone is a legitimate action by the cardholder and intentional and they are aware it's being done. Some banks in the interests of expediency skipped that step, going with the "Green Path" and just approved the card being OK based on the fact they input the CCV number on the back of the card.

16 posted on 03/05/2015 1:25:52 PM PST by Swordmaker (This tag line is a Microsoft insult free zone... but if the insults to Mac users continue...)
