ApplePay Fraud blame Ping!
If you want on or off the Mac Ping List, Freepmail me.
Posted on 03/17/2015 2:00:55 PM PDT by Zhang Fei
A raft of headlines over the last week about unusually high fraud rates from thieves using stolen credit numbers on Apple Pay has exposed what many of the banks privately acknowledge they have been trying to fix for months.
An industry consultant, Cherian Abraham, put the fraud rate at 6 percent, compared with a traditional credit card fraud rate that is relatively minuscule, 10 cents for every $100 spent. Mr. Abraham wrote in a blog post, one of the first to spotlight the issue, that the Apple Pay fraud “is growing like a weed, and the bank is unable to tell friend from foe. No one is bold enough to call the emperor naked.”
(Excerpt) Read more at nytimes.com ...
TL;DR - banks are so eager to get card users onto Apple Pay that they’re failing to completely confirm that the card owner is the Apple Pay user, often routing problems to customer support (instead of fraud prevention) where crooks can talk their way into getting a card confirmed.
Takeaway - there’s nothing wrong with what Apple is doing with Pay, it’s the banks willing to risk increased fraud just to get more customers on board with Pay.
Of course, “it’s Apple’s fault!”-implying headlines are better clickbait.
From the comments section:
“Secondly, I believe this the majority of fraud has to be caused by one or two “weak link” banks on the network. When I activated my Chase card, I received a text message and had to enter a code to allow the card to be set up. With American Express, I immediately received an email stating my charge card had been added. For Citibank, I received nothing...”
Apple ... wanted to make the sign-up process “frictionless,” the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early.”
Oops.
Consumers are at no risk. Credit card consumers are not responsible for fraudulent transactions. So users of Apple Pay can quit worrying.
Secondly, yes, the credit card companies/banks are rushing into this Apple Pay thing as they don't want to miss the boat. But they bear the responsibility to validate the users and as a result of the fraudulent transactions, you can bet they are putting in some fail-safes to better validate the Apple Pay users. After all, THEY are the ones who pay the cost of fraud.
Apple Pay consumers need not worry. Install the app and charge away!
“After all, THEY are the ones who pay the cost of fraud.”
ROTFLOL!
You think the credit card companies have magic pools of money to pay for fraud? Credit card users ALWAYS end up bearing the cost of fraud through higher interest rates and fees since that’s the sole source of funds for the credit card companies.
“It’s the most secure thing. You aren’t the product. Go ahead. Bulletproof. Even God can’t sink Apple Pay.”
Corrupt a$$holes.
BTW, Credit card companies earn money through merchant fees - the transaction fee that retailers pay. It is true that consumers provide additional "profit centers" to credit card companies by rolling over their balances and other transactions such as "cash withdrawal" (which is basically a loan). But the savvy consumer will pay his balance down each month.
“Credit card companies earn money through merchant fees - the transaction fee that retailers pay.”
And guess who ultimately pays those merchant fees? Not the merchants! Nope, those fees get paid for by the credit card users too in terms of higher prices. And when merchant fees go up to help pay for fraud, then the credit card users pay on that end too.
If you want on or off the Mac Ping List, Freepmail me.
No, you're wrong. Apple required the banks to take the "Yellow" road or above in validating cards put into ApplePay. That means doing more than just accepting willy-nilly that the card belonged to the user. . . and at the least contacting CARD OWNER directly to assure that they were intending to put their card into an ApplePay device. Basically a two-factor authentication.
Many banks decided that instead of "bothering" their card holders, they'd go the "Green" road. . . and just accept that it was OK. THERE is where the grand is occurring.
Apple did provide the banks with data. . . but the BANKS HAD the addresses and phone numbers of the card holders. THEY WERE THE ISSUING BANKS, not Apple. Apple would not have that data for the card holder. Apple DID provide the means of contacting the iPhone holder by iPhone number. . . but that was NOT the way they were supposed to confirm ownership of the card. The bank was supposed to contact the owner of the card through THEIR contact information. Anything supplied through the sign-up process by its very nature would be suspect. . . anything provided in sign-up might come from the fraudster. The issuing bank has the phone number of the card owner and their email and, according to the Yellow Road, is supposed to use that information they already have to affirm the sign up.
And don’t forget the cash paying customers also pay those higher prices thereby subsidizing the credit card users.
ApplePay has not been compromised. The BANKS have been compromised by not following the rules of authentication. This would happen on any secure pay system where the bank does not confirm that it is the OWNER of the card that is installing the card into the device. If they do not do their job, the system's security will fail even when the device itself is un-hackable and secure from theft and the transactions are also secure from theft and unbreakable.
That is what has happened here. It is social engineering at its worse. . . and stupidity on parade from people who should have known better.
You aren’t the product.
That still applies. No private customer data is transferred to anyone. So what is your beef? What are YOU complaining about? To use Google Wallet, they required your Social Security Number and your mother's maiden name and other personal information. . . and they got between you and your card issuing bank, operating as a credit card clearing house, charging the merchant much higher rates than did the merchant's own credit card clearing service charged. . . and keeping records of your purchases, of what, where, and when you purchased them. ApplePay does none of those things.
Corrupt a$$holes.
Demonstrate where Apple failed in this problem. Everyone who has looked at it has found the problem is at the card issuing bank end, not with Apple. The only ones trying to blame Apple claim that Apple didn't stress strongly enough that the banks should use the "Yellow Road". . . but how strongly is strong enough? It's in all their contracts with the banks who signed up. . . all 3000 plus. Apple cannot go into the banks' operations and FORCE them to do it right.
Apple, nor anyone else, said Pay was perfectly secure.
Funny thing is, nothing about it has been shown insecure insofar as Apple is involved. Like the article made clear: it was the banks that were authorizing card use without confirming the owner/user. Chase did it right: they sent a text to a known phone number of the account holder and required the provided code be answered back, confirming the card actually was with the holder. Other banks, however, just went ahead and linked the card without checking - akin to handing someone an unsigned credit card, telling them to sign the name on the card onto the back, then “confirming” it by checking that it has indeed been signed with the name on the front.
The banks (well, some of them) were corrupt a$$holes. Apple wasn’t; for those cards which were confirmed properly, no fraud has followed and as of yet nothing in Apple Pay is shown insecure.
Your apparent position is like bitching at the voting process because they require voter ID, then bitching at the voting process when some bureaucrat doesn’t and someone votes in your name.
“...Consumers are at no risk. Credit card consumers are not responsible for fraudulent transactions. So users of Apple Pay can quit worrying.
...Apple Pay consumers need not worry. Install the app and charge away!”
****************************************************************************************************
Customers using Apple Pay as a secure means of using THEIR cards should have near zero possibility of fraud. Most of the cards with fraudulent charges made from Apple Pay are likely not even owners of an IPhone-—they are just random people for whom the criminals have obtained their credit card related data.
ROTFLOL!
Guess the bare facts in the NYT are just too much click bait for a Apple fan-boi like you! Gotta defend Apple at all costs, don’t you? I’m starting to wonder if you’re simply a paid Apple Troll.
Not true ... are you familiar with PCI (payment card industry) compliance requirements?...
The Credit card company’s have requirements if your going to be part of the system.. you can not be a business that collect CC data... and leave it exposed to be hacked and expected the card company to pick up the tab..
Same goes for the 3th party system vendor.. in this case Apple.. if it due to a flaw in Applepay security
While the consumer not be responsible ..
In many cases neither is the card company..
it may well be the retailers or network that collect and transported the cc data....
It’s VERY clear you have little or no knowledge of cyber security practices.
My wife uses Apple Pay and it is flawless and our bank employed good security practices when authenticating her and registering her card in Apple Pay. Apparently one or more other banks or credit unions that are involved with Apple Pay use poor security practices and they paid a price. I’m sure these inept banks are tightening their authentication procedures now.
I guess you’ll call me an Apple Troll now or an Apple “fan-boi” because I just posted some facts and not fiction.
I guess the recitation of actual facts are too much for an anti-Apple troll like you. Tell me how what I told you is in any way a contradiction of the innuendo was reported in the New York Slimes? If you got it, good. That was what I intended it to be.
The BANKS are not doing their job in properly vetting the people who are putting stolen card data into iPhones. That is the be-all and end-all of what is happening. I explained why. What is YOUR problem with that? You distill the New York Times article down, removing the innuendo, and that's all that's left that is truly factual.
Andrew Ross Sorkin is a long time Anti-Apple blogger. I can think of no time in which he has had anything positive or accurate to say about Apple.
This article in the NYT is a reprise of an article that was published over a month ago—and posted by me on FreeRepublic—and I linked to the Cherien Abraham Blog which was from January 6th with an addendum added on January 27th, also linked. . . yet 2400 more banks have signed on since Abraham published his blog! incidentally, Abraham admits he is a paid consultant for Samsung's new Samsung Pay, which is due for release in the first part of April.
Abraham's 6% is a gross distortion because what he actually wrote back in January was that "at some banks" he estimates it "may be as high as 6000 basis points" which translates to 6%. . . but at no time did Abraham claim it was ALL banks using ApplePay.
This portion of the article posted is pure Sorkin's opinion, unattributed to any source:
"The vulnerability in Apple Pay is in the way that it — and card issuers — “onboard” new credit cards into the system. Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process “frictionless,” the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early."
However, it flies in the face of the contracts and the statements of everyone else concerned. No one but Sorkin has made this claim. . . and it is false. However, even Sorkin couldn't be seen to be completely negative. He had to include this, which is exactly true and to the point, based on the agreements Apple has executed with the banks:
"In a statement, Apple put the problem squarely on the shoulders of the banks: “During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.”
Some banks took shortcuts in the verification process. . . and for you and Sorkin to attempt to put the blame on Apple is reprehensible. . . and Sorkin distorts the issue by claiming Apple is somehow keeping data away from the banks which they already have. Idiotic. This is either industrial strength ignorance or deliberate disingenuousness. My vote is on the latter. There has been too much information on how ApplePay works for Sorkin to be so ignorant in the face of what's been published.
Apple simply doesn't have the information on the card owner to provide to the bank. The way ApplePay works is that all of the installation arrangements are between the iPhone user and the card issuing bank that has signed up with ApplePay. That was one of the security features of ApplePay: Apple would never have any of the credit card data; it remains on the user's iPhone in the Secure Element portion of the Processor.
Ask yourself "Why would the issuing BANK need to have Apple provide an address or a phone number for one of the bank's credit card CUSTOMERS?" Sorkin doesn't ask that question. He leaves that out of his hit piece. The reason he left it out is that is how the bank is supposed to contact its own customers.
You cannot be so stupid that you would prefer the banks use phone numbers and addresses supplied by someone signing up a stolen card to assure they have a right to sign up that card? I certainly would really trust everything they tell me. . . NOT! But perhaps you would be that stupid.
The card registration process is simple. . . and "frictionless." I have put in six debit and credit cards in my iPhone's ApplePay system. The banks i use merely either called me in real time when I put the cards into my iPhone. . . using the means I had provided to me. Or they sent me an email to my registered email confirming I had intended to register my card on ApplePay, also in real-time, with a six digit PIN number to activate the card in ApplePay. Not a single one of them just willy-nilly accepted me putting the card into my iPhone without confirming with me that I was doing it. Those six banks are having no problems with fraud related to ApplePay because they are doing it the way that APPLE told them to.
Finally, you've been told time-and-time again, that I am not a paid anything for Apple. I just know the facts and I abhor false information masquerading as facts, like this FUD article from Sorkin. . . who jumps on any FUD he can find and republishes it.
It is not a flaw in ApplePay security. That has been established. The flaw is at the banks who accept the installation of stolen cards and do not do the verification of card ownership that Apple requires they do under their participation agreements.
I think you are not really aware of how this particular fraud is being accomplished. The crooks are stealing credit card information for specific bank cards, making a fraudulent card, then installing it into an iPhone purchased with a fake ID, and the banks (the crooks know which bank cards are not being diligent in verification), and then charging until someone notices the fraudulent charges on their accounts. . . at which point the card is deactivated. Rinse Repeat until the fraudulent iPhone is deactivated. Get another iPhone under another fake ID, rinse repeat. . . using the same or another equally lazy bank.
However, the security of ApplePay is unbroken. The transactions are secure. Apple never has any consumer or transactional or credit card data to be compromised. It is never transmitted in the transaction. ApplePay generates a one-time, one-use token known to the credit-card bank and it will be recognized as a legitimate credit card for that one time only. When the transaction is made, the merchant only knows he has made a sale, but not to whom. . . and only the buyer, the credit card service company, and the credit card company are involved, and only two of those know who's who.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.