The weak link in Apple Pay's security chain
by David Divitt, product marketing manager, Alaric Systems Ltd.
There is no question that, since its launch last year, Apple Pay has seen significant uptake in the markets where it is available. Latest figures show 42 percent of iPhone 6 owners have used the service, while JP Morgan says that over a million of its customers have uploaded their card details to use on the mobile payment platform.
But it's not all been plain sailing for the Cupertino firm, with reports indicating that Apple Pay is in fact acting as a backdoor for fraudsters.
While Apple Pay has been hailed as one of the most secure mobile payment options because of its use of tokenization and biometric authentication, there is a weak link in the chain that has caused a surge in fraudulent transactions.
As ever in payments, criminals adore a weak link, especially in a system that is otherwise very secure — this makes it all the more likely their fraud will go unnoticed.
Gartner's Avivah Litan explained how this problem is allowing fraudsters to bridge the gap between traditional, or card-present, transactions and the card-not-present world. It seems the issue is with banks' verification processes.
"Turns out the bad guys are loading iPhones with stolen card-not-present card information (which is much easier to steal than card-present mag stripe data) and essentially turning that data into a physical card à la Apple Pay," Litan said.
It's not a problem inherent in Apple Pay, but more a matter of banks struggling to apply super-tight verification when a customer asks to load a card onto a phone. In some cases they just ask for the last four digits of the user's Social Security number — just the kind of details stolen by fraudsters in a series of retailer data breaches last year.
"This isn't necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card," Litan said.
Partly this is due to the speed of change, with banks having just a couple of months to prepare apps for the new service.
The problem it highlights is that once you have what you think is a secure system, it's much more likely that transactions will be approved. If there's a weakness somewhere up the chain, we have serious problems.
So when a transaction comes from a biometrically authenticated Apple Pay stream, the bank is likely to treat it as low risk, which lets the fraudster complete the theft without raising alarm bells.
No system is 100 percent secure. Breaches will occur. But tokenization and biometrics count for naught if the account or card is compromised before these technologies can make a difference.
According to Litan, the answer lies in applying intelligent fraud detection methods to counter this risk.
"The key is reducing reliance on static data — much of which is PII data that has been compromised by the crooks — and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements," Litan said in a blog post.
Banks also have a part to play in beefing up their verification methods, which is exactly what they are starting to do.
The Wall Street Journal reported that institutions will send out a one-time authorization code to the customer's email or mobile phone as a stronger verification method. Other banks will require customers to phone in to establish their identity through a series of typical know-your-customer checks. Some might even require that the customer authorize their Apple Pay card request by logging into their online bank account.
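As an added illustration (not code from this article or from any issuer), here is a hypothetical model of the card-provisioning decision: the static last-four-of-SSN check described above beside a policy that weights dynamic signals and routes risky requests to the stronger verification paths listed above (one-time code, call-in checks). Every field name, weight and threshold is an assumption chosen for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"          # provision the card immediately
    STEP_UP = "step_up"          # one-time code to email/phone, or online-banking login
    CALL_CENTER = "call_center"  # customer must phone in for know-your-customer checks
    DECLINE = "decline"


@dataclass
class ProvisioningRequest:
    # Hypothetical signals an issuer could see when a card is loaded onto a phone.
    ssn_last4_supplied: str           # static PII typed into the wallet
    ssn_last4_on_file: str
    account_age_days: int
    card_in_known_breach: bool        # card data appeared in a breach the issuer tracks
    prior_provisions_30d: int         # other devices that tried to enrol this card recently
    device_seen_before: bool          # phone previously associated with this customer
    billing_geo_matches_device: bool  # cardholder's region vs. device location


def static_only_decision(req: ProvisioningRequest) -> Decision:
    # The weak policy from the article: the SSN's last four digits are the whole check.
    ok = req.ssn_last4_supplied == req.ssn_last4_on_file
    return Decision.APPROVE if ok else Decision.DECLINE


def dynamic_decision(req: ProvisioningRequest) -> Decision:
    # The static check still applies, but dynamic signals choose the verification path.
    if req.ssn_last4_supplied != req.ssn_last4_on_file:
        return Decision.DECLINE
    score = 0
    score += 3 if req.card_in_known_breach else 0        # data known to be in crooks' hands
    score += 2 if req.prior_provisions_30d >= 2 else 0   # card being enrolled repeatedly
    score += 2 if not req.device_seen_before else 0      # no relationship to this phone
    score += 1 if not req.billing_geo_matches_device else 0
    score += 1 if req.account_age_days < 90 else 0
    if score >= 5:
        return Decision.CALL_CENTER
    if score >= 2:
        return Decision.STEP_UP
    return Decision.APPROVE


# Constructed inputs: stolen card-not-present data plus breached SSN digits, on an unknown phone.
FRAUD_ATTEMPT = ProvisioningRequest("1234", "1234", 2000, True, 1, False, False)
# Constructed inputs: long-standing customer enrolling their usual phone.
LEGIT_ATTEMPT = ProvisioningRequest("5678", "5678", 2000, False, 0, True, True)
# Constructed inputs: the same customer on a brand-new phone, which should trigger step-up.
NEW_PHONE_ATTEMPT = ProvisioningRequest("5678", "5678", 2000, False, 0, False, True)
```

The static policy approves the fraud attempt outright, while the dynamic policy sends it to the call centre and only asks the legitimate customer for a one-time code when the phone is new.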
Apple Pay's fraud problem reveals some of the weak links in the payments chain. It's hardly surprising that Apple makes it as easy as possible for users to upload a card. It's up to the issuers to make sure the card matches the phone.