Apple (AAPL +0.17%) has made its move to take over mobile payments, but its Apple Pay service may have major security problems.
The problem comes when cards are verified for use with the service by the issuing banks. The process sends users down either "Green," "Yellow," or "Red" paths. Green path is when the information provided by the user matches what Apple has sent the card issuer. Red path is an outright denial. Yellow path is where the bank asks for more info to verify the card -- and that is where problems are occurring.
Apple Pay fraud has "graduated from an itch to a raging infection" due to security flaws in the mechanism for adding a payment card, wrote Cherian Abraham, a payments consultant for banks and retailers on DropLabs.co.
At this point, EVERY issuer in AP has seen significant *ongoing* provisioning fraud via customer account takeover. The levels of fraud has [sic] varied since launch, but 600bps is now seen as hardly an anomaly. Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one, is bold enough to call the emperor naked.
Traditional credit cards generally keep their losses under 10bps (i.e., losses of $0.10 or less per $100 of transactions), according to Abraham. He added that it's not "an anomaly" to see fraud accounting for about 6% of Apple Pay transactions, compared to about 0.1% of transactions using a traditional credit card swipe.
It's important to note that the fraud occurs due to identity theft, not bad guys hacking into Apple's system, but it's happening and that could kill momentum for the service.
The fraud occurs when people verify their credit card with Apple Pay. Source: author
How the fraud occurs
To commit the fraud, criminals are setting up new iPhones using stolen credit card information then verifying the card with the victim's banks using information easily found online. This tricks the bank into approving the fraudster as the authorized user, making it possible for him or her to use the new card.
Apple is not completely without blame, but it's the banks' verification systems that are the breaking point.
"Both sides play a role because Apple could have done more," Samuel Bucholtz, co-founder of Casaba Security told CNBC. "But where the fraud is really coming from is the bank's verification of those cards. It's not a compromise of any Apple security system that Apple has put in place."
Apple declined to specifically comment on the fraud rates, but a spokesperson told The Wall Street Journal Apple Pay is "designed to be extremely secure and protect a user's personal information." She added that "banks are always reviewing and improving their approval process, which varies by bank."
Why is this happening?
Abraham believes that Apple Pay is a tempting target for fraud because it offers "instant gratification."
He explained that online retailers that shoulder liability in the occurrence of fraud have become increasingly sophisticated in fighting it.
"The 24 hours or more delivery window offers them a sufficient window of opportunity to deploy a number of fraud fighting measures (velocity, device fingerprinting, category checks) -- and that's too much of a coin-toss for a fraudster," he wrote. "AP is proving to be a lot simpler."
How big a problem is this?
Banks have actually pushed consumers to adopt Apple Pay because it adds more security at the actual point of transaction. That has led to quick adoption of the technology by customers from a number of leading banks.
JPMorgan Chase (JPM 1.31%) recently said that it already had one million customers who have added cards to Apple Pay, and Bank of America (BAC 1.11%) said that it had 1.1 million cards registered for the service by the end of last year, CNBC reported.
"Banks jumped the gun, they wanted to make it easy, but it is a trade-off between usability and security and they trended toward the side of usability rather than security," Bucholtz said.
The problem can still be fixed, but the challenge for Apple is that the solution has to come from the banks. Bucholtz suggested that banks mail customers a one-time security code to lock down the process. That would solve the problem, but it would add a delay while customers wait for the mail.
Still, while convenience is great, a 6% fraud rate is astounding and it could kill Apple Pay before it truly gets going. Apple needs banks to take this on and eliminate holes in the security process.
