Ever since its launch, proponents of Apple Inc.’s Apple Pay mobile-payments service have touted the wallet’s high-tech security features, including tokenization of card credentials, a secure element in the phone locking down those credentials, and fingerprint authentication.
But now, only four months after that much-heralded launch, banks that support Apple Pay are reporting what appears to be rampant fraud tied to a relatively low-tech channel: stolen card credentials.
Indeed, the millions of pieces of stolen consumer data sold online have caught up with issuers who provision cards in Apple Pay. Amid finger-pointing between Apple and the issuers contracted to support Apple Pay, experts are already at work trying to devise fixes for the problem.
Three different analysts have separately noted unexpected incidents of fraud stemming from faulty verification of the consumer’s identity.
“While no issuer has disclosed public figures on Apple Pay fraud levels, our channel checks indicate that some issuers are experiencing higher-than-average rates of fraud, many times higher than the general-purpose industry average of about 0.1%,” says Ben Brown, senior consultant at First Annapolis Consulting, an Annapolis, Md.-based payments advisory firm. In a research note, Brown says this fraud comes primarily from criminals with stolen data provisioning compromised card accounts to phones.
Apple stands in as the initial gatekeeper before a user can provision an account for Apple Pay, leading some issuers to cast at least some blame on the computing giant. But experts disagree. “It looks like Apple’s responsibility, but it’s not,” Avivah Litan, analyst at consultancy Gartner Inc., tells Digital Transactions News. “The criminals have figured out how to leverage this identity-proofing process. The banks are going to be scrambling to improve the process now.” Litan learned about the issue at a recent conference where bankers spoke about it.
“Apple can help the banks, but they don’t own the data,” Litan says. “It’s up to the banks to know this is the right cardholder.”
The problem for issuers is that so much of the data banks might use for identity verification could be in the hands of criminals, who combine that with compromised payment card data they bought online to falsely set up what appears to be a legitimate account.
This provisioning weakness, called Apple Pay’s “soft underbelly” by Cherian Abraham, a mobile-payments and fraud expert at Experian Decision Analytics, a division of Ireland-based Experian Information Solutions Inc., comes despite the use of tokenization, biometrics, and on-device secure storage, he says.
“At this point, EVERY issuer in [Apple Pay] has seen significant *ongoing* provisioning fraud via customer account takeover,” Abraham wrote in a recent blog post. “The levels of fraud [have] varied since launch, but 600 [basis points] is now seen as hardly an anomaly.” Six hundred basis points is equivalent to losses of 6% of payment volume.
Apple’s own stores appear to be a favorite target for some of the criminals, Abraham says in his post. Apparently, the fraudsters are attracted by the twin prospects of nabbing high-value merchandise and obtaining brand-new iPhone 6 models that can then be loaded with yet more fraudulent accounts. “There is a certain irony in one compromised Apple Pay device paying for another—only to be drafted subsequently into the fraudster’s service,” Abraham says.
The fix is not an easy one. First Annapolis’s Brown notes that some best practices have emerged, such as not relying solely on validating static account data. “It is also useful to leverage mobile-authentication services like Payfone, and look for patterns in the mobile-account lifecycle,” he says. New York-based Payfone Inc. provides network-based authentication services, drawing on data from mobile network operators, to companies that offer mobile services.
Litan, too, suggests reducing the reliance on static data, such as birth dates and information from credit reports and email addresses, in favor of dynamic data that provide insight into the consumer’s behavior. Dynamic data could include mobile-device information, such as location, and indications of heavy activity within an application in one geographic region.
The goal is to assemble as much information as possible that criminals can’t easily replicate or don’t have, she says.
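To make the advice above concrete, here is an added Python example (not code from Apple, any issuer, Payfone or the analysts quoted) that scores a wallet provisioning request on dynamic signals such as device location, device age and per-device provisioning velocity rather than on static identity data alone. The field names, weights, threshold and sample requests are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class ProvisionAttempt:
    device_id: str
    device_age_days: int      # days since the phone was first activated (assumed field)
    device_region: str        # coarse location reported by the device (assumed field)
    billing_region: str       # cardholder's region on file at the issuer (assumed field)
    phone_tenure_months: int  # how long the carrier has seen this number on this SIM
    kba_match: bool           # static knowledge-based answers (DOB, address, ...) matched

def score_attempt(a: ProvisionAttempt, prior_attempts: int):
    """Return (score, reasons). Weights are illustrative; >= 50 means step-up."""
    score, reasons = 0, []
    if not a.kba_match:                 # static data still matters, just not on its own
        score += 50; reasons.append("static_kba_failed")
    if a.device_region != a.billing_region:
        score += 25; reasons.append("device_far_from_billing_address")
    if a.device_age_days < 7:           # freshly bought phone
        score += 15; reasons.append("brand_new_device")
    if a.phone_tenure_months < 3:       # carrier has barely seen this mobile account
        score += 20; reasons.append("fresh_mobile_account")
    if prior_attempts >= 2:             # third or later card loaded onto one phone
        score += 30; reasons.append("many_cards_on_one_device")
    return score, reasons

def triage(attempts, threshold=50):
    """Score attempts in arrival order, tracking provisioning velocity per device."""
    seen, decisions = defaultdict(int), []
    for a in attempts:
        score, reasons = score_attempt(a, seen[a.device_id])
        seen[a.device_id] += 1
        decision = "step_up" if score >= threshold else "approve"
        decisions.append((a.device_id, decision, score, reasons))
    return decisions

# Constructed sample: one genuine cardholder, then three stolen cards loaded onto one
# brand-new phone. The stolen static data passes KBA every time; only dynamic signals catch it.
SAMPLE_ATTEMPTS = [
    ProvisionAttempt("phone-A", 400, "NY", "NY", 36, True),
    ProvisionAttempt("phone-B", 1, "FL", "OH", 1, True),
    ProvisionAttempt("phone-B", 1, "FL", "CA", 1, True),
    ProvisionAttempt("phone-B", 1, "FL", "TX", 1, True),
]

if __name__ == "__main__":
    for dev, decision, score, reasons in triage(SAMPLE_ATTEMPTS):
        print(f"{dev}: {decision} (score {score}) {reasons}")
```

A real issuer would feed these signals from its own systems and a carrier-data provider, and tune the weights against observed fraud rather than the fixed values used here.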
“There is not one vendor to solve the problem,” Litan says, “because the criminals have been beating the data. You have to really stitch together different solutions.”