Apple blames the banks for an Apple Pay loophole that is reportedly leading to fraudulent transactions
Apple has blamed banks for alleged Apple Pay vulnerabilities that leave the mobile payment system open to fraud.
Criminals are using the system to purchase high-priced goods using stolen personal ID information, with losses already estimated to be running into the millions, according to Cherian Abraham, a mobile-payments specialist who is a consultant to US finance groups.
Apple’s own retail stores are among the high-profile victims hit by the scam, which is now the subject of feverish research by banks as they try to stop fraudulent transactions.
In order to carry out the scam, criminals load stolen personal information, which includes banking details, onto new iPhones, before then calling banks to activate the victim’s card on the device.
The issue lies in a loophole in the process for adding credit cards to Apple Pay, as issuing banks need to verify any card being used with the service (known as ‘provisioning’). A card can be approved for use in one of two ways – either the ‘green path’ or the ‘yellow path’.
In the former, Apple sends encrypted data from your card, along with information like the name of your device, its current location, and whether or not you have an extensive transaction history with iTunes, to your bank. The bank then has the option to add an extra verification step to the process, such as a text message, an email or its own app, but many do not.
If this isn’t enough information to get a card verified, however, ‘yellow path’ approval requires one of those additional verification methods before the card is approved, and this is where criminals find their way in.
This is down to many banks choosing to use a customer service call as their verification method, and then asking only for the last four digits of a US social security number, which are often easily found if your identity is stolen.
Therefore, anyone who has possession of a stolen identity and credit card information has everything they need to get that card verified by the banks who have chosen to use customer service calls as their ‘yellow path’ verification method.
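The green-path and yellow-path decision described above can be modelled in a few lines to show why a knowledge-only check fails. This is an added example, not code from Apple or any bank: every name in it is hypothetical, the green-path rule (both signals must hold) is an assumption, and it assumes the text message, email and bank-app checks are delivered to contact details the bank already holds.

```python
from dataclasses import dataclass, field

# Constructed model of the flow described above; every name is hypothetical
# and none of it is Apple's or any bank's real interface.
IDENTITY_FACTS = {"ssn_last4"}                            # recoverable from a stolen identity
ON_FILE_CHANNELS = {"sms_otp", "email_otp", "bank_app"}   # assumed to reach contacts on file

@dataclass
class Applicant:
    knows: set = field(default_factory=set)       # facts the caller can recite
    controls: set = field(default_factory=set)    # on-file channels the caller can read
    itunes_history: bool = False                  # extensive iTunes transaction history
    usual_location: bool = False                  # device location fits the cardholder

def choose_path(a):
    """Bank-side triage on the signals Apple forwards (assumed rule: both must hold)."""
    return "green" if a.itunes_history and a.usual_location else "yellow"

def verify(method, a):
    """Identity facts are checked by knowledge, on-file channels by possession."""
    if method in IDENTITY_FACTS:
        return method in a.knows
    if method in ON_FILE_CHANNELS:
        return method in a.controls
    raise ValueError(f"unknown verification method: {method}")

def provision(a, yellow_method, green_step_up=None):
    """Return True if the card would be added to the device under this bank policy."""
    if choose_path(a) == "green":
        return verify(green_step_up, a) if green_step_up else True
    return verify(yellow_method, a)

def audit(yellow_method):
    """Flag yellow-path methods that a stolen identity record alone can satisfy."""
    if yellow_method in IDENTITY_FACTS:
        return "WEAK: knowledge-only"
    return "ok: needs on-file channel"

# Constructed cases: the real cardholder, and a caller holding only stolen identity data.
cardholder = Applicant(knows={"ssn_last4"}, controls={"sms_otp", "bank_app"},
                       itunes_history=True, usual_location=True)
stolen_id = Applicant(knows={"ssn_last4"})        # new iPhone, no history, no on-file channel

if __name__ == "__main__":
    for method in ("ssn_last4", "sms_otp"):
        print(method, "|", audit(method), "| stolen identity approved:",
              provision(stolen_id, method))
```
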
Who’s to blame?
In a statement, Apple appeared to lay the blame purely with the banks themselves.
“Apple Pay is designed to be extremely secure and protect a user’s personal information. During setup Apple Pay requires banks to verify each and every card, and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank,” a company spokesperson said.
As mentioned above, Apple’s own stores have become a primary target for scammers, as they accept Apple Pay and sell high-value items which can be easily sold on for cash.
It’s worth noting too that the fraud doesn’t in any way use Apple’s fingerprint-activated TouchID wireless payment system, which features secure encryption, a method often used by other companies for additional verification.
However, some industry observers predict this is only the beginning of growing issues for payment providers.
“This problem is only going to get worse as more mobile payments solutions are released,” Gartner analyst Avivah Litan commented. “The vendors in the mobile user authentication space have consistently answered that they are leaving account provisioning policies to the banks or other consumer service providers provisioning the apps. It’s time for them to reconsider and start helping their client banks and service providers by supporting identity proofing solutions built into their apps. Whoever does this well is surely going to win lots of customer support… and revenue.”
Launched in September alongside the iPhone 6 and 6 Plus to customers in the US, Apple Pay has proved a runaway success so far, with around two million users already signed up.
The system, which uses near field communication (NFC) technology, has run into some difficulties, however, due to the lack of merchants with the integrated systems to process such payments.
The service has also been banned by big-name American brands: CVS Health and Rite Aid, which have around 8,000 stores across the United States between them, have officially disabled Apple Pay from working at their stores nationwide, although neither company would provide a complete reason for the change.
Other major chains such as Best Buy and Walmart are also unable to support Apple Pay for the time being, as retailers look to upgrade their systems and take advantage of consumer needs.