eCommerceePaymentMarketingMobile AppsMobilitySmartphones

Does Apple Pay Pose A Security Risk?

Michael Moore joined TechWeek Europe in January 2014 as a trainee before graduating to Reporter later that year. He covers a wide range of topics, including but not limited to mobile devices, wearable tech, the Internet of Things, and financial technology.

Follow on: Google +
Google + Linkedin Subscribe to our newsletter Write a comment

Apple blames the banks for an Apple Pay loophole that is reportedly leading to fraudulent transactions

Apple has blamed banks for alleged Apple Pay vulnerabilities that leave the mobile payment system open to fraud.

Criminals are using the system to purchase high-priced goods using stolen personal ID information, with losses already estimated to be running into the millions, according to Cherian Abraham, a mobile-payments specialist who is a consultant to US finance groups.

Apple’s own retail stores are among the high-profile victims hit by the scam, which is now the subject of feverish research by banks as they try and stop fraudulent transactions.

Apple-PayVerification

In order to carry out the scam, criminals load stolen personal information, which includes banking details, onto new iPhones, before then calling banks to activate the victim’s card on the device.

The issue lies in a loophole when adding credit cards for Apple Pay, as issuing banks need to verify any card being used with the service (known as ‘provisioning’). Authentication can then be carried out in one of two ways – either ‘green path’ or ‘yellow path’ to approve a card for use.

In the former, Apple sends encrypted data from your card, along with information like the name of your device, its current location, and whether or not you have an extensive transaction history with iTunes, to your bank. It then has the option to add an extra verification step to the process, like a text message, email or using their app, but many do not.

If this isn’t enough information to get a card verified, however, ‘yellow path’ approval then requires one of those additional verification methods to get the card approved, which is where the way in for criminals is found.

This down to many banks choosing to use a customer service call as their verification method, and then asking only for the last four digits of a US social security number, which is often easily found if your identity is stolen.

Therefore, anyone who has possession of a stolen identity and credit card information has everything they need to get that card verified by the banks who have chosen to use customer service calls as their ‘yellow path’ verification method.

identity deception fraud social engineering security © Pretty much everyone knows that passwords aren't supposed to be shared. Passwords exist to protect your information and your employer's information from being seen by people who shouldn't see it and who could cause serious damage if they do access it. This is why you have a strong password on your banking information (you DO have a strong password on your bank account, don't you?) So how is it that Edward Snowden managed to get the passwords that gave him access to thousands of secret documents? According to a story from Reuters, Snowden did it in the easiest way possible. He asked for it. But of course there's more to it than that. What Snowden did was tell a couple dozen of his coworkers that he needed their passwords because he was a system administrator. Those coworkers, knowing that Snowden was fully cleared, figured it was safe, and gave him the passwords. Snowden used that trust to raid the NSA files of everything he could find. Remote Data Replication: Combat Disasters And Optimize Business Operations Watch It Now Leaving aside the propriety of what Snowden did, the fact that he was able to get the information he did with other people's login information speaks volumes. Perhaps more important, it speaks those volumes directly to you and your employer. Snowden exploited a weakness that exists at nearly every company or organization and which can be overcome only by having the right security policies and the right training. That weakness is trusting the wrong people at the wrong time. The obvious question is how this applies to you and your organization. After all, the chances are pretty good that you're not sitting on a pile of state secrets. But the chances are that your company has plenty of information that has value to your competitors, to criminals, or to people who want to use that information for other dubious purposes. Do you really want the outside world to see your customer list? Your financial statements? Your supply chain or manufacturing details? Probably not. Unfortunately, if you lose control of your organization's passwords, you're doing just that. But you can limit the problem by implementing some basic practices, making sure your staff is trained and then retrained frequently. Here are some things you can do: 1. Require passwords that are hard to guess, but don't go overboard. If you require passwords that are too complex, nobody will remember them. You know what happens next—yellow sticky notes on their monitors. That doesn't really help security. 2. Control what happens if a password is shared. It's easy to say that your staff should never under any circumstances share a password. But that's not how things work in the real world. Sometimes a system administrator really does have a reason to request a user's log-in credentials. 3. When that happens, what should the user do? That depends, but at the least they should know that they should then immediately change the password. You might also want to require that any password-sharing request be reported on a routine, easy-to-fill-out form that will disclose the action to whomever you designate to handle this, such as your IT manager. 4. Make password changes easy to accomplish, and automate the reporting process so that every such change is logged. 5. Don't depend on complex control software as a primary means of user verification. It might be useful, but nothing works as well as good practices properly followed. Remote Data Replication: Combat Disasters And Optimize Business Operations Watch It Now Require two-factor authentication for access to information that's really important. Many companies use a smartcard that doubles as an access card and organizational ID card. This reduces the problem of stolen log-in credentials. More complex methods of access control certainly exist and should be used under extraordinary situations, but are not always appropriate. It's important to remember that maintaining access security requires the willing cooperation of your staff. This means that you have to tell them what needs to be protected, the means they should follow to protect that information and what they should do if they suspect that protection has been compromised, even by someone who claims a plausible reason to do so. Here's one way such a procedure might work: One of your workers with access to something sensitive, such as human resource data, requests help with a problem logging in to the network. Somebody from the help desk asks for the log-in credentials to see what the problem is and to try to fix it. The person being helped provides the information and then immediately sends an email to a designated manager saying something like this: "I provided my log-in info to Sam Smith from the help desk to fix a log-in problem. My extension is 123." Once the log-in problem is solved, the employee should immediately change their password. That change will be recorded by your network management system where it can be verified by a manager or security staffer. Will that eliminate all data loss? Of course not, but it will eliminate some of it. It requires little in the way of resources and it allows management follow-up since problems—including an administrator who seems to be asking for a lot of passwords—will show up quickly. While you can throw automation at such a problem, at some point the most basic answer is training and management. It's hard to be more effective than that unless you already have training and management practices to enforce password discipline in place already. ShutterstockWho’s to blame?

In a statement, Apple appeared to lay the blame purely with the banks themselves.

“Apple Pay is designed to be extremely secure and protect a user’s personal information. During setup Apple Pay requires banks to verify each and every card, and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank,” a company spokesperson said.

As mentioned above, Apple’s own stores have become a primary target for scammers, as it accepts Apple Pay and sells high-value items which can be easily sold on for cash.

It’s worth nothing too that the fraud doesn’t in any way use Apple’s fingerprint-activated TouchID wireless payment system, which features secure encryption, a method often used by other companies for additional verification.

However some industry observers predict this is only the beginning of growing issues for payment providers.

“This problem is only going to get worse as more mobile payments solutions are released,” Gartner analyst Avivah Litan commented. “The vendors in the mobile user authentication space have consistently answered that they are leaving account provisioning policies to the banks or other consumer service providers provisioning the apps. It’s time for them to reconsider and start helping their client banks and service providers by supporting identity proofing solutions built into their apps. Whoever does this well is surely going to win lots of customer support… and revenue.”

Runaway success

Launched in September alongside the iPhone 6 and 6 Plus to customers in the US, Apple Pay has proved a runaway success so far, with around two million users already signed up.

The system, which uses near field communication (NFC) technology, has run into some difficulties, however, due to the lack of merchants with the integrated systems to process such payments.

The service has also been banned by big name American brands including CVS Health and Rite Aid, which have around 8,000 stores across the United States between them, have officially disabled Apple Pay from working at their stores nationwide, although neither company would provide a complete reason for the change.

Other major chains such as Best Buy and Walmart are also unable to support Apple Pay for the time being, as retailers look to upgrade their systems and taken advantage of consumer needs.

All clued up on mobile payments? Try our quiz!