The Candid Voice in Retail Technology: Objective Insights, Pragmatic Advice

The Fraud Of Apple Pay Fraud

						Username: 
Name:  
Membership: Unknown
Status: Unknown
Private: FALSE
					

Last week I received four or five different emails advising me that “Fraud is Running Rampant on Apple Pay. ” This is a pretty provocative statement and I felt obligated to research the particulars. The results were published in my blog on Forbes, but I thought it worthwhile to re-post here.

I spent enough time researching the thing that I’m wanting to get at least something out of the time I used up on this little project.

It’s important to say right up front that this is a tempest in a teapot, especially given that the payment method is only available in the United States. The primary affected parties at this point are banks; not retailers, and not consumers.

It seems the story was originally brought forward by consultant and blogger Cherian Abraham in a blog post on January 5, 2015. He published a brief update on February 22, and that’s when news outlets like MarketWatch picked up on the story.

No one doubts that Apple Pay’s security methods are adequate. In fact, they are about as state of the art as you can get. The problem instead is ostensibly with fraudulent credit cards, or stolen credit cards being entered as an Apple Pay method of payment. Certainly this is not Apple’s problem. If it is a problem at all, it lies with the banks and the way they verify the credit cards.

Banks are ostensibly tightening up their verification processes to avoid fraud, although adding a credit card this morning was, for me, as easy as adding the first one several months ago. But let’s take a look at the exposure and who is at risk.

In order to add a credit card to an Apple Pay account, the user has to know the credit card number, expiration date and what’s called a “CVV ” (card verification value). These numbers are three digits located on the backs of MasterCard and Visa cards, and four digits printed on the front of American Express cards. The CVV numbers visible on the card are never used at in-store Point of Sale check-out stands, and are not included in the magnetic stripe. All those credit cards stolen via data breaches from companies like Home Depot or Sally Beauty Supply, for example, aren’t in the picture.

It is true, however, that if a consumer’s entire identity is stolen, and the bad guys get as far as setting up a fraudulent credit card, there’s some degree of risk.

Tim Sloane, Vice President of Payments Innovation for the Mercator Advisory Group points out that “the largest fraud on Apple Pay is indeed not a concern to merchants, it is however harming banks. The primary fraud vector being witnessed is not card fraud, its identity fraud. Bad guys clone a phone and use stolen information to ask the issuing bank to enable Apple Pay. The banks Identity verification process was thrown together in the last two or three months and failed to detect all the different fraud vectors. As a result, many Apple Pay devices were provisioned to a fraudster that then went on a shopping spree, often apparently at Apple stores! “

Theoretically, this could happen to customers whose data was stolen from Anthem, for example. But that’s way more work than most fraudsters go through. They sell stolen information in bulk. That’s typically how retail data breaches get exposed to the public – someone finds them for sale on illicit exchanges.

Beyond the identity thefts Mr. Sloane describes above, there is little risk for consumers. Richard Mader, former Director of ARTS, the National Retail Federation’s technology standards group, points out the very same kind of fraud can be accomplished with a PayPal account, a Starbucks payment card, or just about any other application that asks you to put your credit card on file.

The story would be very different if EMV (Europay, Mastercard, Visa) standards were already in place in the US. Countries that have adopted the standard (which would be virtually everywhere outside the US) have seen increased on-line fraud, even as in-store fraud drops to near zero. Data theft has been called a balloon…squeeze one side down, and it just pops out somewhere else.

But we are not there yet, and I fully expect the banks to tighten down verification processes before EMV becomes ubiquitous in the US, or before Apple Pay comes to other countries outside the US. That’s when the real malfeasance will start to occur in bulk.

So the facts around “Apple Pay Fraud ” are that it’s a very idiosyncratic and sporadic occurrence, affecting banks. Banks must get better at preventing identity theft in general, and making sure they don’t issue credit cards to fake people. It strikes me that Apple Pay fraud is the least of their problems until that time.

The fiction is that the American consumer or retailer has anything to worry about any time soon. I so, so wish that our media was a bit more careful before running with some of these stories.

 

Newsletter Articles March 10, 2015
Related Research