Apple Pay has proven to be a venue of convenience for criminals focusing on identity fraud, a new report suggests, with many fraudsters taking advantage of lax customer verification controls put in place by Apple's partner banks to make brick-and-mortar purchases using stolen credit cards via the growing mobile payment service.
Apple Pay itself has not been exploited, according to The Guardian, with issues instead arising at the issuing banks. The problem centers around the processes those banks use to verify customers' identity when adding a card to Apple Pay.
When adding a card, banks can reportedly choose to accept it immediately — using a so-called "green path" — or require additional verification, via a "yellow path." Apple provides the banks with contextual information, such as the name of the device Apple Pay is being configured on, the device's current location, and data about the length of iTunes transaction history, during setup to help identify cases where more stringent checks are required.
The yellow path processes have apparently been found lacking in some cases, with unnamed partner banks asking only for relatively easily-obtainable information, such as the last four digits of the customer's social security number. Once approved, criminals can then use Apple Pay to purchase products at retail, later selling them for cash — with Apple retail stores apparently a particularly attractive target.
Apple is said to have initially made the yellow path optional for banks, changing its mind to require such a process less than one month before Apple Pay's debut. That left banks little time to sort out a solution, with many falling back to call center-based procedures.
As part of their Apple Pay agreements, issuing banks agreed to accept liability for fraud through the platform. Thus far, that amount is thought to have risen into the millions of U.S. dollars, and banks are working on fixes.
"These are probably just some teething problems," Tim Sloan, an executive at financial consultancy Mercator Group, told the paper. "If the banks can nail down the authentication, they should see less fraud on Apple Pay," he continued, adding that "battle plans always look great until you meet the enemy."
109 Comments
So do they have examples of people that were actually targeted? One would assume if this was the case we would be hearing a lot more about it? Local news would be all over a story like this.
"battle plans always look great until you meet the enemy." Just don't be the first wave to become ashes. Stand with the general at the far far back.
They only have themselves to blame really (the banks). The problem is if someone's credit is ruined. I mean, it's sort of okay if only the card is compromised, since it's easy to find that out. What is more difficult is if someone uses my identity to open new cc accounts that I don't know about and runs up a huge bill as a result, and collection proceedings are started. That is a real problem, but for that to happen my identity must be stolen, including SS# etc., and repairing that if it's gone on for years is very, very hard.
Bottom line: why would anybody cite anything from The Guardian (or any UK rag)?
It is interesting that this is happening, and I wonder how big of an issue it is, or was it more along the lines that someone attempted this and it did not go too far. Visa just announced a service that will offer a higher level of security to people who do not have Apple Pay. You load an app, register your phone with Visa, they link your card to your phone in their system, and any time you make a transaction at a physical location, they verify the cell phone is in the same location; if not, they will deny the transaction, since they are assuming the phone and card should be in close proximity of one another. Also, if you do an online order, it has to be done within a certain range of the phone's home location. When I registered my cards I got an email from my banks asking me to verify that I added the card to Apple Pay. I guess these other banks are not doing that; you could add anyone's card to your phone if they are not verifying it.