Apple Pay Fraud Cases Caused by Sloppy Bank Credit Card Tracking
This can include the card-verification value (those three numbers on the back of a Visa or MasterCard, the four numbers on the front of an American Express card) or the last four digits of the user's Social Security number. Once that information is provided, the addition to Apple Pay is approved and the fraud can take place. This doesn't happen in every case, and many times, the verification process doesn't involve easily found information. For example, one verification method that a couple of banks have used when I added a card to Apple Pay was to send a text message to my cell phone containing a code that has to be entered to complete the verification. When this is done properly, the bank uses a cell phone number it already has on hand, not one provided by whoever is trying to set up Apple Pay. Other methods include sending verification codes via email, or providing information to the call center, such as a debit card's PIN number, that the criminals can't easily find out. But unfortunately, there are also some credit card issuers that don't bother to verify anything—they simply approve when asked. These issuers are known to the criminals, of course, and that's where the fraud is focused.So, you're probably asking yourself why those banks with the loose verification standards aren't tightening up. Some of them are. But what you have to remember is that the verification process costs money, and some banks don't want to spend money on security. This is why so many banks fought against EMV cards and why so many are fighting the demand for EMV chips cards with PINs. The sad truth is that these banks would rather inconvenience their customers than spend an extra cent in security. They're willing to accept the relatively small losses from fraud—knowing that, in some cases, those costs will be picked up by customers or merchants, not by the bank. The same is true for verification. About the only thing that merchants can do is find a card processor that takes security seriously. One way to identify those card processors is to see if they also process EMV cards with PINs, rather than just signatures. That costs extra, of course, but in the long run, it's money out of your company's pocket if you don't take those precautions. Instead, you can take money out of the pockets of card issuers who aren't willing to invest in security by taking your business elsewhere. They deserve it.
What's happening as a result of this variance in verification methods is that some banks are seeing a lot of Apple Pay fraud, and some aren't seeing any at all.