The story that Apple Pay had been breached and was being used to commit fraud surged like lightning through Web news pages and social networks. But like many stories that go viral on the Web, the early accounts were less than fully accurate. Apple Pay and its security are just fine.
Unfortunately, the same thing can’t be said about the banks that are working with Apple Pay. What happened is that the card-verification process that some banks use to approve adding a credit or debit card to Apple Pay is very lax.
In fact, the verification process is so sloppy that, in some cases, credit card numbers stolen during the Target breach nearly a year and a half ago are still being approved because a few banks don’t even check the list of stolen cards.
To understand how this weakness came about, it’s worth taking time to talk about how Apple Pay’s approval process works. The normal process for adding a payment card to Apple Pay is to load the card information into an iPhone 6 or 6 Plus using the phone’s camera to grab a photo of the card. That photo is then examined by the Apple Passbook software, which extracts the account owner’s name and the card expiration date.
Apple Pay encrypts and transmits that data to Apple. Once Apple receives the data, it checks to see if the card is already on file in iTunes and if the phone matches the one in iTunes. If that’s the case, the card is approved and added to the Passbook where it can be used for Apple Pay transactions.
Of course, most cards aren’t in iTunes already. So Apple sends the card data, plus data on the phone and on the iTunes account to the bank that issued the card. It’s then up to the bank to decide whether the card is valid and is being used by the right person. If the card is verified and approved, then it’s added to Apple Pay and appears in the Apple Passbook.
In some cases, taking a photo of the payment card doesn’t work, either because the card is too worn for the numbers to be visible or because the card design obscures the numbers. In those cases, the user can enter the information from the card manually. This is when the fraud can happen, because criminals can easily insert the card information gathered from a data breach instead and hope that the bank will verify it anyway.
The verification process depends on the bank. In many cases, a third-party call center will make a verification call and ask for information that could easily have been gathered by cyber-criminals during the same breach that yielded the card number.
Apple Pay Fraud Cases Caused by Sloppy Bank Credit Card Tracking
This can include the card-verification value (those three numbers on the back of a Visa or MasterCard, the four numbers on the front of an American Express card) or the last four digits of the user’s Social Security number. Once that information is provided, the addition to Apple Pay is approved and the fraud can take place.
This doesn’t happen in every case, and many times, the verification process doesn’t involve easily found information. For example, one verification method that a couple of banks have used when I added a card to Apple Pay was to send a text message to my cell phone containing a code that has to be entered to complete the verification. When this is done properly, the bank uses a cell phone number it already has on hand, not one provided by whoever is trying to set up Apple Pay.
Other methods include sending verification codes via email, or requiring information that the criminals can’t easily find out, such as a debit card’s PIN, to be given to the call center.
But unfortunately, there are also some credit card issuers that don’t bother to verify anything—they simply approve when asked. These issuers are known to the criminals, of course, and that’s where the fraud is focused.
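The verification tiers described above, as an added illustrative issuer-side policy check (this is example code, not Apple’s or any bank’s actual logic; the method names, the compromised-card list and the sample card numbers are constructed assumptions). It rejects cards on the compromised list, refuses approval when the only "proof" is data the same breach would have exposed, and only counts an SMS code when it went to the number already on file:

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Set, Tuple


class Method(Enum):
    """Ways an issuer might verify a request to add a card to a wallet (assumed names)."""
    NONE = "auto-approve"                  # issuer verifies nothing at all
    CVV = "card-verification-value"        # 3 or 4 digits printed on the card
    SSN_LAST4 = "ssn-last-4"
    SMS_CODE_USER_NUMBER = "sms-code-to-number-the-requester-supplied"
    SMS_CODE_ON_FILE = "sms-code-to-number-on-file"
    EMAIL_CODE = "email-code-to-address-on-file"
    DEBIT_PIN = "debit-pin"


# Data a criminal can obtain from the same breach that yielded the card number,
# or can control outright; passing these adds no real assurance.
BREACH_EXPOSED: Set[Method] = {
    Method.NONE, Method.CVV, Method.SSN_LAST4, Method.SMS_CODE_USER_NUMBER,
}

# Constructed sample of an issuer's compromised-card list (test numbers only).
COMPROMISED_PANS: Set[str] = {"4111111111111111", "5555555555554444"}


@dataclass
class ProvisionRequest:
    pan: str                    # card number as entered or scanned
    entered_manually: bool      # manual entry is the path the article flags
    methods_passed: List[Method]


def decide(req: ProvisionRequest,
           compromised: Set[str] = COMPROMISED_PANS) -> Tuple[str, str]:
    """Return ("approve"|"reject", reason) for a wallet provisioning request."""
    # Step 1: the cheapest check, and the one the article says some banks skip.
    if req.pan in compromised:
        return "reject", "card number is on the compromised-card list"
    # Step 2: discard any factor the attacker could have stolen or controls.
    strong = [m for m in req.methods_passed if m not in BREACH_EXPOSED]
    if not strong:
        return "reject", "no verification beyond breach-exposed data"
    source = "manual entry" if req.entered_manually else "card scan"
    return "approve", f"{source}; verified via {', '.join(m.value for m in strong)}"
```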
What’s happening as a result of this variance in verification methods is that some banks are seeing a lot of Apple Pay fraud, and some aren’t seeing any at all.
So, you’re probably asking yourself why those banks with the loose verification standards aren’t tightening up. Some of them are. But what you have to remember is that the verification process costs money, and some banks don’t want to spend money on security. This is why so many banks fought against EMV cards and why so many are fighting the demand for EMV chip cards with PINs.
The sad truth is that these banks would rather inconvenience their customers than spend an extra cent in security. They’re willing to accept the relatively small losses from fraud—knowing that, in some cases, those costs will be picked up by customers or merchants, not by the bank. The same is true for verification.
About the only thing that merchants can do is find a card processor that takes security seriously. One way to identify those card processors is to see if they also process EMV cards with PINs, rather than just signatures.
That costs extra, of course, but in the long run, it’s money out of your company’s pocket if you don’t take those precautions. Instead, you can take money out of the pockets of card issuers who aren’t willing to invest in security by taking your business elsewhere. They deserve it.