About two weeks ago, reports began to emerge that enterprising criminals had found a simple, low-tech way to bypass Apple’s state-of-the-art payment platform, with its biometric authentication, tokenization and NFC secure element.
Rather than trying to hack Apple, thieves are merely swiping credit card information and using it to fraudulently create Apple Pay accounts.
A credit or debit card can only be added to Apple Pay when its issuing bank beams over an encrypted version of the card details to store on the phone – which it should only do when certain the real owner is using it. U.S. banks are using a “green path” for cards approved immediately without concerns and a “yellow path” for cards requiring more checks. It is the “yellow path” verification that is causing the problem: in some cases banks are not asking enough questions, and in other cases they are allowing callers to verify their identity with nothing more than the last four digits of their Social Security number.
“At this point, EVERY issuer in AP has seen significant *ongoing* provisioning fraud via customer account takeover. The levels of fraud have varied since launch, but 600bps is now seen as hardly an anomaly. Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one is bold enough to call the emperor naked,” wrote Cherian Abraham, a mobile-payments specialist, on the DropLabs blog.
Abraham also stacked that fraud rate of 6 percent (600 basis points) against a traditional credit card fraud rate that is relatively minuscule: 10 cents for every $100 spent. However, it might also be worth noting that 6 percent of a tiny number is a much, much tinier figure.
It also seems that The New York Times is coming around to the view of MPD CEO Karen Webster and Cortex MCP CEO Shaunt Sarkissian that these claims about the emperor’s nudity may be somewhat overstated at this point.
The Times does note that Apple could have given its banking partners more instruction or information (like consumer addresses and phone number data) to make fraud easier to detect.
However, The Times also notes that banks, motivated by a desire to be customers’ default card on Apple Pay, simply did not do enough to create barriers to identity fraud, nor did they push Apple for more detailed information about customers.
Some bank executives have since noted that fear of Apple motivated their silence, as they didn’t want to run the risk of not being in the initial issuer group launching with Apple Pay.