For much of the past year, the debut of Apple Pay was eagerly anticipated as the solution to a litany of credit card payment problems. And certainly the new method of transacting is game-changing: it employs not only a cryptogram (much like EMV credit and debit transactions use), but also a dynamically generated 16-digit token, ensuring that merchants never directly receive or are able to store customers’ actual credit card numbers, which would go a long way toward preventing the large payment card breaches that have dotted the landscape for the last several years.
In addition to the tokenization, transactions are also authorized using either Touch ID (fingerprint) or a PIN, providing an extra layer of security that ensures purchases are verified by the iPhone owner in case the device is lost or stolen.
But the problem isn’t with the transactions themselves; it’s with the card setup process.
Where’s the Fraud Taking Place?
While there’s quite a bit of finger-pointing over who is ultimately at fault, we do know that the problem sits in the onboarding process of getting a customer’s card set up on Apple Pay.
To understand the fraudulent activity taking place, we have to first look at what types of credit card data hackers typically steal and how it’s being used. From Brian Krebs’ blog:
“So in summary, dumps are stolen from main-street merchants, and are sought after by crooks mainly for use at main street merchants. CVVs, on the other hand, are stolen from online stores, and are useful only for fraud against online stores.
Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs.”
Put simply, hackers are taking this cheap and easily accessible CVV data and setting up the stolen cards on Apple Pay on their own iPhones, with few authentication or identity verification processes currently standing in their way.
How is This Happening? Isn’t There a Process to Verify the Cardholder’s ID?
There is, but it isn’t consistent across all issuers, and it’s a big problem. From Drop Labs:
“All Apple Pay participating card issuers are required to build a “Yellow Path” for when card provisioning into Apple Pay requires additional bank verification. Implementation of the “Yellow Path” and corresponding customer experience has varied per Card Issuer. Today, depending on your card issuer – you could expect much variance – such as being directed to their call center, being asked to authenticate via the bank’s mobile app, or an entirely other 2FA verification. As one can expect – each has varying levels of success and friction – with just a couple of banks opting to authenticate via their mobile apps, that would have provided a far easier and customer friendly provisioning experience. Whereas, those that opted for call center verification traded efficiency for friction and by most reports – the corresponding experience has been subpar.”
While Apple does provide quite a host of information to the issuing bank to help verify cardholders (including device name, location and iTunes transaction history), banks have argued that it’s not enough to support their current fraud processes.
But Apple isn’t taking the bait, issuing the following statement:
“During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank.” - NYTimes
What Needs to Be Done to Rectify This?
CNNMoney tested Apple Pay setup with cards issued by several large banks, including Bank of America, JPMorgan Chase, and Wells Fargo, and found all of their processes to be comprehensive and robust, but there are many more banks whose identity proofing processes leave much to be desired.
This post by Gartner suggests banks could tap into the mobile networks themselves to get the billing address associated with a given phone and verify it against the billing address of the credit card, though shared friends-and-family plans would likely throw a wrench in its effectiveness. The key point they made, however, was that we have to think differently about how we verify identity in order to make mobile payments succeed:
“The key is reducing reliance on static data – much of which is PII data that has been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements.
The vendors in the mobile user authentication space have consistently answered that they are leaving account provisioning policies to the banks or other consumer service providers provisioning the apps. Well maybe it’s time for them to reconsider and start helping their client banks and service providers by supporting identity proofing solutions built into their apps.”
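To make the “Yellow Path” decision and Gartner’s point about dynamic signals concrete, here is an added toy issuer-side provisioning triage in Python. It is not Apple’s or any bank’s code: the signal names, thresholds and the green/red labels are assumptions (the page names only the Yellow Path), and the sample requests are constructed.

```python
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt

@dataclass
class ProvisioningRequest:
    """Signals assumed available to the issuer at card-provisioning time (constructed)."""
    card_last4: str
    itunes_account_age_days: int        # how long the Apple ID has existed
    card_seen_in_itunes_history: bool   # card previously used for iTunes purchases
    device_lat: float                   # device location reported at provisioning
    device_lon: float
    billing_lat: float                  # geocoded billing address on file (issuer side)
    billing_lon: float
    cards_added_on_device_24h: int      # velocity: cards provisioned on this device recently

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def risk_score(req):
    """Additive score built from dynamic relationships rather than static PII."""
    score = 0
    if req.itunes_account_age_days < 30:
        score += 30      # freshly created (or freshly taken over) Apple ID
    if not req.card_seen_in_itunes_history:
        score += 25      # no prior relationship between this card and this Apple ID
    if distance_km(req.device_lat, req.device_lon, req.billing_lat, req.billing_lon) > 100:
        score += 25      # device far from the cardholder's billing address
    if req.cards_added_on_device_24h >= 3:
        score += 40      # one device loading many cards looks like a dump being provisioned
    return score

def provisioning_path(req):
    """Map the score to a path; thresholds are assumed, not any issuer's policy."""
    s = risk_score(req)
    if s < 25:
        return "green"   # provision without extra verification
    if s < 70:
        return "yellow"  # step-up: in-app authentication rather than a call-center script
    return "red"         # decline provisioning and refer to the fraud team
```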
To learn more about Rippleshot’s take on emerging payment technologies and the fraud ecosystem to come, download our whitepaper.