The FLEX Connexion Blog

Mobile Payments Fraud: A Blame Game Between Apple Pay and Financial Institutions

Written by Preston Packer | Apr 7, 2015

In the last few weeks, there has been a spike in mobile payments fraud with Apple Pay. Despite the robust security built into Apple Pay, criminals have quickly found a workaround. They are setting up new iPhones with stolen credit card information, then impersonating the actual credit card account holder using additional information easily found online about that person, thus tricking the financial institution into thinking they are the authorized user so that it verifies the new card.

Since credit unions are anxious to be an Apple Pay user's primary credit card, they are authenticating and verifying these card additions without additional levels of verification. They want to keep the process simple for account holders to add their cards, in keeping with Apple's philosophy of simplifying processes for its users. But in this instance, this push for simplification opened up a security hole, and criminals jumped right through it!

Who is to blame: The financial institutions or Apple?

According to an article on cnbc.com last month: "Both sides play a role because Apple could have done more," said Samuel Bucholtz, co-founder of Casaba Security. "But where the fraud is really coming from is the bank's verification of those cards. It's not a compromise of any Apple security system that Apple has put in place."

The fraud that is occurring is not in the Apple system, but in the authentication process of the credit card. And Apple doesn't own this piece of it... the bank does. Patrick Moorehead of Forbes details this process:

Unknown to most, Apple actually sends additional information to the banks to help with authentication as outlined in the Apple Pay Security and Privacy Overview. It says, “…Then [Apple] sends the encrypted data, along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”

The Apple Pay section of the Apple iOS Security Guide states very clearly that, in addition to location and iTunes activity, Apple encrypts and shares information such as the last four digits of the phone number and the device name. The bank then determines whether the card is approved for use with Apple Pay. All of this information can help with verification, but only if the banks actually use it; if they are not, fixing their verification process has to be part of the remedy.
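To make the issuer's side of that decision concrete, here is an added example (not code from the post, from Apple, or from any bank) of how an issuer could actually consume the signals the post lists: device name, device location, iTunes account history and the last four digits of the phone number. The field names, thresholds, risk weights and sample cases are all constructed for illustration; a real issuer would tune them against its own fraud data. The point it demonstrates is the post's own: when the forwarded signals are scored against what the issuer already knows about the cardholder, a freshly set-up phone with a mismatched phone number and no purchase history is declined, a cardholder who is merely travelling is routed to step-up verification rather than refused, and a request that arrives with the signals missing is never silently approved.

```python
"""Illustrative issuer-side check for a mobile-wallet card provisioning request.

Added example, not the post's or Apple's code. Models the decision the post
describes: the wallet provider forwards device name, current location, iTunes
history and the last four digits of the phone number; the issuer decides whether
to approve the card. All field names, weights, thresholds and sample values are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

APPROVE, STEP_UP, DECLINE = "approve", "step_up", "decline"


@dataclass
class CardOnFile:
    """What the issuer already knows about the cardholder (constructed)."""
    billing_region: str   # e.g. "US-CA"
    phone_last4: str      # last four digits of the phone number on the account


@dataclass
class ProvisioningSignals:
    """Signals forwarded with the provisioning request. None = not supplied."""
    device_name: str
    device_location: Optional[str]
    itunes_account_age_days: Optional[int]
    itunes_transaction_count: Optional[int]
    phone_last4: Optional[str]


def score_provisioning(card: CardOnFile, sig: ProvisioningSignals) -> Tuple[int, List[str]]:
    """Return a risk score (higher is riskier) and the reasons behind it."""
    score = 0
    reasons: List[str] = []

    # Phone number on the device versus phone number on the account.
    if sig.phone_last4 is None:
        score += 1
        reasons.append("phone last four not supplied")
    elif sig.phone_last4 != card.phone_last4:
        score += 3
        reasons.append("phone last four does not match account")

    # Device location versus billing region. A mismatch alone is not proof of
    # fraud (the cardholder may be travelling), so it contributes but does not decide.
    if sig.device_location is None:
        score += 1
        reasons.append("device location not supplied")
    elif sig.device_location != card.billing_region:
        score += 2
        reasons.append("device location outside billing region")

    # A brand-new iTunes account with no purchase history looks like a freshly
    # set-up phone, which is the pattern the post describes.
    if sig.itunes_account_age_days is None or sig.itunes_transaction_count is None:
        score += 1
        reasons.append("iTunes history not supplied")
    elif sig.itunes_account_age_days < 90 or sig.itunes_transaction_count < 5:
        score += 2
        reasons.append("short or empty iTunes history")

    return score, reasons


def decide(card: CardOnFile, sig: ProvisioningSignals) -> Tuple[str, List[str]]:
    """Map the score to approve / step-up / decline. Thresholds are illustrative."""
    score, reasons = score_provisioning(card, sig)
    if score == 0:
        return APPROVE, reasons
    if score <= 3:
        # Step-up means an extra check against the account on file, e.g. a
        # one-time code to the phone number the issuer already holds.
        return STEP_UP, reasons
    return DECLINE, reasons


# Constructed sample data: one card on file and four provisioning requests.
SAMPLE_CARD = CardOnFile(billing_region="US-CA", phone_last4="4417")
LEGIT = ProvisioningSignals("Jane's iPhone", "US-CA", 900, 40, "4417")
TRAVELLING = ProvisioningSignals("Jane's iPhone", "FR", 900, 40, "4417")
ATTACKER = ProvisioningSignals("iPhone", "RU", 2, 0, "9912")
BLIND = ProvisioningSignals("iPhone", None, None, None, None)

if __name__ == "__main__":
    for label, sig in [("legit", LEGIT), ("travelling", TRAVELLING),
                       ("attacker", ATTACKER), ("no signals", BLIND)]:
        verdict, why = decide(SAMPLE_CARD, sig)
        print(f"{label:11s} -> {verdict:8s} {'; '.join(why)}")
```

The design choice worth noting is that absent signals are scored, not ignored: an issuer that approves whenever a field is missing has recreated the gap the post describes, whereas routing such requests to step-up keeps the process simple for the common case and adds friction only where the evidence is thin.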

Is it entirely the card-issuing banks' fault? Should Apple have required more information to be shared for verification on all cards used? Would doing so have eliminated a perceived advantage for the consumer in using a card that required less information, at the cost of less security? Or perhaps, as one bank executive claimed, "they were so scared of Apple that they didn't speak up. The banks didn't press the company for fear that they would not be included among the initial issuers on Apple Pay."

All blame and finger pointing aside, it is time to fix the problem, because, honestly, Apple Pay and mobile wallets are... well... cool! They are convenient, have the potential to be the ultimate in security when done correctly, and can win your credit union its members' love and affection for its card products.