Who's at Fault in Apple Pay Fraud, Apple or Banks?
Criminals are finding ways around Apple Pay's safeguards.
Banks are reportedly getting hit with a growing number of fraud cases involving the mobile payment system. But recent reports involving the service have more to do with identity theft than with breaking into Apple's (AAPL) encrypted, biometric-enabled payment service.
What's happening is that criminals are setting up new iPhones with stolen credit card information, then impersonating the victim using other information easily found online, thus tricking the bank into thinking they are the authorized user in order to verify the new card.
Given that criminals can easily purchase credit card details and other personal data off black market sites, this type of workaround isn't that difficult, security experts said.
Apple or the Banks to Blame?
While these fraud cases stem from identity theft rather than a hack into the Apple Pay system, it shows that there are still kinks in the service's verification process that both Apple and the banks need to address, security experts said.
"Both sides play a role because Apple could have done more," said Samuel Bucholtz, co-founder of Casaba Security. "But where the fraud is really coming from is the bank's verification of those cards. It's not a compromise of any Apple security system that Apple has put in place."
According to Apple's support page, when a user adds a card to Apple Pay, Apple encrypts the data then sends it to the bank along with other information, including data about your iTunes account activity and information about the device you are using, such as its current location or the name of the device. It is then up to the bank to decide whether to approve that card for transactions.
The bank may request additional information to prove the card belongs to the user, but often the information that is asked for is easy for criminals to obtain online. Also, bankers may not require any additional information because they want the process to be as painless as possible, experts said.
Banks have made a push to get customers to adopt the service because of the added layer of security provided by the tokenization technology it involves. And their efforts seem to be working, given the adoption figures some financial firms have touted. JPMorgan Chase (JPM), for example, recently said that it already had one million customers who had added cards to Apple Pay, and Bank of America (BAC) said that it had 1.1 million cards registered for the service by the end of last year.
"Banks jumped the gun, they wanted to make it easy, but it is a trade-off between usability and security and they trended toward the side of usability rather than security," Bucholtz said.
One thing the banks and Apple could require to make the process safer is a PIN issued by the bank to register a new card, Bucholtz said. This could be a PIN the bank mails to the user or one they have to log into their bank account to access for a one-time registration, he said.
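The bank-side provisioning decision described above, together with the bank-issued one-time registration code Bucholtz suggests, modelled as an added example (this is not Apple's or any bank's code). The risk signals are the ones the article names (device location, device name, iTunes account history); the field names, thresholds, code format and lifetime are assumptions made for illustration.

```python
# Added example, not Apple's or any bank's code: a simplified model of what a
# bank can do when a card is added to Apple Pay, instead of approving on
# personal data that is easy to buy (the weakness the article describes).
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ProvisioningRequest:
    card_last4: str
    device_name: str
    device_location: str        # region reported by the device, e.g. "US-NY" (assumed format)
    itunes_account_age_days: int
    home_region: str            # the bank's own record of the cardholder's region


def decide(req: ProvisioningRequest) -> str:
    """Return 'approve', 'step_up' or 'decline' for a card-add request.

    Anything that is not plainly low-risk is sent to step-up verification
    with a bank-issued code; thresholds are illustrative assumptions.
    """
    risk = 0
    if req.device_location != req.home_region:
        risk += 2                           # card added far from the cardholder's home
    if req.itunes_account_age_days < 30:
        risk += 2                           # brand-new account on a brand-new phone
    if not req.device_name.strip():
        risk += 1                           # device carries no name at all
    if risk >= 4:
        return "decline"
    return "step_up" if risk > 0 else "approve"


# One-time registration codes: stored hashed, single use, short lifetime.
_pending = {}   # card_last4 -> (sha256 hex of code, expiry timestamp)


def issue_registration_code(card_last4: str, ttl_s: int = 600) -> str:
    """Create the code the bank mails or shows in online banking."""
    code = f"{secrets.randbelow(10**6):06d}"
    _pending[card_last4] = (hashlib.sha256(code.encode()).hexdigest(), time.time() + ttl_s)
    return code


def verify_registration_code(card_last4: str, code: str) -> bool:
    """Accept a code once; any attempt, right or wrong, consumes it."""
    entry = _pending.pop(card_last4, None)
    if entry is None:
        return False
    digest, expiry = entry
    if time.time() > expiry:
        return False
    return hmac.compare_digest(digest, hashlib.sha256(code.encode()).hexdigest())
```

Consuming the code on the first attempt, wrong or right, keeps a stolen card number from being paired with a guessed six-digit code by repeated tries.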
While banks are ultimately responsible for authorizing a card, Apple could do more to increase security in the verification process, said Joe Loomis, founder and CEO of the security firm CyberSponse.
"The verification process of Apple is somewhat inferior because you are dealing with a consumer mindset that convenience is most important in their life so if you make something cumbersome, they aren't going to use it," Loomis said.
"So Apple has to balance this perspective of making it secure enough so that it's difficult to compromise or circumvent but also easy enough so that grandma can set up her credit cards on her iPhone. Unfortunately, that doesn't always jibe."
Security researcher Cherian Abraham, who originally wrote about the Apple Pay fraud last month, pointed out in a tweet on Wednesday that Apple could do more to force banks to improve the process.
"If Apple can mandate [that] banks pay 15 basis points to Apple for every transaction, couldn't they mandate a better-provisioning process by banks?" he asked.
Loomis said that Apple has a history of bypassing comprehensive security verification processes in favor of making things easy for consumers. For example, the celebrity iCloud hacks that took place last year may have been prevented if Apple had stronger verification requirements, like two-factor authentication, in place to authenticate users. But then again there is always a trade-off, Loomis said.
Apple didn't respond to a request for comment.
"You have to have some kind of assumption that there will be some type of fraud, and the more security you have in there the less your adoption rate is. So as long as your adoption rate outpaces the fraud rate it's considered a win. That's just how the world works today. It's an accepted risk," Loomis said.
"Apple knows all of this stuff, it's part of their risk modeling. A product that allows you to have secure verification, it's not going to have fast adoption. So in the perspective of trying to raise money for your shareholders and trying to generate revenue, it's definitely not something that any trendsetter is going to do."