Apple Inc.’s rollout of its Apple Pay mobile payments app has been fraught with expensive card payment fraud, according to news reports. The much-vaunted iPhone tap-and-pay system’s state-of-the-art tokenization payment security is working fine. But a spike in mobile payment fraud with stolen credit card numbers has reportedly occurred when a few large credit card issuers let down their guards while handling cardholder enrollment during Apple Pay’s chaotic initial rollout.
Information about the fraud is limited. But one mobile commerce and payment consultant, Cherian Abraham of Drop Labs, has publicly estimated that Apple Pay’s card fraud rate reached a hefty 6 percent of transactions at some large issuers, about 60 times the average credit card fraud rate.
No Apple Pay card fraud happened once legitimate customers loaded their card data into their iPhones. The fraud occurred when criminals loaded previously stolen card numbers into iPhone 6s to use Apple Pay for mobile in-store purchases.
“We did our own testing,” reports Hugh Gallagher, principal at First Annapolis Consulting, a payments consulting firm in Annapolis, Md. “And we were able, over the course of several dozens of tests, to load cards that were not the property of the owner of the phone.”
Apple has been using information it already has about its iPhone customers—including email addresses, iTunes account passwords and transaction histories, and cellphone numbers—to approve mobile transactions for card issuers. When discrepancies in its information arise, however, Apple Pay users are sent to the card issuer for further authentication and transaction approval.
Apparently swamped with fraud-related calls during the Apple Pay rollout, some banks have funneled Apple Pay fraud inquiries to their call centers, where stressed agents ask for little more than a Social Security number—something that cybercriminals can often easily obtain when they buy stolen card numbers, Gallagher says. And the confusion multiplies when mobile devices and accounts are added to the transaction authorization mix, says Bob O’Donnell, president and chief analyst at Technalysis Research LLC, a technology consulting firm in Foster City, Calif.
Many community banks, while they know their customers better than their competitors do, are still registering their card portfolios with Visa and MasterCard for the Apple Pay system. Gallagher recommends that community banks preparing to register their portfolio of cards for Apple Pay payments review their authentication scripts and security protocols. “Try to go a little bit deeper [when asking cardholders authenticating questions] than one might ordinarily do,” he advises.
As an authentication measure, O’Donnell and Avivah Litan, an analyst at Gartner Inc., a technology consulting and research firm in Stamford, Conn., say community banks can send their cardholders transaction authorization codes by email or text message, which would require criminals to have the customer’s smartphone and card information. Cardholders can also be directed to log into their online banking account, leveraging that strong authentication process for Apple Pay transactions.
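The enrollment step-up the analysts describe can be sketched as an issuer-side policy. The following is an added example written for this article, not code from Apple, Visa, MasterCard, any issuer, or the consultants quoted. It assumes a simplified three-way verdict from the wallet provider (the "green", "yellow" and "red" labels, the contact records on file, the five-minute code lifetime and the three-attempt lock are all assumptions). For a "yellow" enrollment the verifier ignores knowledge answers such as a Social Security number, since those travel with stolen card data, and instead sends a one-time code to the phone number already on file for the card, so a criminal would need the customer's handset as well as the card number. The code is stored only as an HMAC bound to the specific card and enrolling device, so it cannot be replayed against a different enrollment.

```python
"""Issuer-side step-up verification for a mobile-wallet card enrollment.

Added example; every name, threshold and record here is an assumption made
for illustration, not a real issuer's or wallet provider's procedure.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 3         # assumed: lock the enrollment after three wrong codes


@dataclass
class EnrollmentAttempt:
    card_last4: str
    device_id: str
    wallet_verdict: str                       # "green", "yellow" or "red" from the wallet provider
    knowledge_answers: dict = field(default_factory=dict)   # e.g. {"ssn": "..."}; deliberately unused


@dataclass
class PendingChallenge:
    code_hash: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


class ProvisioningVerifier:
    def __init__(self, contact_on_file: dict, server_key: bytes, clock=time.time):
        self.contact_on_file = contact_on_file   # constructed: card_last4 -> {"sms": ..., "email": ...}
        self.server_key = server_key
        self.clock = clock                       # injectable so expiry can be tested deterministically
        self.pending: dict = {}                  # (card_last4, device_id) -> PendingChallenge
        self.sent: list = []                     # stands in for an SMS/email gateway: (channel, address, code)

    def _hash(self, attempt_key: tuple, code: str) -> bytes:
        # Bind the code to the card and the enrolling device; store only the keyed hash.
        msg = f"{attempt_key[0]}:{attempt_key[1]}:{code}".encode()
        return hmac.new(self.server_key, msg, hashlib.sha256).digest()

    def decide(self, attempt: EnrollmentAttempt) -> str:
        """Green enrollments pass, red ones are refused, yellow ones need an out-of-band code."""
        if attempt.wallet_verdict == "green":
            return "approve"
        if attempt.wallet_verdict == "red":
            return "deny"
        # Yellow path: a knowledge answer (SSN) is never enough on its own.
        return self.start_challenge(attempt)

    def start_challenge(self, attempt: EnrollmentAttempt) -> str:
        contact = self.contact_on_file.get(attempt.card_last4)
        if not contact:
            return "deny"                        # no trusted channel on file: refuse rather than ask for KBA
        code = f"{secrets.randbelow(10**6):06d}"  # six-digit, CSPRNG-generated
        key = (attempt.card_last4, attempt.device_id)
        self.pending[key] = PendingChallenge(self._hash(key, code), self.clock() + CODE_TTL_SECONDS)
        # Send to the number on file, not to a number supplied in the enrollment request.
        self.sent.append(("sms", contact["sms"], code))
        return "challenge"

    def verify_code(self, attempt: EnrollmentAttempt, code: str) -> str:
        key = (attempt.card_last4, attempt.device_id)
        challenge = self.pending.get(key)
        if challenge is None:
            return "deny"                        # nothing outstanding for this card/device pair
        if self.clock() > challenge.expires_at:
            del self.pending[key]
            return "expired"
        if hmac.compare_digest(challenge.code_hash, self._hash(key, code)):
            del self.pending[key]                # single use
            return "approve"
        challenge.attempts_left -= 1
        if challenge.attempts_left <= 0:
            del self.pending[key]
            return "locked"                      # further guesses require a fresh challenge
        return "retry"
```

The point of the design is that the SSN supplied in `knowledge_answers` never influences the outcome: the only thing that turns a yellow enrollment into an approval is possession of the code delivered to the contact already on file, and that code expires, is single-use, is bound to the card/device pair, and is locked after a few wrong guesses.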
Gallagher cautions that another round of mobile fraud could be lurking ahead as Samsung prepares to roll out its own mobile payment system. Unlike Apple Pay, which only works with next-generation near-field communication card readers, Samsung Pay will work with magnetic stripe readers as well, making those mobile card transactions much more widely accepted by retailers. But, unlike Apple, Samsung doesn’t have its own iTunes data history to help with cardholder authentications.