Apple Pay fraud 'rampant' says payments expert

Could security issues stall mobile payments just as they are getting off the ground?

Fraud is "rampant" on Apple Pay, according to Cherian Abraham, mobile commerce and payments lead specialist at Experian Global Consulting, who reported the issue on his "Drop Labs" blog.

"At this point, every issuer in AP has seen significant ongoing provisioning fraud via customer account takeover," Abraham wrote. The issue is affecting banks on the path from POS to payment approval, but consumers and retailers have not yet been impacted, according to reports.

Banks use a "green path" for card accounts approved immediately and a "yellow path" for those needing more scrutiny. "[Apple Pay] fraud in the yellow path is growing like a weed, and the bank is unable to tell friend from foe. No one is bold enough to call the emperor naked," he said.

Organized crime rings are involved in the fraudulent activity and total losses are already in the millions of dollars, reported the Guardian, which compared that number with the total for smartphone-based retail payments of around $5 billion this year.

"Banks have been caught by surprise by the level of fraud, and the Guardian understands that some are scrambling to ensure that better verification and checking systems are put in place to prevent the problem running out of control, with around two million Americans already using the system," wrote Charles Arthur for the Guardian.

The fraud is primarily targeted toward brick-and-mortar locations. Why? "AP fraud offers instant gratification. Further, online retailers who shoulder liability in the occurrence of fraud have become increasingly sophisticated in fighting it. The 24 hours or more delivery window offers them a sufficient window of opportunity to deploy a number of fraud fighting measures—velocity, device fingerprinting, category checks—and that's too much of a coin-toss for a fraudster. AP is proving to be a lot simpler," Abraham wrote.

As noted in, "in a particularly fun irony, Apple Stores are favorite locations to target because they take Apple Pay and sell high-price goods with large resale values."

The crooks have not broken the secure encryption around Apple Pay's fingerprint-activated wireless payment mechanism, Arthur said. Instead, they are setting up new iPhones with stolen personal information, and then calling banks to "provision" the victim's card on the phone (add its credit account information) so that they can use it to buy goods.

An Apple spokesperson told the Guardian that the secure mechanism for paying with card details stored on the phone had not been breached. "Apple Pay is designed to be extremely secure and protect a user's personal information. During setup Apple Pay requires banks to verify each and every card, and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank."

Those security features—tokenization, on-device secure storage and biometrics—separately and together are formidable, "but the soft underbelly proved to be provisioning of cards into AP," Abraham wrote. Apple should have pushed banks harder to improve their yellow path procedures, which they were apparently advised to do, he said.

In many cases, this provisioning was handled by call centers.

"Call centers are a poor approach for two reasons," he wrote. "One, fraudsters are better at social engineering than call center reps are at sniffing out fraud. In some cases, fraudsters are calling the call center themselves to 'alert the bank about a trip out of town' so that fraud restrictions designed to pinpoint transaction anomalies—such as a customer living in California and buying in Miami—do not trip them up."

But second, and perhaps more importantly, the payment systems are proliferating. "Apple Pay is just the first among the hundreds of token requestors that will come to dot the tokenization landscape," Abraham wrote. "Remember folks, fraud scales. Call centers do not."

For more:
- See this Drop Labs blog post
- See this article in The Guardian
- See this story
