Banks' rush to embrace Apple Pay resulted in fraud: 'NY Times'

Offering more clarification in the problem of Apple Pay fraud, The New York Times has reported that the problem started with the big banks' rush to participate in the service.

Reporting in the Times on Monday, Andrew Ross Sorkin wrote: "Apple's news release announcing Apple Pay had gushing quotes from Jamie Dimon of JPMorgan Chase, Brian Moynihan of Bank of America and Kenneth Chenault of American Express, along with a list of other companies as launch partners, including Wells Fargo, Citigroup and Capital One." Six months on, the banks were privately complaining about Apple Pay, "but the banks may largely have themselves to blame."

This mostly confirms the original source of the report of Apple Pay fraud, Cherian Abraham, mobile commerce and payments lead specialist at Experian Global Consulting, who reported the issue on his Drop Labs blog.

In a matter of emphasis, Abraham blamed Apple for not pressing the banks for stricter provisioning procedures, while the Times says it is the banks' fault. No one questions the security features built into Apple Pay itself.

The banks were "desperate to become their customers' default card on Apple Pay" thinking that most consumers would only add one to their iPhones, and did not sufficiently build their own defenses or push Apple for more detailed information about the customers. "Some bank executives acknowledged that they were so scared of Apple that they didn't speak up. The banks didn't press the company for fear that they would not be included among the initial issuers on Apple Pay," Sorkin wrote. A second group of banks joined Apple Pay shortly afterward: Barclays, Navy Federal Credit Union, PNC Bank, USAA and U.S. Bank.

"It also appears that banks set up a flawed process to deal with the credit cards that it did flag," Sorkin continued. "Affected users were directed to a customer care phone center, not a fraud prevention center. A customer care center's mission is to help customers use their cards, leading more fraudulent cards to be approved for use on Apple Pay."

Meanwhile, security expert Brian Krebs, writing in his Krebs on Security blog, said: "Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud."

The banks' use of call centers to validate new users was a core problem, Krebs confirmed. "The irony here is that while Apple Pay has been touted as a more secure alternative to paying with a credit card, the way Apple and the banks have implemented it actually makes card fraud cheaper and easier for fraudsters," he said.

But some banks have begun to make changes in the way they activate credit card accounts for Apple Pay, reported American Banker, citing industry consultants.

"This is a black eye that needs to heal through improved authentication procedures," Richard Crone, CEO, Crone Consulting LLC, told American Banker. Some banks are now requiring users to call them to activate Apple Pay, to ensure that their identities haven't been stolen, he said.

For more:
See this article in The New York Times
See this Drop Labs blog post
See this Krebs on Security blog post
See this American Banker article

Related stories:
Samsung's LoopPay acquisition means big things for mobile payments
Apple's Cook promotes privacy, government Pay functions at summit
What mobile means for retail: Observations and insights from Mobile World Congress
This will be the year of Apple Pay
Apple Pay is here