Bloggers attack reports of Apple Pay fraud

Bloggers are fighting back against reports of Apple Pay fraud.

Last week, many prominent media sources, including the Guardian, the Wall Street Journal and FierceRetailIT, reported on statements by an Experian executive that Apple Pay fraud is "rampant." The bloggers are questioning the extent of the fraud, the reliability of the evidence supporting the contention and how clearly it was reported that Apple Pay itself is not responsible.

"It's important to say right up front that this is a tempest in a teapot, especially given that the payment method is only available in the United States," wrote Paula Rosenblum, a contributor to Forbes. "The primary affected parties at this point are banks; not retailers, and not consumers."

The primary source of the original report was Cherian Abraham, mobile commerce and payments lead specialist at Experian Global Consulting, who reported it on his Drop Labs blog. Abraham's Feb. 22 posting, which noted that he would be in India for "a few weeks," contained many of the cautions about the Apple Pay fraud mentioned by the bloggers: that Apple Pay's security procedures were not breached, and that the issue mainly affected banks and not retail or consumer users of Apple Pay.

However, he also said it was "growing like a weed," involved organized crime, and was partially the fault of Apple, which should have heeded advice it was given to push banks harder to improve their procedures.

Rosenblum told FierceRetailIT that despite two days spent researching the issue, the only source of the inflammatory accusations she could find was Abraham's blog, which did not cite where he got his information.

Writing in the Trustev blog under the headline, "Nope, there's no Apple Pay fraud," Rurik Bradbury said: "What has happened is that Apple Pay itself is basically fraud-proof, so fraudsters have turned their attention to the next weakest link: credit cards before they're added to an Apple Pay wallet. This is classic fraud via social engineering. Criminals use stolen credit card details, which can easily and cheaply be bought on sites like, and then trick banks into allowing them to be loaded onto an iPhone. Once loaded onto a phone, they can make purchases until the card is cancelled."

Bradbury noted that Abraham is "a respected security researcher."

Rene Ritchie wrote in that "Apple Pay is so secure criminals so far have only been able to take advantage of it by taking advantage of the banks behind it."

Apple Pay is being used for fraudulent activities by criminals with stolen identities and credit cards, as first reported by the Guardian, wrote Micah Singleton in The Verge. "While Apple Pay encryption has not been breached, the mobile payments system has seen an increase in fraud as criminals exploit a hole in the verification process when you add a new card to Apple Pay, allowing them to add stolen credit cards to their iPhones, according to sources familiar with the situation."

But the issue has more to do with the banks than with Apple itself, he said. "There is a loophole in the way some issuing banks verify credit cards before they are added to Apple Pay. Though the fraud appears not to be as widespread as early reports indicated, it raises questions about how banks should handle the growing number of mobile payment systems like Apple Pay."

Banks are already acting to stop this fraudulent activity by tightening their verification procedures to load card data into Apple Pay, reported Robin Sidel and Daisuke Wakabayashi in a Wall Street Journal article on Friday. "Our member banks are reacting as quickly as possible to ensure their verification processes are adequate to thwart this new kind of fraud," David Pommerehn, VP and senior counsel at the Consumer Bankers Association, told the Journal. The association represents lenders that issue credit and debit cards.

"So the facts around 'Apple Pay Fraud' are that it's a very idiosyncratic and sporadic occurrence, affecting banks," Rosenblum said. "Banks must get better at preventing identity theft in general, and making sure they don't issue credit cards to fake people. It strikes me that Apple Pay fraud is the least of their problems until that time."

She concluded: "The fiction is that the American consumer or retailer has anything to worry about any time soon."

For more:
- See this Forbes blog post
- See this Drop Labs blog post
- See this Trustev blog post
- See this article
- See this article in The Verge
- See this article in the Wall Street Journal