If Apple Can't Stop One Fraudster, Can It Ever Challenge Visa?

Apple's status as the Great Fruit Hope for alternative payments took a hit this week, after it failed to stop a Russian hacker who broke the iPhone's security for many in-app purchases. It's roughly the equivalent of customers somehow tweaking their payment cards, and then swiping them at an in-store PIN pad, which tells the POS the transaction has gone through—except the card is never charged.

Apple's billion-dollar third-party payments business takes a larger than Visa cut, sets less flexible than Visa operating rules, and then offers less help than Visa in securing transactions. And this is the company that's supposed to rescue retail from Visa's interchange rates?

The in-app purchase security hole was exploited by a Russian hacker named Alexey Borodin, who went public with his attack on July 11. The exploit is unusual in that the customer isn't the one victimized. In fact, the iPhone user has to actively cooperate with the man-in-the-middle attack by using fraudulent security certificates and even a specially rigged DNS server that misdirects transactions away from Apple to Borodin's own server.

Then when a customer makes an in-app purchase, the transaction is sent to Borodin's server, which generates fake receipts that tell the app to deliver whatever has been purchased. (Apple doesn't allow in-app purchases of physical goods or services outside the app, so purchases are typically upgrades, game currency or items used inside a game or other app.)

The fraud doesn't work with all in-app purchases—to avoid it, app developers can set up their own servers (at their own expense) to confirm receipts. But even that's not foolproof.

And considering that Apple set up the easy-to-exploit process and rakes in 30 percent of the proceeds from each valid in-app transaction, developers might expect a little more help in securing it—especially because estimates of how much in-app transactions now bring in are well above $1 billion per year.

For retail chains hoping Apple might offer a real alternative for in-store payments, this should be something between disheartening and terrifying. Apple already does a huge business in third-party transactions—far more than Google Wallet and PayPal in-store combined. But it's so insecure that customers and a lone fraudster can gang up on in-app retailers to spoof transactions with impunity.

Even more disappointing (or frightening) is the fact that Apple has been unable to shut down the fraud.Even more disappointing (or frightening) is the fact that Apple has been unable to shut down the fraud. Apple blocked Borodin's IP address and asked his ISP to shut down the server over the weekend, but Borodin just shifted the server to another country and kept going. The exploit is simple enough that there appears to be no easy way for Apple to stop the fraud without rearchitecting its transaction process.

In itself, that type of overhaul wouldn't be a bad thing. As much as it would complicate life for app developers and users, it means Apple would have a much more secure transaction system. If Apple can lock down in-app transactions, it can credibly claim to be able to do in-store mobile payments securely, too.

But as things stand now, Apple's credibility is eroding just as the company is dipping a toe into mobile payments. The actual number of fraudulent transactions isn't high. But what everyone remembers is that with every faked transaction, the seller isn't getting paid. If Apple's goal is to convince retailers it should handle the money, this isn't the way to do it.

Then there's the collateral damage to Apple's technical cred. It turns out that account IDs and passwords are being sent unencrypted—which wasn't really safe even when Apple thought the only place they were going was to Apple's servers. The fact that Apple requires app developers (read that as "retailers") to essentially provide their own transaction security to confirm receipts sounds simultaneously cheap and unrealistic.

And Apple's assumption that no users would make adjustments to their iPhones or iPads to steal from those retailers seems incredibly naive.

There's bound to be a learning curve with mobile payments, especially when it comes to security. Google has had its fumbled demonstrations and security holes, and PayPal is still depending on its insecure phone-number-plus-PIN system in-store. (ISIS still hasn't officially started its mobile payments trial scheduled for this summer, but there are still a few weeks of summer left.) However, hardly anyone is using any of these mobile payment services, so the risk has been minimal.

But for Apple, mobile payments are already a billion-dollar business—and that's before an NFC-enabled iPhone makes in-store payments possible.

Everyone's assumption is that if anyone can convince mobile users to use tap-to-pay with their phones, it's Apple. That's still the most likely scenario, no matter how long Apple waits for the best time to launch in-store mobile payments.

But if Apple can't clean up its current mobile payments mess—and fast—it will effectively shoot itself in the foot, with both retailers and customers. If that happens, no matter how much we like the idea, we'll never get the chance to see whether or not Apple really does represent competition with Visa.