
Pointing Fingers in Apple Pay Fraud - zt
http://www.nytimes.com/2015/03/17/business/banks-find-fraud-abounds-in-apple-pay.html
======
detaro
TL;DR:

Apple wanted getting on Apple Pay to be as easy as possible. Banks decided
supporting Apple Pay was more important than being able to implement good
fraud protection. Banks now have to deal with fraud rates a magnitude higher.

~~~
bydo
Are these particularly high fraud rates for NFC transactions, though? Or
online transactions? Or even telephone (as in reading one's card number out
loud) transactions?

I would imagine that anything abstracting the physical card away ends up with
a significantly higher fraud rate, but the only numbers we're given are for
Apple Pay specifically and for all credit card transactions in total.

~~~
gambiting
Regular NFC (Visa PayWave/Mastercard PayPass) are limited to a certain amount
per transaction (25 pounds in UK, not sure how much in US), and you can only do
5 until it asks for your PIN. So there is simply very little incentive to be
stealing NFC data for those systems, because you can't use it to steal
high-value items. With Apple Pay, you can pay for anything, and there is pretty
much no verification. You can use any card number to purchase items in
stores, so there is nothing stopping you from using a stolen card to walk out
of Walmart with a $1000 TV.

~~~
madeofpalk
Interesting. In Australia, I think the limit is $50 (which is about the same
in pounds) but there's no entering your PIN number every 5 transactions.

This is in the country that has the highest adoption of contactless payments.

~~~
keeperofdakeys
Last I checked the limit was now $100, or could be different per provider. I
have been asked for my pin on some occasions, mainly when doing a large
transaction (IIRC).

------
jakobegger
I can't believe that buying a device for several hundred dollars, signing up
for a cellular contract, entering a stolen credit card number, and then
tricking a customer service rep is supposedly easier than just swiping a card
with a fake magnetic strip?

Shouldn't it be trivial for Apple to block devices with fraudulent
transactions from using Apple Pay?

~~~
hurin
You don't need a cellular contract - and the SIM card is presumably stolen as
well or a pre-pay account created under a fake name.

~~~
madeofpalk
You don't even need an active SIM card to activate a phone. As long as there's
a SIM card in the tray, the iPhone will activate.

------
skywhopper
This all certainly makes for an interesting case study in security tradeoffs.

I wonder if the numbers cited in the article about the rates of "traditional"
credit card fraud (said to be 0.1%) include the massive costs borne by
retailers, banks, and customers after the Target and Home Depot breaches and
other similar compromises, scenarios that Apple Pay was well-designed to
prevent.

Of course, the 6% Apple Pay fraud rate is also magnified by the fact that the
fraudsters of course took to this new system far far faster than regular
consumers. Once more retailers and banks support Apple Pay, the relative
proportion of fraud will drop. In the next two years as most Americans replace
their existing Android and iOS phones with ones capable of low-friction NFC
payments and awareness increases, the use of this technology will likely take
off.

Ultimately it sounds like best practice for individuals is to use a new credit
card for Apple Pay, and not one that you ever use online or particularly in
restaurants.

~~~
nicky0
I don't see how you arrive at your "best practice" advice, given the
information in the article. How would it address the problem in any way?

~~~
skywhopper
_smacks forehead_ You're right, it wouldn't. Nevermind. :)

------
vilmosi
I think Apple is getting too much slack. They made it way too easy to add a new
credit card.

~~~
37prime
Some credit card issuing banks actually went through a verification process when
a card was added to Apple Pay. For example, a colleague added her United
Airlines MileagePlus Club Card. She had to verify her identity before the card
was approved for Apple Pay.

Meanwhile, another credit card issuing bank which shall remain unnamed, did
not go through the verification process when the card was added to Apple Pay.

~~~
BaconJuice
Why would it be unnamed? Are you employed by them or something? It would be
nice to know who has no verification more than anything.

~~~
37prime
No, I am not employed by any financial institutions.

At that time my colleague added her Wells Fargo card to Apple Pay and it went
through without any notifications from the bank. She has been using this card
with iTunes store though.

Another colleague added her F&A Federal Credit Union card and went through
with little notifications.

First National Bank of Omaha notifies the email address on file that the
card is added to Apple Pay.

US Bank actually sends a letter via mail that the card was added to Apple Pay.

This could change by now.

------
brudgers
The lesson is the same: Apple doesn't partner with other companies. Large as a
bank wanting to cash in on Apple Pay or small as a developer in their garage
panning for a bonanza in the app store, it's Apple's ball and bat and wickets.
Even if Real Madrid and Manchester United show up, Ronaldo and Rooney are
getting innings not stoppage time.

~~~
crusso
Like many disruptors, Apple isn't offering a 100% complete business and
technological model for their partners. They're offering a new way of thinking
about traditional services and a family of integrated computing products with
which to deploy those services.

The business partners can't just expect to do nothing to be a part of a game-
changing service. They'll need to adapt their technologies, business models,
expectations, etc.

~~~
brudgers
Cricket is hardly disruptive. Apple's market position allows it to forgo B2B
relationships based on the goal of mutual success.

~~~
crusso
What is Cricket? I googled "apple cricket" and nothing interesting came up.
I'm not sure what point you're trying to make.

~~~
brudgers
May I suggest reading my top comment beyond the first sentence now?

~~~
crusso
Oh, sorry, that latter sentence of your original post made absolutely no sense
to me. First time through, I had even read it several times but figured it was
some obscure sport reference and I just stuck with my contention of
your statement that 'Apple doesn't partner with other companies'.

~~~
brudgers
It is good to see that kind of go getter attitude. I wish more people would
argue against things they don't understand.

~~~
crusso
It wasn't my fault that your statement was easy to refute.

After that, I just chalked the poorly-worded obscure sport reference up to
poor communication skills.

------
rtpg
Kind of interesting that fraud is about 0.1% of revenue. Kind of says a lot
about the margins behind being a payment processor.

~~~
baldfat
Fraud rate is 0.1%. Fraud rate of Apple Pay is 6%; that is 600 times higher. The
NYT places the Banks at a higher fault because they should know better. I
place blame on the strong arm tactics that Apple uses on every deal they make.

~~~
crusso
In this thread there are two accounts describing how some banks require extra
verification before their cards can be added to Apple Pay... and some banks
don't.

Apparently, Apple gave the banks the hooks they needed to eliminate the type
of fraud the article describes but they didn't do it.

How is this Apple's fault?

~~~
baldfat
To quote someone that the article links to:
http://www.droplabs.co/?p=1231

"Isn’t this a Bank problem? And don’t that absolve Apple and Networks of their
responsibility in this?

"It is unconscionable that Apple did not, and was not strongly advised by its
partners – to make the Yellow Path implementation (by an issuer) mandatory
sooner than it did – which was 4 weeks before AP launch."

~~~
crusso
"unconscionable" that banks should be expected to understand security well
enough to know that not using any verification was stupid?

It was mandatory 4 weeks before the launch, so it's been 6 months since
then... and yet we're seeing how banks haven't bothered to fix it?

I think Apple could have said something sooner, but in order to throw the word
"unconscionable" around, I think that they would have to have done something
deliberate or secretive.

I view that 90% of this rests directly on the banks' shoulders for not
implementing good security in the first place, then sitting on not
implementing it for months.

------
LunaSea
In a new edition of our recurring series: "Apple sacrifices shit for
usability", we will explore why Apple fucked up security once again.

~~~
plava
Did they, though?

I have two cards in Apple Pay, a Capital One credit card and a Wells Fargo
debit card. When I added my Capital One card I was asked to log into their
mobile app to verify the card. This seems highly secure. Someone may have my
stolen credit card details, but they're not going to have my banking passwords
(if they did, I'd have bigger things to worry about).

Wells Fargo didn't even offer that as an option. They had me ring up a call
center. Apple provided secure ways to verify identity, but only one of my two
banks seems to have been bothered to implement them.

------
Shivetya
Owner of several Apple products. I never cared for the idea of Apple Pay for
one reason. I did not need one more touch point to deal with. People claim
Apple Pay simplifies buying but I am of the opinion I don't want any more
people with that access to my credit information than I already have.

Yeah it might be able to provide a layer of anonymity that Paypal does for
online purchases but I still end up with a service authorized to use my card.

What I do want and some CC services can provide is instant messaging of when
the card is charged.

~~~
ghshephard
You seem to fail to recognize that every time you make a payment with your
credit card, you create "one more touch point to deal with" - every shady
taxi driver, every hole in the wall restaurant, every employee making $5/hour
who just started that day - you are handing your credit card information (and
cvv) to them. And, if they ask for ID, there is a non-zero chance that you are
giving them your billing information as well.

The value to users of Apple Pay, is that all disappears. They don't get
anything useful, you never give them your credit card information, and the
token they do get, is only good for that purchase.

Apple Pay is a _huge_ leap forward in security, _for the card holder_ - not
necessarily for the banks though, if they don't actually verify that the
number going into the phone is owned by the cardholder.

