When Tim Cook announced Apple Pay last fall it was pitched as a better and more secure way to make mobile payments, and so far that is proving to be true. It’s months later and the only solid complaint against Apple Pay is that Apple’s business partners aren’t using an adequate level of security.
The security researchers at DropLabs reported on their blog yesterday that the banks and credit card companies who have signed up to support Apple Pay are seeing a high incidence of fraud – one as much as 60 times higher than the norm:
Credit card issuers in general have a good handle on fraud. They manage it under 10bps (i.e. losses of $0.10 or less per $100 of transactions) on transactions made with a dumb plastic card lacking any additional context. So Issuers wishing for Apple Pay fraud to fall between 2-3bps was not totally out of character, considering the protections in place by Apple and Networks to keep fraud away – including Issuer support during provisioning, NFC, Tokenization, a tamper proof Secure Element and TouchID. But fraud seems to have followed a different trajectory here. About a month post-launch, it seems like fraud has come to Apple Pay. (in one case – as high as 600bps for an issuer that I cannot name).
The problem here is that credit card fraudsters have caught on to the fact that the banks and credit card companies aren’t using an appropriate level of security to confirm that the person setting up an Apple Pay account is actually the person who owns the account.
Had user info been lost when Apple Pay competitor CurrentC was hacked last fall, or when the US Office of Personnel Management (added fun: they do security background checks) was hacked, the criminals would be able to load the info into Apple Pay and con some banks into authorizing it.
And Apple is getting dinged for it.
Folks, as much as I would like to slap Apple around on this issue, I’m not sure why the blame for other companies neglecting to adopt secure procedures should be laid at the feet of Apple.
Sure, Apple is partly to blame, but in my mind they are less responsible for this than the financial institutions, who really should have known better.
Or did I miss something?