On 2 March 2015, The Guardian reported that Apple Pay suffered from unusually high rates of credit card fraud. The Guardian’s report seems to be based on a February blog post by Cherian Abraham, and I was initially skeptical of both. But contacts with deeper ties to the financial services industry quickly verified there was increased fraud… and no shortage of finger pointing.
This is a fascinating issue for two seemingly contradictory reasons. Apple Pay is one of the most secure payment methods in the United States, if not the most secure method, yet its very existence highlights massive weaknesses in the payment system. Let’s explore why and how some lesser known features of Apple Pay could dramatically reduce fraud, if more banks enabled them.
Credit cards in the United States are different from those in nearly every other country. In the U.S. we have what’s known as zero liability. Under federal law, credit card holders are liable for only $50 of fraudulent purchases, while debit card users are liable for only up to $500. But most banks offer greater protection than what’s legally required. If someone uses your card (or card number) fraudulently, assuming you notice it within a generous time period, you aren’t held liable for the fraud. Instead, the merchant and payment processor who handled the transaction pay the costs of the fraud (nearly always the merchant). So if someone steals your card number, uses it to buy something online, and you notice it within a couple of months, you reverse the charge and the online retailer pays the costs.
The same is also true if the card company (Visa, MasterCard, American Express, etc.) or the issuing bank catches the fraud with their internal systems, at least if the transaction wasn’t stopped at the point of sale. Those fraud-detection systems have managed to keep fraud rates at near-historic lows despite massive breaches, but based on discussions I’ve had with some executives in the industry, the rates have been growing for the first time in over a decade.
This is the exact opposite of most other countries where the cardholder is responsible for the fraud. Few other countries have guaranteed zero liability, although many banks do offer fraud protection as an enticement to use their cards. This is one of the main reasons most other countries use more advanced credit card security technologies, including card-based Chip and PIN systems and mobile payments. Meanwhile, the United States continues to rely on simple magnetic-stripe signature cards, which are incredibly easy to counterfeit. When consumers carry greater liability, security becomes an essential selling point.
I am of course simplifying the issue. There are actually multiple different kinds of payment transactions, each with different requirements for processing. A Chip and PIN card isn’t necessarily any more secure for an online purchase (“cardholder not present” in industry terms) than a magnetic stripe card, and most U.S. Chip and PIN cards also have magnetic stripes. The systems account for that with different validation requirements, payment limits, fraud analysis, and transaction fees. That’s why when you buy online you typically have to provide your billing address and the CVV (card verification value) number printed on your card, which aren’t stored on the magnetic stripe or in the payment chip. This, ideally, proves you have the card in hand and know information otherwise not available if someone skimmed the card.
From Target to Apple Pay — Apple Pay is incredibly secure because it never stores or uses your actual credit card information. Instead, when you register your card, a disposable token is sent to your iPhone or (soon) Apple Watch, and stored inside the same super-secure Secure Element chip used by other mobile payments and some cards. After that, there’s little exposure for a stored credit card. Even if someone steals your iPhone, your bank can cut off the token without having to send you an entirely new credit card (see “Apple Pay Aims to Disrupt Payment Industry,” 9 September 2014).
The weak link, it turns out, is the process of registering your card with Apple Pay (“onboarding” in industry terms). Apple built a framework, not a new payment system, and Apple only mediates the connection between your iPhone and your bank. Your bank is supposed to validate that you are who you say you are, based on the Apple Pay registration process.
When you enter your card information, Apple encrypts it, sends it to an Apple server, figures out your credit card company (based on the card number), re-encrypts the data, and finally sends it to your bank for verification. As documented on Apple’s Support site and detailed in the iOS Security Guide, Apple also provides other information to your bank. Here’s an excerpt from the iOS Security Guide describing the process:
Additionally, as part of the Link and Provision process, Apple shares information from the device with the issuing bank or network, like the last four digits of the phone number, the device name, and the latitude and longitude of the device at the time of provisioning, rounded to whole numbers. Using this information, the issuing bank will determine whether to approve adding the card to Apple Pay.
Your bank can immediately approve your card for Apple Pay or decide it needs additional verification, such as sending an email or text message to an address on file. The onboarding decision is completely controlled by the bank, but it’s a new process that has never been previously tested at scale here in the United States.
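As an added illustration (not taken from Apple's documentation or from any bank's actual system), here is how an issuer might turn the signals listed in the excerpt into the approve-or-verify decision described above. The on-file record fields, the breach flag, the weights, and the threshold are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProvisioningRequest:
    """Signals the excerpt says Apple shares with the issuer."""
    phone_last4: str
    device_name: str
    lat: int  # whole degrees, as rounded before sharing
    lon: int

@dataclass
class CardholderRecord:
    """Issuer's on-file data (hypothetical schema)."""
    first_name: str
    phone_on_file: str
    home_lat: float
    home_lon: float
    exposed_in_breach: bool  # hypothetical flag: card number seen in a known breach

# Assumed weights: strong signals alone force verification, weak ones only add up.
WEIGHTS = {"phone_mismatch": 2, "card_exposed_in_breach": 2,
           "far_from_home": 1, "device_name_unfamiliar": 1}
STEP_UP_THRESHOLD = 2  # assumed policy value

def lon_gap(a: int, b: int) -> int:
    """Longitude difference in degrees, handling the +/-180 wrap-around."""
    d = abs(a - b) % 360
    return min(d, 360 - d)

def decide(req: ProvisioningRequest, rec: CardholderRecord):
    """Return (decision, reasons): APPROVE or VERIFY_ON_FILE_CONTACT."""
    reasons = []
    if len(req.phone_last4) != 4 or not rec.phone_on_file.endswith(req.phone_last4):
        reasons.append("phone_mismatch")
    if rec.exposed_in_breach:
        reasons.append("card_exposed_in_breach")
    # Whole-degree rounding is coarse (~111 km of latitude), so allow 1 degree of slack.
    if (abs(req.lat - round(rec.home_lat)) > 1
            or lon_gap(req.lon, round(rec.home_lon)) > 1):
        reasons.append("far_from_home")
    if rec.first_name.lower() not in req.device_name.lower():
        reasons.append("device_name_unfamiliar")
    score = sum(WEIGHTS[r] for r in reasons)
    # Verification goes to contact details already on file, never to data in the request.
    decision = "VERIFY_ON_FILE_CONTACT" if score >= STEP_UP_THRESHOLD else "APPROVE"
    return decision, reasons

# Constructed sample data (555 numbers, made-up cardholder).
alice = CardholderRecord("Alice", "4155550123", 37.77, -122.42, False)
legit = ProvisioningRequest("0123", "Alice's iPhone", 38, -122)
stolen = ProvisioningRequest("0199", "iPhone", 26, -80)
print(decide(legit, alice))
print(decide(stolen, alice))
```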
Credit card theft is rampant, with tens of millions of card numbers exposed over the past couple of years. In many cases, the lost information is never used for a fraudulent transaction. Stolen credit card numbers are sold all over the Internet, with higher prices for cards with more-extensive information, like the address and the CVV number (usually stolen from merchant databases or skimming transactions, even when they aren’t supposed to be stored). Thus the banks always gamble a bit after the big security breaches. They weigh the cost of replacing cards (the printing and mailing costs, the costs of losing a customer, and the inconvenience of re-registering cards for recurring transactions) versus the chance of fraud.
Banks are responsible for determining the rules of their registration process. Some are strict, others less so, and some, it seems, didn’t plan well for handling onboarding fraud. This is similar to the problems Apple suffers with iCloud account takeovers (see “You Are Apple’s Greatest Security Challenge,” 14 October 2014). Knowing someone is who they say they are is hard enough in person, much less over the Internet.
The entire core of the claims of fraud surrounding Apple Pay comes down to the onboarding process and all those stolen cards. The bad guys don’t need to print up fake cards; they just need to get enough information to register the fake cards with Apple Pay. Some banks are more at risk than others, based on how well they set up their onboarding process. Since Apple Pay is a more secure and trusted form of payment, once a fake card is in the system, the actual fraud is easier to carry out.
This situation was entirely predictable; even the most rudimentary threat modeling exercise would have highlighted the potential problem and solutions. And clearly the direct fault lies with the banks for leaving all those stolen cards active, and for making mistakes with the Apple Pay registration process.
However, some in the payments world claim they were “railroaded” by Apple, rushing to get their banks enrolled without being able to implement additional security controls. There is bitterness among the banks, justified or not. But it wouldn’t surprise me if it was the banks’ executives pushing their internal departments to jump on Apple Pay before they had the onboarding processes fully under control.
In short, Apple Pay’s security, speed, and convenience became a stress test for the banks that could expose otherwise manageable weaknesses in their processes and decisions.
A Temporary Situation — Apple is already trying to work with banks to see how they can improve the process and reduce fraud. Not all banks suffer the same rates of fraud, so the problems are clearly avoidable. It likely won’t take much longer for all banks to tighten the screws and reduce fake registrations to a manageable level.
But banks could also turn on additional features to not only prevent stolen credit cards from being registered with Apple Pay, but also reduce credit card fraud overall. I currently have three cards registered with Apple Pay, but my American Express card stands out. Whenever I make a payment, American Express sends me a push notification. This occurs nearly instantly, making it impossible for someone to charge my card without me immediately knowing about it. These notifications occur for all transactions, not just those mediated through Apple Pay.
Although the bad guys have a window of opportunity now, it likely won’t last for long. Banks will tighten up their registration processes, Apple Pay will reduce card and card number theft, and more banks will enable push notifications for every transaction. The end result will be lower fraud rates across the board.