Apple Pay Exposes Insecure Bank Policies
On 2 March 2015, The Guardian reported that Apple Pay suffered from unusually high rates of credit card fraud. The Guardian’s report seems to be based on a February blog post by Cherian Abraham, and I was initially skeptical of both. But contacts with deeper ties to the financial services industry quickly verified there was increased fraud… and no shortage of finger pointing.
This is a fascinating issue for two seemingly contradictory reasons. Apple Pay is one of the most secure payment methods in the United States, if not the most secure method, yet its very existence highlights massive weaknesses in the payment system. Let’s explore why and how some lesser known features of Apple Pay could dramatically reduce fraud, if more banks enabled them.
Credit cards in the United States are different from those in nearly every other country. In the U.S. we have what’s known as zero liability. Under federal law, credit card holders are liable for only $50 of fraudulent purchases, while debit card users are liable for only up to $500. But most banks offer greater protection than what’s legally required. If someone uses your card (or card number) fraudulently, assuming you notice it within a generous time period, you aren’t held liable for the fraud. Instead, the merchant and payment processor who handled the transaction pay the costs of the fraud (nearly always the merchant). So if someone steals your card number, uses it to buy something online, and you notice it within a couple of months, you reverse the charge and the online retailer pays the costs.
The same is also true if the card company (Visa, MasterCard, American Express, etc.) or the issuing bank catches the fraud with their internal systems, at least if the transaction wasn’t stopped at the point of sale. Those fraud-detection systems have managed to keep fraud rates at near-historic lows despite massive breaches, but based on discussions I’ve had with some executives in the industry, the rates have been growing for the first time in over a decade.
This is the exact opposite of most other countries where the cardholder is responsible for the fraud. Few other countries have guaranteed zero liability, although many banks do offer fraud protection as an enticement to use their cards. This is one of the main reasons most other countries use more advanced credit card security technologies, including card-based Chip and PIN systems and mobile payments. Meanwhile, the United States continues to rely on simple magnetic-stripe signature cards, which are incredibly easy to counterfeit. When consumers carry greater liability, security becomes an essential selling point.
I am of course simplifying the issue. There are actually multiple different kinds of payment transactions, each with different requirements for processing. A Chip and PIN card isn’t necessarily any more secure for an online purchase (“cardholder not present” in industry terms) than a magnetic stripe card, and most U.S. Chip and PIN cards have magnetic stripes as well. The systems account for that with different validation requirements, payment limits, fraud analysis, and transaction fees. That’s why when you buy online you typically have to provide your billing address and the CVV (card verification value) number printed on your card, which aren’t stored on the magnetic stripe or in the payment chip. This, ideally, proves you have the card in hand and know information that would not be available to someone who merely skimmed the card.
From Target to Apple Pay — Apple Pay is incredibly secure because it never stores or uses your actual credit card information. Instead, when you register your card, a disposable token is sent to your iPhone or (soon) Apple Watch, and stored inside the same super-secure Secure Element chip used by other mobile payments and some cards. After that, there’s little exposure for a stored credit card. Even if someone steals your iPhone, your bank can cut off the token without having to send you an entirely new credit card (see “Apple Pay Aims to Disrupt Payment Industry,” 9 September 2014).
The weak link, it turns out, is the process of registering your card with Apple Pay (“onboarding” in industry terms). Apple built a framework, not a new payment system, and Apple only mediates the connection between your iPhone and your bank. Your bank is supposed to validate that you are who you say you are, based on the Apple Pay registration process.
When you enter your card information, Apple encrypts it, sends it to an Apple server, figures out your credit card company (based on the card number), re-encrypts the data, and finally sends it to your bank for verification. As documented on Apple’s Support site and detailed in the iOS Security Guide, Apple also provides other information to your bank. Here’s an excerpt from the iOS Security Guide describing the process:
Additionally, as part of the Link and Provision process, Apple shares information from the device with the issuing bank or network, like the last four digits of the phone number, the device name, and the latitude and longitude of the device at the time of provisioning, rounded to whole numbers. Using this information, the issuing bank will determine whether to approve adding the card to Apple Pay.
Your bank can immediately approve your card for Apple Pay or decide it needs additional verification, such as sending an email or text message to an address on file. The onboarding decision is completely controlled by the bank, but it’s a new process that has never been previously tested at scale here in the United States.
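The bank-side decision described in the preceding paragraphs, written out as an added example. This is not Apple's code or any issuer's code; it models an issuer receiving the Link and Provision signals the iOS Security Guide lists (last four digits of the phone number, device name, latitude and longitude rounded to whole degrees) and choosing between immediate approval, step-up verification through a contact on file, or declining. The field names, thresholds, breach-list flag and sample coordinates are all assumptions constructed for the illustration. The example also quantifies how coarse whole-degree rounding is: the location check has to allow for roughly 55 km of slack per axis before it can say anything at all.

```python
import math
from dataclasses import dataclass

# Whole-degree rounding hides up to half a degree in each axis: about 55 km of
# latitude, and up to 55 km of longitude at the equator, shrinking with the
# cosine of the latitude. Any distance check must allow for that slack.
ROUNDING_ERROR_DEG = 0.5
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class ProvisioningRequest:
    """Signals the issuer receives during Link and Provision (field names assumed)."""
    phone_last4: str      # last four digits of the phone number, supplied by Apple
    device_name: str
    rounded_lat: int      # latitude rounded to a whole degree
    rounded_lon: int      # longitude rounded to a whole degree


@dataclass(frozen=True)
class CardRecord:
    """What the issuer already knows about the card (constructed record)."""
    phone_last4: str      # phone number on file
    home_lat: float       # geocoded billing address on file
    home_lon: float
    in_breach_list: bool  # card number appeared in a known merchant breach


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def max_rounding_error_km(lat):
    """Worst-case distance between a true point and its whole-degree rounding."""
    per_degree = math.radians(1.0) * EARTH_RADIUS_KM
    dlat = ROUNDING_ERROR_DEG * per_degree
    dlon = ROUNDING_ERROR_DEG * per_degree * math.cos(math.radians(lat))
    return math.hypot(dlat, dlon)


def decide(req, card, max_travel_km=300.0):
    """Return (decision, reasons); decision is 'approve', 'step_up' or 'decline'."""
    reasons = []
    if card.in_breach_list:
        reasons.append("card number is on a known breach list")
    if req.phone_last4 != card.phone_last4:
        reasons.append("phone number does not match the number on file")
    distance = haversine_km(req.rounded_lat, req.rounded_lon, card.home_lat, card.home_lon)
    # Subtract the rounding slack so a coarse coordinate near home is not penalised.
    if distance - max_rounding_error_km(card.home_lat) > max_travel_km:
        reasons.append(f"provisioning location about {distance:.0f} km from billing address")
    if card.in_breach_list and len(reasons) >= 2:
        return "decline", reasons
    if reasons:
        return "step_up", reasons   # e.g. text or email the contact on file
    return "approve", reasons


# Constructed sample data: a cardholder whose billing address geocodes to
# San Francisco, and three provisioning attempts against that card.
CARD_ON_FILE = CardRecord("5551", 37.77, -122.42, in_breach_list=False)
CARD_BREACHED = CardRecord("5551", 37.77, -122.42, in_breach_list=True)
REQ_AT_HOME = ProvisioningRequest("5551", "Alice's iPhone", 38, -122)
REQ_FAR_MISMATCH = ProvisioningRequest("9999", "iPhone", 40, -74)

if __name__ == "__main__":
    for label, req, card in [
        ("clean card, near home", REQ_AT_HOME, CARD_ON_FILE),
        ("breached card, near home", REQ_AT_HOME, CARD_BREACHED),
        ("breached card, far away, wrong phone", REQ_FAR_MISMATCH, CARD_BREACHED),
    ]:
        decision, reasons = decide(req, card)
        print(f"{label}: {decision} {reasons}")
```

The policy is deliberately conservative in one direction: a card that has appeared in a breach is never auto-approved, it always gets at least the step-up path, because the onboarding step is exactly where a stolen number is turned into a trusted token. Only when several independent signals disagree does the request fail outright.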
Credit card theft is rampant, with tens of millions of card numbers exposed over the past couple of years. In many cases, the lost information is never used for a fraudulent transaction. Stolen credit card numbers are sold all over the Internet, with higher prices for cards with more-extensive information, like the address and the CVV number (usually stolen from merchant databases or skimming transactions, even when they aren’t supposed to be stored). Thus the banks always gamble a bit after the big security breaches. They weigh the cost of replacing cards (the printing and mailing costs, the costs of losing a customer, and the inconvenience of re-registering cards for recurring transactions) versus the chance of fraud.
Banks are responsible for determining the rules of their registration process. Some are strict, others less so, and some, it seems, didn’t plan well for handling onboarding fraud. This is similar to the problems Apple suffers with iCloud account takeovers (see “You Are Apple’s Greatest Security Challenge,” 14 October 2014). Knowing someone is who they say they are is hard enough in person, much less over the Internet.
The core of the fraud claims surrounding Apple Pay comes down to the onboarding process and all those stolen cards. The bad guys don’t need to print up fake cards; they just need to get enough information to register the stolen card numbers with Apple Pay. Some banks are more at risk than others, based on how well they set up their onboarding process. Since Apple Pay is a more secure and trusted form of payment, once a fraudulently registered card is in the system, the actual fraud is easier to carry out.
This situation was entirely predictable; even the most rudimentary threat modeling exercise would have highlighted the potential problem and solutions. And clearly the direct fault lies with the banks for leaving all those stolen cards active, and for making mistakes with the Apple Pay registration process.
However, some in the payments world claim they were “railroaded” by Apple, rushed to get their banks enrolled without being able to implement additional security controls. There is bitterness among the banks, justified or not. But it wouldn’t surprise me if it was the banks’ own executives pushing their internal departments to jump on Apple Pay before they had the onboarding processes fully under control.
In short, Apple Pay’s security, speed, and convenience became a stress test for the banks that could expose otherwise manageable weaknesses in their processes and decisions.
A Temporary Situation — Apple is already trying to work with banks to see how they can improve the process and reduce fraud. Not all banks suffer the same rates of fraud, so the problems are clearly avoidable. It likely won’t take much longer for all banks to tighten the screws and reduce fake registrations to a manageable level.
But banks could also turn on additional features to not only prevent stolen credit cards from being registered with Apple Pay, but also reduce credit card fraud overall. I currently have three cards registered with Apple Pay, but my American Express card stands out. Whenever I make a payment, American Express sends me a push notification. This occurs nearly instantly, making it impossible for someone to charge my card without me immediately knowing about it. These notifications occur for all transactions, not just those mediated through Apple Pay.
Although the bad guys have a window of opportunity now, it likely won’t last for long. Banks will tighten up their registration processes, Apple Pay will reduce card and card number theft, and more banks will enable push notifications for every transaction. The end result will be lower fraud rates across the board.
The banks aren't getting enough usable information to validate the cardholders. Whatever the cause of the problem, they need the customer name and address (longitude-latitude is not much use in a city) at a minimum; information not visible just from a copy of the card. Any restaurant that runs a card can get enough to register the card on Apple Pay at the moment.
Apple is providing the customer name, so why wouldn't the bank be able to contact the customer for validation using information on file?
The push notification system is a powerful tool. My bank notifies me within minutes of any of their credit or debit cards being used anywhere for any purpose. Since a debit card must be used even for in-bank services (you must log in at the teller's window) these notifications include teller transactions. Seems pretty foolproof to me.
You can be sure that some very smart crooks are working on ways to fool push notifications. Expect more phishing scams claiming to be push notifications.
American bank credit card customers can be paradoxically difficult; demanding fraud protection and displaying anger over the inconvenience more rigorous protection offers at the point of sale. Algorithms for transaction analysis often hold transactions "out of profile" until verification - a phone call, text or email response. This could delay receipt of goods and/or a hold on all card transactions until verification is complete.
Americans express the same irritation to heightened security by TSA at airports. Inconvenience occurs most acutely when not anticipated and time is critical. Not only do some banks need to tighten their procedures and onboarding process, but the public, too, must plan for and accept some inconvenience for the cost of their protection.
The banks may grumble about Apple Pay that ultimately will force them to improve their processing and protection procedures. Since some banks appear to do a better job of this than others and within the revenue generated by the merchant charges, models already exist.
Banks didn't create consumer fraud. But they can be held accountable to their internal security measures and card processing methodology since they promote their cards so heavily and sometimes questionably to the wrong audiences - teenagers, for example, with no credit history.
Credit card convenience and protection are counterintuitive. Apple Pay creates a bridge between these opposing forces. It will be useful, so long as the banking industry cleans up their act. To me, it seems a win all around.
Great post, thank you Rich Mogull
Rounding the latitude and longitude to whole numbers seems... well, stupid. At the equator you're only getting accuracy up to about 60 miles / 70 km. This is one spot where I think Apple should send the most precise latitude and longitude available. If a bank is really security conscious they could ask folks to register Apple Pay at their homes. (Which the bank should already know!)
I can also think of additional info that might be helpful: if the phone is on wifi or not, and if it's on wifi, what is the public IP? The bank could compare this to their other login records, etc.
Well, I'm glad I don't have a debit card; just an ATM-only card.
As for the magnetic strip on cc, that will be gone within a couple of years due to the mandatory change to chipped cards.
I bought a new iPhone 6 just to get ApplePay. I've had my AmEx card hacked 4 times in the past year. AmEx caught them at the time of usage and contacted me, but it did mean getting a new card each time and spending a couple of hours going onto the web sites of all the places I use automatic deductions (Netflix etc). A nuisance.
It's SO easy to just blame Apple when it is the banks to blame. "I didn't understand how it works and was too intimidated to ask" is considered a valid excuse by high level banking officers? "I didn't know the gun was loaded and I'm SO sorry now" sort of keeps going through my head.
BTW, AmEx has the best fraud detecting ability of all. And I love those messages when I make a purchase!