
Apple Pay fraud reflects weakness with credit cards, not platform

Fraudulent purchases have recently drawn a lot of attention as a possible stumbling block in Apple Pay’s ascent, but the problem appears to lie more with how some banks issue credit cards than with any inherent weakness in the mobile payments platform.

According to reports, hackers are using stolen credit card data to make fraudulent purchases using Apple Pay. With Apple Pay receiving significant attention as an important new payment method, it is no surprise that industrious hackers have turned their focus to the platform to look for weaknesses.

“This is an interesting story and very likely to be blown out of proportion,” said Daniel Ingevaldson, CTO of Easy Solutions, Doral, FL. “The problem with Apple Pay is not Apple Pay itself, but that Apple Pay created a new payment channel.

“Whenever a new channel is created, an opportunity for fraud is created along with it,” he said. “We have no indication that Apple Pay itself has been breached or its fundamental security technologies such as biometric authentication (TouchID) and tokenization (using one-time payment card information to prevent credit card theft) have been bypassed.”

Balancing risk, friction
Per Mr. Ingevaldson, what happened is that hackers found that some banks are issuing credit cards that are easier to register on Apple Pay with stolen identity information than others.

Apple Pay provides two pathways for authorizing new cards on an Apple device: one for instant authorization and one that requires additional checks. Apple provides the same information to all issuers for risk qualification, and each issuer can interpret the data and assign a risk score on its own.

“Every bank or credit card issuer is constantly balancing risk of fraud with customer friction,” Mr. Ingevaldson said. “Every bank has a different approach to risk and is placed at a different point on that spectrum.

“In this case, hackers have found that some issuing banks issue cards that are easier to register with stolen identity information than others,” he said. “This vulnerability is made more acute because the black market for purchasing credit cards and identity information allows hackers to quickly look for, purchase and test cards and identities from any bank in the world to see which ones they can exploit and which ones they can’t.

“This trial-by-error is the same iterative approach that hackers and carders have used for decades to exploit specific banks or retailers to optimize their returns.”

Shutting down hackers
The problem is solvable, with the most responsive victims expected to address the issue by closing the vulnerability. This will offload the risk to less responsive issuers, who should eventually respond as well, resulting in Apple Pay becoming an impractical route for hackers.

While the news of Apple Pay fraud is concerning, it is not likely to stall adoption as consumers find the convenience of mobile payments outweighs the potential for fraud, according to a recent survey conducted by Interactions Marketing.

The report found that the number of shoppers using mobile wallets is on the rise. The research also shows that a substantial number of mobile wallet users are leaving retail stores that do not offer mobile payments as an option and not returning to these stores.

The findings include that one in three shoppers already use mobile wallets, and 62 percent of those who do not use one expect to use a mobile wallet within the next year.

According to the report, even though more than half of mobile wallet users have privacy concerns, that does not stop them from using their phones to pay for items. For these shoppers, the reward outweighs any possible risk.

Chantal Tode is senior editor on Mobile Commerce Daily, New York