March 25, 2015

How Apple Pay problems can point a way to better fraud prevention

What went wrong and what can be learnt from recent Apple Pay problems? Tony Larks, ThreatMetrix, investigates.

By Cbr Rolling Blog

We predicted some months ago that mobile fraud would reach around half of all recorded cases by the end of the year, and have been alerting organisations to the fact that account creation fraud is becoming increasingly popular amongst the criminal fraternity. It’s fascinating, therefore, to see all of these trends intersecting with the recent problems the Apple Pay ecosystem seems to be having with scammers in the US.

One issuer has reportedly seen its fraud rate go as high as 600bps. So what went wrong and what lessons can we learn?

What went wrong?
The reports have come in anecdotally thick and fast over recent weeks that fraudsters have found an Achilles heel in the mobile payment system: card provisioning. Virtually the first step a user must take to sign their card up to Apple Pay is to have their identity validated by the issuing bank. To do this they can either take a photo of their card or input the details manually. These are then sent securely to the issuing bank to check, along with some device usage and iTunes data.

The problem comes for those identity checks which need secondary authentication, because it’s down to the banks to decide what form this takes. Many are requesting static "card-not-present" personal information such as social security numbers. But these are easily obtainable, along with the stolen card data itself, on the kind of underground internet forums frequented by fraudsters. The problem is compounded by the fact that many issuers are forcing users to ring their call centres to validate.

Scammers are more than capable of socially engineering call centre staff into believing they’re talking to the real card holder.
So, hey presto, the fraudster has successfully authenticated some stolen card details onto their iPhone. All that remains now is to go on a high value retail binge – which many are reportedly doing at, you guessed it, Apple Stores themselves.

Least resistance
Don’t get me wrong, Apple Pay is a pretty robust platform, as mobile payments go. It has built-in tokenisation, on-device encryption, NFC, Touch ID and more to keep the bad guys at bay. But we must always remember that if there’s even the slightest chink in the armour, they’ll find it. As with any type of online transaction, the key for the bank, retailer, social network etc. is to stop authenticating via the kind of data which can be easily sourced on underground forums.

Gartner distinguished analyst Avivah Litan said it best in her recent blog post:
"The key is reducing reliance on static data – much of which is [personally identifiable information] PII data that has been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behaviour and relationships between non-PII data elements."
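As an added illustration of the "dynamic data" approach the quote describes, the following is example code written for this page, not from the article, Apple, ThreatMetrix, Gartner or any issuer: a scoring routine that evaluates a wallet card-provisioning request using only device, behaviour and relationship signals (device age, account age, region consistency, cards-per-device and devices-per-card velocity) rather than static PII such as a social security number. The field names, weights and thresholds are assumptions chosen for illustration, and the batch of requests is constructed inline.

```python
"""Risk scoring for wallet card-provisioning requests using dynamic signals.

Added example, not from the article or any issuer: signal names, weights and
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ProvisioningRequest:
    card_token: str         # issuer-side reference to the card, never the PAN
    device_id: str          # stable device identifier reported by the wallet
    device_age_days: int    # days since this device was first seen by the issuer
    account_age_days: int   # days since the wallet/store account was created
    cardholder_region: str  # region on file with the issuer
    device_region: str      # region observed from the device at request time


@dataclass
class History:
    """Relationship data between non-PII elements, built up as requests arrive."""
    cards_per_device: dict = field(default_factory=lambda: defaultdict(set))
    devices_per_card: dict = field(default_factory=lambda: defaultdict(set))

    def record(self, req):
        self.cards_per_device[req.device_id].add(req.card_token)
        self.devices_per_card[req.card_token].add(req.device_id)


def score_request(req, history):
    """Return (score, reasons) derived only from dynamic, non-PII signals."""
    history.record(req)  # velocity counts include the current request
    score, reasons = 0, []
    if req.device_age_days < 2:
        score += 30
        reasons.append("device first seen <2 days ago")
    if req.account_age_days < 7:
        score += 20
        reasons.append("wallet account <7 days old")
    if req.cardholder_region != req.device_region:
        score += 25
        reasons.append("device region differs from region on file")
    if len(history.cards_per_device[req.device_id]) >= 3:
        score += 30
        reasons.append("3+ distinct cards provisioned on this device")
    if len(history.devices_per_card[req.card_token]) >= 2:
        score += 20
        reasons.append("card already provisioned on another device")
    return score, reasons


def decide(score):
    """Map a score to an outcome; thresholds are illustrative assumptions."""
    if score < 30:
        return "approve"
    if score < 60:
        # Step-up through a channel the issuer already trusts (e.g. a push
        # confirmation in the authenticated banking app), not a static SSN check.
        return "step_up"
    return "review"


def evaluate_batch(requests):
    history = History()
    results = []
    for req in requests:
        score, reasons = score_request(req, history)
        results.append((req.card_token, req.device_id, score, decide(score), reasons))
    return results


# Constructed sample batch: one long-standing device, one brand-new device
# loading several cards, and a known card appearing on a second new device.
SAMPLE_REQUESTS = [
    ProvisioningRequest("tok-1111", "dev-A", 400, 900, "US-CA", "US-CA"),
    ProvisioningRequest("tok-2222", "dev-B", 1, 2, "US-NY", "US-FL"),
    ProvisioningRequest("tok-3333", "dev-B", 1, 2, "US-TX", "US-FL"),
    ProvisioningRequest("tok-4444", "dev-B", 1, 2, "US-WA", "US-FL"),
    ProvisioningRequest("tok-1111", "dev-C", 1, 30, "US-CA", "US-CA"),
]

if __name__ == "__main__":
    for card, dev, score, decision, reasons in evaluate_batch(SAMPLE_REQUESTS):
        print(f"{card} on {dev}: {decision} (score {score}) {reasons}")
```

Run as-is, the established device is approved with no friction, the new device stacking cards from several regions is sent to review (the third card trips the cards-per-device velocity rule), and the genuine card reappearing on a second device gets a step-up rather than an outright decline, which is the "secure, invisible and scalable" balance the piece argues for.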


But more than this, using call centres to authenticate users is not just less secure, it’s completely unscalable and creates way too much friction for the individual user. As payments expert Cherian Abraham said in his commentary on the subject:
"In short, provisioning must become secure, invisible and scalable."

We couldn’t agree more.
Whoever’s to blame for the problems Apple Pay now finds itself in – and the issuers have certainly hit back of late by claiming they haven’t received enough support from Apple – we need to get smarter about fraud prevention.
The clock’s ticking…

 
