We predicted some months ago that mobile fraud would reach around half of all recorded cases by the end of the year, and have been alerting organisations to the fact that account creation fraud is becoming increasingly popular amongst the criminal fraternity. It’s fascinating, therefore, to see all of these trends intersecting with the recent problems the Apple Pay ecosystem seems to be having with scammers in the US.

One issuer has reportedly seen its fraud rate go as high as 600bps (6% of transactions). So what went wrong and what lessons can we learn?

What went wrong?
Anecdotal reports have come in thick and fast over recent weeks that fraudsters have found an Achilles heel in the mobile payment system: card provisioning. Virtually the first step a user must take to sign their card up to Apple Pay is to have their identity validated by the issuing bank. To do this they can either take a photo of their card or input the details manually. These are then sent securely to the issuing bank to check, along with some device usage and iTunes data.

The problem comes for those identity checks which need secondary authentication, because it’s down to the banks to decide what form this takes. Many are requesting static "card-not-present" personal information such as social security numbers. But these are easily obtainable, along with the stolen card data itself, on the kind of underground internet forums frequented by fraudsters. The problem is compounded by the fact that many issuers are forcing users to ring their call centres to validate.

Scammers are more than capable of socially engineering call centre staff into believing they’re talking to the real card holder.
So, hey presto, the fraudster has successfully authenticated some stolen card details onto their iPhone. All that remains now is to go on a high value retail binge – which many are reportedly doing at, you guessed it, Apple Stores themselves.

Least resistance
Don’t get me wrong, Apple Pay is a pretty robust platform, as mobile payments go. It has built-in tokenisation, on-device encryption, NFC, Touch ID and more to keep the bad guys at bay. But we must always remember that if there’s even the slightest chink in the armour, they’ll find it. As with any type of online transaction, the key for the bank, retailer, social network etc. is to stop authenticating via the kind of data which can be easily sourced on underground forums.

Gartner distinguished analyst Avivah Litan said it best in her recent blog post:
"The key is reducing reliance on static data – much of which is [personally identifiable information] PII data that has been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behaviour and relationships between non-PII data elements."

But more than this, using call centres to authenticate users is not just less secure, it’s completely unscalable and creates way too much friction for the individual user. As payments expert Cherian Abraham said in his commentary on the subject:
"In short, provisioning must become secure, invisible and scalable."
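To make the "dynamic data, not static PII" point concrete, here is an added example (not code from the original post, Gartner, or any issuer) of a toy provisioning risk engine. It scores a card-to-wallet provisioning request purely on behaviour and relationships between non-PII elements: how often the card has been provisioned recently, whether it has already been tied to other devices, how old the wallet account on the device is, whether the device's country matches the cardholder's, and how many cards the device already holds. Low-risk requests are approved silently, mid-risk ones are stepped up, and high-risk ones are declined, with no SSN or call centre in the loop. Every field name, threshold and sample request is a constructed assumption for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class ProvisioningRequest:
    """One card-to-wallet provisioning attempt as the issuer sees it (constructed fields)."""
    card_token: str               # token reference for the card; the raw PAN is never handled here
    device_id: str                # stable identifier for the wallet device
    device_account_age_days: int  # tenure of the app-store / wallet account on the device
    device_country: str           # where the device reports itself
    cardholder_country: str       # country on the issuer's file for this cardholder
    cards_on_device: int          # cards already provisioned to this device
    requested_at: datetime


@dataclass
class ProvisioningRiskEngine:
    """Scores provisioning requests on dynamic signals only; static PII is not an input.
    Thresholds and weights are constructed for the example, not taken from any issuer."""
    velocity_window: timedelta = timedelta(hours=24)
    max_attempts_in_window: int = 2
    min_device_account_age_days: int = 30
    max_cards_on_device: int = 3
    # card_token -> list of (device_id, timestamp) for every attempt seen so far
    history: dict = field(default_factory=dict)

    def _recent(self, req):
        return [(d, t) for d, t in self.history.get(req.card_token, [])
                if req.requested_at - t <= self.velocity_window]

    def assess(self, req):
        """Return (decision, score, reasons); decision is 'approve', 'step_up' or 'decline'."""
        score, reasons = 0, []
        recent = self._recent(req)

        # Behaviour: the same card being provisioned repeatedly in a short window
        if len(recent) >= self.max_attempts_in_window:
            score += 40
            reasons.append("provisioning velocity")

        # Relationship: the card has already been tied to other devices recently
        if any(d != req.device_id for d, _ in recent):
            score += 30
            reasons.append("card recently attempted on another device")

        # Reputation: a brand-new wallet account carries no history to vouch for it
        if req.device_account_age_days < self.min_device_account_age_days:
            score += 20
            reasons.append("new device account")

        # Relationship between non-PII elements: device location vs cardholder country
        if req.device_country != req.cardholder_country:
            score += 20
            reasons.append("country mismatch")

        # Behaviour: one device collecting many cards looks like a mule wallet
        if req.cards_on_device >= self.max_cards_on_device:
            score += 30
            reasons.append("many cards on device")

        # Record the attempt so later requests for this card see it
        self.history.setdefault(req.card_token, []).append((req.device_id, req.requested_at))

        if score >= 60:
            return "decline", score, reasons
        if score >= 30:
            # Step-up should itself be a dynamic challenge (e.g. confirmation inside the
            # issuer's own authenticated banking app), not static KBA such as an SSN.
            return "step_up", score, reasons
        return "approve", score, reasons


def demo():
    """Constructed scenario: one card provisioned to a tenured device, then pushed
    onto two fresh devices within hours, which is the pattern the post describes."""
    t0 = datetime(2015, 3, 1, 9, 0)
    engine = ProvisioningRiskEngine()
    requests = [
        ProvisioningRequest("tok-A", "dev-1", 400, "US", "US", 0, t0),
        ProvisioningRequest("tok-A", "dev-2", 3, "US", "US", 1, t0 + timedelta(hours=1)),
        ProvisioningRequest("tok-A", "dev-3", 1, "RO", "US", 4, t0 + timedelta(hours=2)),
        ProvisioningRequest("tok-B", "dev-1", 400, "US", "US", 1, t0 + timedelta(hours=3)),
    ]
    return [engine.assess(r)[:2] for r in requests]


if __name__ == "__main__":
    for decision, score in demo():
        print(decision, score)
```

Running it yields approve (0) for the cardholder's own tenured device, step_up (50) for the first fresh device, decline (140) for the third device once velocity, multi-device, account age, country and card-count signals all fire, and approve (0) for an unrelated card on the tenured device. The point is that none of those decisions needed a piece of information a fraudster could buy on a forum.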

We couldn’t agree more.
Whoever’s to blame for the problems Apple Pay now finds itself in – and the issuers have certainly hit back of late by claiming they haven’t received enough support from Apple – we need to get smarter about fraud prevention.
The clock’s ticking…