Earlier this week we debunked sensational headlines mislabeling bank fraud as Apple Pay fraud. Now those same headlines are being repeated, but with a new twist.
This time Apple Pay has apparently been "stung" by people using false credit card numbers obtained from last year's Target and Home Depot breaches. Sadly, these headlines are just as inaccurate. Banks and retailers may have been "stung", but Apple Pay is still as secure as ever. The Wall Street Journal:
Apple Inc. 's new mobile-payment system has been hit by a wave of fraudulent transactions using credit-card data stolen in recent breaches of big retailers, including Home Depot Inc. and Target Corp. , people familiar with the matter said.
Apple Pay security actually prevents just that kind of data from being stored by retailers. It uses one-time numbers instead of the actual card number, so if anything is stolen, it has no value. In other words, it will keep customers, banks, and stores safer. By spreading fear, uncertainty, and doubt (FUD) about Apple Pay, it actively hurts rather than helps transactional security.
Many people are already nervous about new technologies, even inclusive, enabling technologies like Apple Pay. To make them afraid rather than inform or empower them does them an extreme disservice.
The effects of those incidents are being felt for some time after the breaches in large part because financial institutions that issue cards typically don't launch broad-scale replacements of the affected plastic after a merchant is hacked.
The card companies figure that the cost of potential fraud is often less than giving each customer a new card, according to payment experts and bank executives, and customers sometimes complain about the inconvenience of having to switch to new cards.
Meaning the banks chose not to invalidate or flag that credit card data, and still approved cards based on it for use with Apple Pay, but it's Apple Pay that was "stung"?
About 80% of the unauthorized purchases have been for big-ticket items bought with smartphones at Apple's own stores, one person with knowledge of the situation said.
Again, that's the banks and retailers, including Apple Retail, being stung, not Apple Pay. And what was the scope?
PNC Financial Services Group Inc. has seen 35 cases of fraud out of thousands of all Apple Pay customers, said a spokesman for the Pittsburgh-based bank. "We have looked at our processes and we believe we have very strong know-your-customer processes in place to prevent any additional cases," he said.
While PNC doesn't specify if it's out of 1,000 or out of 999,999, even 35/1,000 cases still makes up a tiny percentage of transactions and certainly nothing to justify the alarmist focus and language used across mainstream media reports.
Here's the comment Apple provided earlier this week:
"Apple Pay is designed to be extremely secure and protect a user's personal information," an Apple spokesperson told iMore. "During setup Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank."
This is the second wave this week of high-profile articles casting blame on Apple Pay for what appears to be ages-old social engineering attacks targeted at banks and retailers. The first wave all sourced the same industry analyst's blog post, with precious little indication of secondary or tertiary sourcing. The second seems no more than a rehash of the first, with some additional yet contradictory detail.
What rates Apple Pay getting this much of this kind of attention from these kinds of outlets this week?