Apple Pay still secure, FUD still flowing

The articles all follow the same pattern: They put Apple Pay in the headline and then describe old-fashioned social engineering attacks against banks in the bodies, conflating Apple Pay as much as possible, but pointing out specific flaws with Apple Pay not at all. The articles themselves thus become attacks — they spread fear, uncertainty, and doubt about enabling, accessible technology to people who deserve far better, more accurate, more empowering reporting. And it just won't stop.

Lost amid the media firestorm these past few weeks about fraudsters turning to Apple Pay is this stark and rather unsettling reality: Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.

Lost amid that lede is the starker and more unsettling reality that any digital transaction system, when banks approve stolen credit card information for use, makes this possible. So do traditional forms of credit card fraud.

Enter Apple Pay, which potentially erases that limitation of CVVs because it allows users to sign up online for an in-store payment method using little more than a hacked iTunes account and CVVs. That's because most banks that are enabling Apple Pay for their customers do little, if anything, to require that customers prove they have the physical card in their possession.

Which is a problem banks need to address, as it hurts customers, retailers, and Apple.

Interestingly, neither Apple nor the banks get any useful identity information out of the mobile carriers – at least that I know or heard of. And mobile carrier data could be particularly helpful with identity proofing. For example the banks could compare the mobile service's billing address with the card account holder's billing address.

Carrier participation would be, no doubt, most welcome. Apple does provide the last four digits of the iPhone's telephone number, however, which — and I'm just spitballing here — banks could compare to their records, and see if it's associated with the billing address?

The irony here is that while Apple Pay has been touted as a more secure alternative to paying with a credit card, the way Apple and the banks have implemented it actually makes card fraud cheaper and easier for fraudsters.

Apple Pay doesn't give retailers the actual card number but a one-time transaction number which, if the retailer is breached, is useless as a transport for future fraud. In other words, it prevents the very mechanism that leads to these attacks.

VPN Deals: Lifetime license for $16, monthly plans at $1 & more

And what about Apple's implementation is suspect here? Apple Pay is, thus far, so secure criminals are left to target banks with ages-old social engineering attacks. That's absolutely a problem that needs to be fixed, but it's a problem that can only be fixed by accurately reporting it.

Even more deliciously ironic, as noted in Cherian Abraham's insightful column at Droplabs, is how much of the fraud stemming from crooks signing up stolen credit cards with Apple Pay was tied to purchases of high-dollar Apple products at Apple's own brick-and-mortar stores! That banks end up eating the fraud costs from this activity is just the cherry on top.

Apple Retail and banks being defrauded is "deliciously ironic"? That's a curious choice of words for what's framed as a serious security piece.

"One of the biggest gripes I have heard from issuers is the lack of transparency from Apple (what did they expect?) and the makeshift reporting provided to issuers that is proving to be woefully inadequate," Abaraham wrote. "As long as issuers fall back on measures easily circumvented by freely available PII – this problem will continue to leech trust and large sums of cash. And alongside of the latter, there is much blame to go around as well."

Yet here's what the banks themselves admit is the source of the fraud:

The effects of those incidents are being felt for some time after the breaches in large part because financial institutions that issue cards typically don't launch broad-scale replacements of the affected plastic after a merchant is hacked.

The card companies figure that the cost of potential fraud is often less than giving each customer a new card, according to payment experts and bank executives, and customers sometimes complain about the inconvenience of having to switch to new cards.

And here's the kicker:

This problem is only going to get worse as Samsung/LoopPay and the MCX/CurrentC (supported by Walmart, BestBuy and many other major retailers) release their mobile payment systems, without the customer data advantages Apple has in their relatively closed environment.

One guess as to how many of the other mobile payment systems appear in the headline, or in the rest of the body of the article?

Spoiler: Zero.