Headlines still trying, failing to link fraud to Apple Pay

It's important to keep saying that because publications keep making it a point to link Apple Pay and "fraud" in their headlines. It's important because those publications are spreading fear, uncertainty, and doubt about Apple Pay — which makes mobile payments more accessible and secures the very data often used to actually commit fraud — to the people for whom it is most beneficial. That's why, as the FUD keeps coming up, we're going to keep addressing it. The latest example comes by way of the New York Times:

The vulnerability in Apple Pay is in the way that it — and card issuers — "onboard" new credit cards into the system.

There's no "vulnerability" in Apple Pay. Apple Pay remains so secure the only way criminals can take advantage of it is through traditional social engineering attacks against banks. The "vulnerability" here is the approval process used by the banks.

Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process "frictionless," the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early.

Apple publicly documents the information it provides to banks, which includes the last four digits of the phone number, as well as the device name, iTunes account activity, and more. If my bank gets the last four digits of my telephone number, and compares them with what they have on file, they should easily be able to get my address and any other information on that file. Likewise the iTunes account information. They should then be able to match it to the card I'm trying to add and come to an informed decision as to what path needs to be followed for verification. If there's any doubt, for my own protection, they should "yellow path" me and pursue the additional verification options available to them.

Some bank executives acknowledged that they were so scared of Apple that they didn't speak up. The banks didn't press the company for fear that they would not be included among the initial issuers on Apple Pay.

The banks aren't beholden to Apple, they're beholden to their customers. If, in their rush to jump on Apple Pay for first-mover or any other market advantage, they failed to protect their customers, then shame on them. Even if we accept the allegation that they were "scared" of Apple, shame on them.

This very much feels like banks throwing Apple under the bus — or into the headlines — because they didn't take action to prevent fraud and now want to shift blame. Here's what was previously reported:

The effects of those incidents are being felt for some time after the breaches in large part because financial institutions that issue cards typically don't launch broad-scale replacements of the affected plastic after a merchant is hacked. The card companies figure that the cost of potential fraud is often less than giving each customer a new card, according to payment experts and bank executives, and customers sometimes complain about the inconvenience of having to switch to new cards.

In other words, the banks ran the numbers and chose not to take measures that would have prevented fraud because it was cheaper for them simply to handle the fraud. That's fine. That's their business and their choice. Their choice not to cancel the card data, their choice to approve it for Apple Pay, and their responsibility for the resulting fraud.

Back to the Times:

It also appears that banks set up a flawed process to deal with the credit cards that it did flag. Affected users were directed to a customer care phone center, not a fraud prevention center. A customer care center's mission is to help customers use their cards, leading more fraudulent cards to be approved for use on Apple Pay.

Again, banks.

Some Apple supporters have sought to discredit Mr. Abraham based on his affiliation as an adviser to a company that is based on Apple's main competitor, Android. While he may indeed be conflicted, he has rightfully raised an important security issue that all sides have acknowledged is a problem, though perhaps not to the extent he has contended.

It should have nothing to do with who is affiliated with whom. It should only have to do with accurate reporting of the facts.

Apple has now begun providing additional information to the banks that should help deter some of the fraud. The banks, which are responsible for the costs of the frauds, have toughened standards to review customer sign-ups on Apple Pay. No bank executive would speak with me on the record for fear of upsetting their company's relationship with Apple.

Apple Pay provides enormous usability and security benefits. If the process on the bank's end can be strengthened as well, that's great for them, and great for retailers. (Apple has created a new Apple Pay FAQ to help.)

It's still incredibly curious that so many headlines appeared so quickly, all based on one blog post. Single sourcing isn't usually what publications of the stature of the Wall Street Journal or New York Times pride themselves on. It's also unfortunate that a problem facing banks and retailers was spun in a way that could, potentially, scare end-users who have absolutely no reason to be scared.

Worse, if there ever is a real problem with Apple Pay, something that people need to be made aware of, there's a risk of it getting lost in all the not-real noise.

The latest round reads like they're aware initial coverage has been recognized for the FUD that it was and they're simultaneously trying to back away while still maintaining as much cover under Apple as they can. My guess is that they're not backing away far enough, fast enough, and people are going to continue to realize the bad, potentially harmful coverage for what it is.

And that could be an even bigger problem for the people behind it.

Update 1: Newsweek riffed off the Times's headlines and narrative, but at the same time included:

A bank employee, who asked not to be named to avoid upsetting Apple, told Newsweek the actual percentage of fraud was much lower, but didn't provide any specifics.

Upsetting Apple by saying Apple Pay fraud was much lower than "reporting" would have us believe? Sounds like that would help, not hurt Apple. Or was it a typo and the author really meant it would upset banks or the media who've been misreporting it?

Update 2: CNN spoke to banks, which dismissed allegations tying Apple Pay to bank fraud.

[CNNMoney] spoke to the nation's largest banks, an association of community banks and Apple. The takeaway? This high level of fraud isn't really widespread. Banks also make this point: Banks get stuck with fraud costs. Yet dozens of small banks are in a long line to join Apple Pay by the end of 2015, according to L. Cary Whaley III, a technology policy expert at Independent Community Bankers of America. Why would they want to join if fraud is truly rampant?

It's beginning to sound like banks don't have their stories straight.

Rene Ritchie


  • Where there is smoke there is fire. It is obvious Apple and the banks need to work together to improve security. Rene, does Apple ever do or get anything wrong? It seems like your main job here is to deflect any criticism of Apple, no matter how trivial. Posted with my Sony Xperia Z3 via the iMore App for Android
  • The problem here is the banks; Apple Pay is shedding light on a problem only the banks and card issuers can solve. If a card number is not valid for whatever reason, so far as the bank is concerned, it should not be provisioned by the bank, period. The only thing Apple can do is not sell iPhones to criminals. Hard to solve that problem.
  • In fact I thought that was what the whole process of verifying the card with the card issuer in the first place? I know that if Apple Pay is 'insecure' then surely Google Wallet which I set up on my Nexus 5 is equally or more insecure. I didn't even have to go through a verification process for cards on that phone.
  • Totally not a fan of any mouse Apple has ever made. Feel better?
  • +1, neither am I
  • haha good one .... another +1 Sent from the iMore App
  • I just bought an apple mouse :-( I love it :-)
  • The newer Apple mice are much better - the zero button was is pretty cool, though a traditional 3 button, scroll wheel mouse that is accurate and responsive (with some feedback) is the best!
  • There seems to be a feeling that you are 'overly pro Apple’, for want of a better expression.
    Even before I read the article I knew it was by you just from the headline. Not that it’s a bad thing necessarily but can you see how others may think you have a bias?
  • Well, he is not the only one that has pointed this... so I don't think he is biased.
  • So if more than one person points something out it means they can’t be biased?
    Yes. That makes sense.
  • Sadly, as a society, we have come to a point that because someone writes a post pointing out the errors in other reports, that person is a "fanboy" - Sad, really. If you don't pre-judge this article because Rene wrote it, you would see that he points out the errors and misdirection the mainstream is reporting. Those errors and misdirections impact all of us in a negative way.
  • No we haven’t. There seems, (to my eyes), to almost be a tone to the way certain people write/speak/come across. This obviously affects how we perceive them.
    I didn’t know for sure until I got most of the way through it who wrote it. I can point out an error and put it in such a way as to appear objective, it doesn’t mean I will.
    I never suggested or said he was a Fanboy, merely wondered if he could see why people may think he was.
  • This is an Apple-centric blog. Even if there was bias...so what?
  • The problem is, for many of these people, anyone who says anything positive about Apple, and not actively taking them to the woodshed, is a sycophantic fanboy. When in fact, it's in reality their own knee-jerk reaction to hearing the word Apple.
  • EVERYONE has their bias - though some bias can be based or fully include reality (or their reality) - it is important to note that Steve Jobs was not the only one with a Reality Distortion Field® and often the ones with the actual RDF are sometimes not suspected of having one (and hence its greater effect). Also, many people simply do not understand a company that wants to design and make (and deliver) great products - vs one that is only concerned with making money (ROI and investor confidence). Of course any company ONLY focusing on profits/revenues will typically lose sight of said business and eventually (if not corrected) will lose all profits and revenues - ironic, but then we live in a backwards world. Just look at HP, Samsung and Amazon - for example. Apple moves forward and moves everyone else (including Android and Windows users). As they say, a rising tide lifts all boats.
  • Can we get an article ;)
  • @osallent If you can make a valid argument that Apple Pay is responsible for security weaknesses leading to fraudulent transactions, then by all means do so. Otherwise, keep your idiotic "fanboy" attacks to yourself and perhaps focus more of your attention on the malware magnet and personal information sieve you call a smartphone.
  • "Rene, does Apple ever do or get anything wrong? It seems like your main job here is to deflect any criticism of Apple, no matter how trivial." One might say that, as an Android user, your complaint has a clear anti-Apple bias. Just saying.
  • Or maybe the smoke & fire is caused by the huge pile of FUD that is being dumped on Apple Pay? Apple does get plenty wrong - your question just shows you are an insecure Fandroid. Fair and constructive criticism is not deflected and Apple has been doing a great job of making electronic payments both simple and secure - more secure than they used to be and more convenient than dealing with a wallet with a 22 card shuffle (not all credit cards, mind you).
  • @ osallent - Just as one might wonder, as an Android user, why would you, who can't use ApplePay and seemingly doesn't use an iDevice, visit an Apple-centric site? Are you just technologically bi-curious ; ) As regards the iMore comment section, why does a reply to a specific commenter end up in the middle of nowhere, rather than directly below the original comment?
  • Rene. Your stockholm syndrome is getting worse. Definitely your brain is raped by Apple ;)
  • Personal insults are way less effective than arguing facts, even with smileys :)
  • Your pathological obsession with apple and your hatred for Samsung is more of a fact than your personal opinions in this very article.
  • "My pathological obsession with Samsung and my hatred for Apple is more of a fact than your personal opinions in this very article." TFTFY
  • I think I'm good at staying up with current events, but I never see anything negative about Apple Pay on any site except for imore dot com. Lastly, I think imore is just fueling the so called hysteria surrounding Apple Pay.
  • +1 Sent from the iMore App
  • @CrzyP wrote: "I never see anything negative about Apple Pay on any site except for imore dot com."
    Pointing Fingers in Apple Pay Fraud
    http://www.nytimes.com/2015/03/17/business/banks-find-fraud-abounds-in-a...
    Fraud Rampant In Apple Pay
    http://apple.slashdot.org/story/15/03/17/1323258/fraud-rampant-in-apple-pay
    Apple Pay Sign-Ups Get Tougher as Banks Respond to Fraud
    http://blogs.wsj.com/totalreturn/2015/03/06/apple-pay-sign-ups-get-tough...
    Fraud Comes to Apple Pay
    http://blogs.wsj.com/digits/2015/03/03/fraud-comes-to-apple-pay/
    Apple Pay actually makes it really easy to commit credit card fraud
    http://www.cultofmac.com/310173/apple-pay-actually-makes-really-easy-com...
    APPLE PAY BEING HIT BY A SURPRISING AMOUNT OF FRAUD
    http://www.popsci.com/apple-pay-being-hit-surprising-amount-fraud
    Apple Pay Fraud: Who's to Blame, Apple or Wall Street?
    http://www.newsweek.com/apple-pay-fraud-whos-blame-apple-or-wall-street-...
    Top iOS news of the week: Apple Pay fraud
    http://www.zdnet.com/article/top-ios-news-of-the-week-apple-pay-fraud-en...
    Turns Out Apple Pay Can't Solve Credit Card Fraud
  • Ah ha ha ha ....
    Nice response. +1
  • Nothing wrong with the banks blaming everyone but them! They did it back in 2008 and they always blame the customers when the bank screws up something on their account so why would it be any different for them to blame Apple for their incompetence.
  • Yikes! You don't deserve this vitriol, Rene. But, Internet. Comments. Anyway, I thought I'd throw in that the author of the NYT piece, Andrew Ross Sorkin is a notorious shill for the banks, going back to at least the 2008 financial crisis. While I'm generally a fan of the Times, anything with his byline is automatically suspect to me.
  • one good shill deserves another...
  • And a good comment doesn't deserve a dumb one...
  • I'll point to this article when all my droid friends say "dude, crapple pay is insecure dude."
    The banks don't want to be outdone. And the false reports want the attention. Sent from the iMore App
  • I added a card today. Then I received a call from my bank's fraud dept asking for a bit of info. Seems like an easy way to verify the "transaction". Treat it as a possible fraud.
  • Funny that. I get calls from my bank too.
    Off topic but, I find it funny that they call you and you provide info. Last time they did that to me I asked them how much I last spent in PCWorld and when. They refused to answer, so it was goodbye and thank you.
  • Social engineering will always be an important factor in fraud. If someone gives up crucial info to an unverified source (such as your caller), where does the blame reside?
  • There are some great points made in this article but I do think the author is not seeing the forest through the trees. No doubt the banks are the biggest culprit for the fraud that is happening with Apple Pay but I feel like it's just as wrong to try to absolve Apple of any responsibility for it. Apple has complete control of Apple Pay. They have it in their power to require a stricter on-boarding approach. The always brilliant Ben Thompson summed it up best in a tweet earlier today: "You can't on one hand praise Apple for brilliant system design and on the other completely absolve them for creating problematic incentives." Unfortunately I get the feeling from the article the author would completely absolve Apple for creating problematic incentives.
  • Ben and I discussed it on twitter earlier today as well, and I thought Kontra nailed it in his response: It's like blaming the iPhone for AT&T's poor network quality in years past. Yes, the iPhone existing shed light on the problem, but the problem existed regardless of the iPhone.
  • The big difference I see is that there is nothing we could reasonably have expected Apple to do to make the ATT network work better. The problem with the banks certainly goes a lot deeper than Apple Pay but am I wrong to think they could have created and enforced a more secure on boarding process? It seems to me that Apple be taking advantage of the fact that in the end any fraud comes out of the pockets of the banks. As a result the design of Apple's on boarding process prioritizes getting accounts entered as easily as possible with security taking a back seat. In an alternate universe where Apple was on the hook for a portion of any fraud via Apple Pay would you agree the on boarding process would be dramatically different?
  • Great argument. Apple would probably make you go to an Apple store for that, in person, and taking some form of ID with a picture.
  • That response neglects Apple's position in the relationship, as pointed out by me in your last article about this and by medium on Twitter today - Apple could have established guidelines, or at minimum standards with penalties, for banks to follow in order to participate, just as they do for App developers. By virtue of their customer base, they had that power, and they certainly have not been afraid to wield it in any context. That they chose not to here - or, if they did, they did so ineffectively, bears some scrutiny. Laying 100% of the blame on the bank simply ignores how Apple conducts business since Jobs' return - they *never* offer an interface and then wash their hands of its use. They *tell* people how to use it, and often with maddeningly vague restrictions, and penalize those who do not toe the line. That they departed from their own best practices here, again, is worthy of scrutiny. Sent from the iMore App
  • How is it Apple's responsibility to fix banks' security problems for which they are entirely responsible and solutions for which are entirely under their control ? Here, I'll do it for them... "Hey banks, stop putting your bottom line ahead of your fraud reduction efforts." There. Now that the banks know what's up, I'm sure they'll resolve the issue promptly.
  • It's not their responsibility. However they did design the on-boarding process to prioritize simplicity over security. They didn't get the balance perfect and as a result they'll rightfully take a few lumps in the press. The people at Apple are extraordinarily smart. I'm certain they knew when they were developing it that they could have had secure on-boarding requirements as a requirement for banks to use their platform. Since any financial loss isn't their problem the incentives for Apple were to prioritize speed and simplicity over security.
  • So, so close. Try this: "Hey, banks, stop putting your bottom line ahead of your fraud reduction efforts *OR WE WILL NOT ALLOW YOU TO PARTICIPATE IN APPLE PAY*" Apple uniquely had this authority, and chose not to use it, or used it ineffectively. Put another way: "Hey Apple, stop putting your need to sign up banks for Apple Pay ahead of your traditional establishment and enforcement of partner standards" If only you would hold Apple to the same standards as you hold the banks ...
  • Agree +1 Posted via the iMore App for Android
  • +1
  • And it was the iPhone that enticed people onto AT&T's network! It was also Apple that conceded a mandatory $30 data plan. Is Apple not an accessory to the whole scene?
  • But you're assuming facts not in evidence. How does Apple dictate to the banks how they approve a card's being added to the Apple Pay system? The system is obviously secure, because it's social engineering and theft of cards and buying brand new phones to use with those cards that is making this possible. Nothing in Apple's system was designed to deal with this fraud from Apple's end. You're asking Apple to vet the cards from the Banks after the banks have already vetted them. Sorry, that doesn't wash.
  • Nope. I'm asking for Apple to establish (or have established) standards or guidelines, and hold the banks accountable for failures to meet those standards - something which Apple does eagerly in every other arena. Sent from the iMore App
  • Remember that Apple Pay has not created a new security vulnerability. It has facilitated a process whereby existing cardholders can make payments via their iPhone and has actually increased security and privacy in the process. Additionally, the risk of credit card fraud is ultimately borne by banks and merchants, not the cardholders, so Apple has not harmed Apple Pay customers in any way. While it may be in Apple's interest to look into any existing bank-side vulnerabilities that have been brought to light, and perhaps propose corrective measures as an act of good faith, they should not be admonished for failing to identify and solve every existing, self-inflicted security gap for the entire credit card banking industry.
  • It's always a problem when someone tries to distill a complex issue into a simple one, especially when they're uninformed about the industry. The truth is that blame should be shared - it's not all on Apple and it's not all on banks. The payments ecosystem is complex and these things always have growing pains. The author makes the same mistakes as the articles he criticizes, simply in reverse. Apple has tremendous market power and is deservedly using it to pressure/entice card issuers to sign up for Apple Pay. The fear for card issuers to be left behind by their competitors is high. Apple has taken the best part of SE and tokenization to build Apple Pay, but basically left a huge void in the user authentication area. Telling banks to figure it out themselves and then saying it's not our fault is a poor excuse.
    So without any sort of standard, banks have been rushing all sorts of solutions to market - whether it be having customers call in (very expensive), getting letters in the mail, SMS PINs and so on. Howev