Skip to main content

Headlines still trying, failing to link fraud to Apple Pay

Wells Fargo
Wells Fargo (Image credit: Wells Fargo)

It's important to keep saying that because publications keep making it a point to link Apple Pay and "fraud" in their headlines. It's important because those publications are spreading fear, uncertainty, and doubt about Apple Pay — which makes mobile payments more accessible and secures the very data often used to actually commit fraud — to the people for whom it is most beneficial. That's why, as the FUD keeps coming up, we're going to keep addressing it. The latest example comes by way of the New York Times:

The vulnerability in Apple Pay is in the way that it — and card issuers — "onboard" new credit cards into the system.

There's no "vulnerability" in Apple Pay. Apple Pay remains so secure the only way criminals can take advantage of it is through traditional social engineering attacks against banks. The "vulnerability" here is the approval process used by the banks.

Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process "frictionless," the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early.

Apple publicly documents (opens in new tab) the information it provides to banks, which includes the last four digits of the phone number, as well as the device name, iTunes account activity, and more. If my bank gets the last four digits of my telephone number, and compares them with what they have on file, they should easily be able to get my address and any other information on that file. Likewise the iTunes account information. They should then be able to match it to the card I'm trying to add and come to an informed decision as to what path needs to be followed for verification. If there's any doubt, for my own protection, they should "yellow path" me and pursue the additional verification options available to them.

Some bank executives acknowledged that they were were so scared of Apple that they didn't speak up. The banks didn't press the company for fear that they would not be included among the initial issuers on Apple Pay.

The banks aren't beholden to Apple, they're beholden to their customers. If, in their rush to jump on Apple Pay for first-mover or any other market advantage, they failed to protect their customers, then shame on them. Even if we accept the allegation that they were "scared" of Apple, shame on them.

This very much feels like banks throwing Apple under the bus — or into the headlines — because they didn't take action to prevent fraud and now want to shift blame. Here's what was previously reported:

The effects of those incidents are being felt for some time after the breaches in large part because financial institutions that issue cards typically don't launch broad-scale replacements of the affected plastic after a merchant is hacked.The card companies figure that the cost of potential fraud is often less than giving each customer a new card, according to payment experts and bank executives, and customers sometimes complain about the inconvenience of having to switch to new cards.

In other words, the banks ran the numbers and chose not to take measures that would have prevented fraud because it was cheaper for them simply to handle the fraud. That's fine. That's their business and their choice. Their choice not to cancel the card data, their choice to approve it for Apple Pay, and their responsibility for the resulting fraud.

Back to the Times:

It also appears that banks set up a flawed process to deal with the credit cards that it did flag. Affected users were directed to a customer care phone center, not a fraud prevention center. A customer care center's mission is to help customers use their cards, leading more fraudulent cards to be approved for use on Apple Pay.

Again, banks.

Some Apple supporters have sought to discredit Mr. Abraham based on his affiliation as an adviser to a company that is based on Apple's main competitor, Android. While he may indeed be conflicted, he has rightfully raised an important security issue that all sides have acknowledged is a problem, though perhaps not to the extent he has contended.

It should have nothing to do with who is affiliated with whom. It should only have to do with accurate reporting of the facts.

Apple has now begun providing additional information to the banks that should help deter some of the fraud. The banks, which are responsible for the costs of the frauds, have toughened standards to review customer sign-ups on Apple Pay. No bank executive would speak with me on the record for fear of upsetting their company's relationship with Apple.

Apple Pay provides enormous usability and security benefits. If the process on the bank's end can be strengthened as well, that's great for them, and great for retailers. (Apple has created a new Apple Pay FAQ to help.)

It's still incredibly curious that so many headlines appeared so quickly, all based on one blog post. Single sourcing isn't usually what publications the stature of the Wall Street Journal or New York Times pride themselves on. It's also unfortunate that a problem facing banks and retailers was spun in a way that could, potentially, scare end-users who have absolutely no reason to be scared.

Worse, if there ever is a real problem with Apple Pay, something that people need to be made aware of, there's a risk of it getting lost in all the not-real noise.

The latest round reads like they're aware initial coverage has been recognized for the FUD that is was and they're simultaneously trying to back away while still maintaining as much cover under Apple as they can. My guess is that they're not backing away far enough, fast enough, and people are going to continue to realize the bad, potentially harmful coverage for what it is.

And that could be an even bigger problem for the people behind it.

Update 1: Newsweek riffed off the Times's headlines and narrative, but at the same time included:

A bank employee, who asked not to be named to avoid upsetting Apple, told Newsweek the actual percentage of fraud was much lower, but didn't provide any specifics.

Upsetting Apple by saying Apple Pay fraud was much lower than "reporting" would have us believe? Sounds like that would help, not hurt Apple. Or was it a typo and the author really meant it would upset banks or the media who've been misreporting it?

Update 2: CNN spoke to banks, which dismissed allegations tying Apple Pay to bank fraud.

[CNNMoney] spoke to the nation's largest banks, an association of community banks and Apple. The takeaway? This high level of fraud isn't really widespread.Banks also make this point: Banks get stuck with fraud costs. Yet dozens of small banks are in a long line to join Apple Pay by the end of 2015, according to L. Cary Whaley III, a technology policy expert at Independent Community Bankers of America. Why would they want to join if fraud is truly rampant?

It's beginning to sound like banks don't have their stories straight.

Rene Ritchie
Rene Ritchie

Rene Ritchie is one of the most respected Apple analysts in the business, reaching a combined audience of over 40 million readers a month. His YouTube channel, Vector, has over 90 thousand subscribers and 14 million views and his podcasts, including Debug, have been downloaded over 20 million times. He also regularly co-hosts MacBreak Weekly for the TWiT network and co-hosted CES Live! and Talk Mobile. Based in Montreal, Rene is a former director of product marketing, web developer, and graphic designer. He's authored several books and appeared on numerous television and radio segments to discuss Apple and the technology industry. When not working, he likes to cook, grapple, and spend time with his friends and family.

81 Comments
  • Where there is smoke there is fire. It is obvious Apple and the banks need to work together to improve security. Rene, does Apple ever do or get anything wrong? It seems like your main job here is to deflect any criticism of Apple, no matter how trivial. Posted with my Sony Xperia Z3 via the iMore App for Android
  • The problem here is the banks; Apple Pay is shedding light on a problem only the banks and card issuers can solve. If a card number is not valid for whatever reason, so far as the bank is concerned, it should not be provisioned by the bank, period. The only thing Apple can do is not sell iPhones to criminals. Hard to solve that problem.
  • In fact I thought that was what the whole process of verifying the card with the card issuer in the first place? I know that if Apple Pay is 'insecure' then surely Google Wallet which I set up on my Nexus 5 is equally or more insecure. I didn't even have to go through a verification process for cards on that phone.
  • Totally not a fan of any mouse Apple has ever made. Feel better?
  • +1, neither am I
  • haha good one .... another +1 Sent from the iMore App
  • I just bought an apple mouse :-( I love it :-)
  • The newer Apple mice are much better - the zero button was is pretty cool, though a traditional 3 button, scroll wheel mouse that is accurate and responsive (with some feedback) is the best!
  • There seems to be a feeling that you are 'overly pro Apple’, for want of a better expression.
    Even before I read the article I knew it was by you just from the headline. Not that it’s a bad thing necessarily but can you see how others may think you have a bias?
  • well he is not the only one that has pointed this... so i don't think he is biased.
  • So if more than one person points something out it means they can’t be biased?
    Yes. That makes sense.
  • Sadly, as a society, we have come to a point that because someone writes a post pointing out the errors in other reports, that person is a "fanboy" - Sad, really. If you don't pre-judge this article because Rene wrote it, you would see that he points out the errors and misdirection the mainstream is reporting. Those errors and misdirections impact all of us in a negative way.
  • No we haven’t. There seems, (to my eyes), to almost be a tone to the way certain people write/speak/come across. This obviously affects how we perceive them.
    I didn’t know for sure until I got most of the way through it who wrote it. I can point out an error and put it in such a way as to appear objective, it doesn’t mean I will.
    I never suggested or said he was a Fanboy, merely wondered if he could see why people may think he was.
  • This is an Apple-centric blog. Even if there was bias...so what?
  • The problem is, for many of these people, anyone who says anything positive about Apple, and not actively taking them to the woodshed, is a sycophantic fanboy. When in fact, it's in reality their own knee-jerk reaction to hearing the word Apple.
  • EVERYONE has their bias -though some bias can be based or fully include reality (or their reality) - it is important to note that Steve Jobs was not the old one with a Reality Distortion Field® and often the ones with the actual RDF are sometimes not suspected of having one (and hence its greater effect). Also, many people simply do not understand a company that wants to design and make (and deliver) great products - vs one that is only concerned with making money (ROI and investor confidence). Of course any company ONLY focusing on profits/revenues will typically lose site of said business and eventually (if not correct) will lose all profits and revenues - ironic, but then we live in a backwards world. Just look at HP, Samsung and Amazon - for example. Apple moves forward and moves everyone else (including Android and Windows users). As they say, a rising tide lifts all boats.
  • Can we get an article ;)
  • @osallent If you can make a valid argument that Apple Pay is responsible for security weaknesses leading to fraudulent transactions, then by all means do so. Otherwise, keep your idiotic "fanboy" attacks to yourself and perhaps focus more of your attention on the malware magnet and personal information sieve you call a smartphone.
  • "Rene, does Apple ever do or get anything wrong? It seems like your main job here is to deflect any criticism of Apple, no matter how trivial." One might say that, as an Android user, your complaint has a clear anti-Apple bias. Just saying.
  • Or maybe the smoke & fire is caused by the hug pile of FUD that is being dumped on Apple Pay? Apple does get plenty wrong - you question just shows you are an insecure Fandroid. Fair and constructive criticism is not deflected and Apple has doing a great job of making electronic payments both simple and secure - more secure than they used to be and more convenient than deal with a wallet with a 22 card shuffle (not all credit cards, mind you).
  • @ osallent - Just as one might wonder, as an Android user, why would you, who can't use ApplePay and seemingly doesn't use an iDevice, visit an Apple-centric site? Are you just technologically bi-curious ; ) As regards the iMore comment section, why does a reply to a specific commenter end up in the middle of nowhere, rather than directly below the original comment?
  • Rene. Your stockholm syndrome is getting worse. Definitely your brain is raped by Apple ;)
  • Personal insults is way less effective than arguing facts, even with smileys :)
  • Your pathological obsession with apple and your hatred for Samsung is more of a fact than your personal opinions in this very article.
  • "My pathological obsession with Samsung and my hatred for Apple is more of a fact than your personal opinions in this very article." TFTFY
  • I think I'm good at staying up with current events, but I never see anything negative about Apple Pay on any site except for imore dot com. Lastly, I think imore is just fueling the so called hysteria surrounding Apple Pay.
  • +1 Sent from the iMore App
  • @CrzyP wrote: " I never see anything negative about Apple Pay on any site except for imore dot com." Pointing Fingers in Apple Pay Fraud
    http://www.nytimes.com/2015/03/17/business/banks-find-fraud-abounds-in-a... Fraud Rampant In Apple Pay
    http://apple.slashdot.org/story/15/03/17/1323258/fraud-rampant-in-apple-pay Apple Pay Sign-Ups Get Tougher as Banks Respond to Fraud
    http://blogs.wsj.com/totalreturn/2015/03/06/apple-pay-sign-ups-get-tough... Fraud Comes to Apple Pay
    http://blogs.wsj.com/digits/2015/03/03/fraud-comes-to-apple-pay/ Apple Pay actually makes it really easy to commit credit card fraud
    http://www.cultofmac.com/310173/apple-pay-actually-makes-really-easy-com... APPLE PAY BEING HIT BY A SURPRISING AMOUNT OF FRAUD
    http://www.popsci.com/apple-pay-being-hit-surprising-amount-fraud Apple Pay Fraud: Who's to Blame, Apple or Wall Street?
    http://www.newsweek.com/apple-pay-fraud-whos-blame-apple-or-wall-street-... Top iOS news of the week: Apple Pay fraud
    http://www.zdnet.com/article/top-ios-news-of-the-week-apple-pay-fraud-en... Turns Out Apple Pay Can't Solve Credit Card Fraud
    http://gizmodo.com/turns-out-apple-pay-cant-solve-credit-card-fraud-1681...
  • Ah ha ha ha ....
    Nice response. +1
  • Nothing wrong with the banks blaming everyone but them! They did it back in 2008 and they always blame the customers when the bank screws up something on their account so why would it be any different for them to blame Apple for their incompetence.
  • Yikes! You don't deserve this vitriol, Rene. But, Internet. Comments. Anyway, I thought I'd throw in that the author of the NYT piece, Andrew Ross Sorkin is a notorious shill for the banks, going back to at least the 2008 financial crisis. While I'm generally a fan of the Times, anything with his byline is automatically suspect to me.
  • one good shill deserves another...
  • And a good comment doesn't deserve a dumb one...
  • I'll point to this article when all my droid friends say "dude, crapple pay is insecure dude."
    The banks don't want to be outdone. And the false reports want the attention. Sent from the iMore App
  • I added a card today. Then I received a call from my bank's fraud dept asking for a bit of info. Seems like an easy way to verify the "transaction". Treat it as a possible fraud.
  • Funny that. I get calls from my bank too.
    Off topic but, I find it funny that they call you and you provide info. Last time they did that to me I asked them how much I last spent in PCWorld and when. They refused to answer, so it was goodbye and thankyou.
  • Social engineering will always be an important factor in fraud. If someone gives up crucial info to an unverified source (such as your caller), where does the blame reside?
  • There are some great points made in this article but I do think the author is not seeing the forest through the trees. No doubt the banks are the biggest culprit for the fraud that is happening with Apple Pay but I feel like it's just as wrong to try to absolve Apple of any responsibility for it.. Apple has complete control of Apple Pay. They have it in their power to require a stricter on-boarding approach. The always brilliant Ben Thompson summed it up best in a tweet earlier today: "You can't on one hand praise Apple for brilliant system design and on the other completely absolve them for creating problematic incentives." Unfortunately I get the feeling from the article the author would completely absolve Apple for creating problematic incentives.
  • Ben and I discussed it on twitter earlier today as well, and I thought Kontra nailed it in his response: It's like blaming the iPhone for AT&T's poor network quality in years past. Yes, the iPhone existing shed light on the problem, but the problem existed regardless of the iPhone.
  • The big difference I see is that there is nothing we could reasonably have expected Apple to do to make the ATT network work better. The problem with the banks certainly goes a lot deeper than Apple Pay but am I wrong to think they could have created and enforced a more secure on boarding process? It seems to me that Apple be taking advantage of the fact that in the end any fraud comes out of the pockets of the banks. As a result the design of Apples on boarding process prioritizes getting accounts entered as easily as possible with security taking a back seat. In an alternate universe where Apple was on the hook for a portion of any fraud via Apple Pay would you agree the on boarding process would be dramatically different?
  • Great argument. Apple would probably make you go to an Apple store for that, in person, and taking some form of ID with a picture.
  • That response neglects Apple's position in the relationship, as pointed out by me in your last article about this and by medium on Twitter today - Apple could have established guidelines, or at minimum standards with penalties, for banks to follow in order to participate, just as they do for App developers. By virtue of their customer base, they had that power, and they certainly have not been afraid to wield it in any context. They they chose not to here - or, if they did, they did so ineffectively, bears some scrutiny. Laying 100% of the blame on the bank simply ignores ho Apple conducts business since Jobs' return - they *never* offer an interface and then wash their hands of its use. They *tell* people how to use it, and often with maddeningly vague restrictions, and penalize those who do not toe the line. That they departed from their own best practices here, again, is worthy of scrutiny. Sent from the iMore App
  • How is it Apple's responsibility to fix banks' security problems for which they are entirely responsible and solutions for which are entirely under their control ? Here, I'll do it for them... "Hey banks, stop putting your bottom line ahead of your fraud reduction efforts." There. Now that the banks know what's up, I'm sure they'll resolve the issue promptly.
  • It's not their responsibility. However they did design the on-boarding process to prioritize simplicity over security. They didn't get the balance perfect and as a result they'll rightfully take a few lumps in the press. The people at Apple are extraordinarily smart. I'm certain they knew when they were developing it that they could have had secure on-boarding requirements as a requirement for banks to use their platform. Since any financial loss isn't their problem the incentives for Apple were to prioritize speed and simplicity over security.
  • So, so close. Try this: "Hey, banks, stop putting your bottom line ahead of your fraud reduction efforts *OR WE WILL NOT ALLOW YOU TO PARTICIPATE IN APPLE PAY*" Apple uniquely had this authority, and chose not to use it, or used it ineffectively. Put another way: "Hey Apple, stop putting your need to sign up banks for Apple Pay ahead of your traditional establishment and enforcement of partner standards" If only you would hold Apple to the same standards as you hold the banks ...
  • Agree +1 Posted via the iMore App for Android
  • +1
  • And it was the iPhone that enticed people onto AT&T's network! It was also Apple that conceded a mandatory $30 data plan. Is Apple not an accessory to the whole scene?
  • But you're assuming facts not in evidence. How does Apple dictate to the banks how they approve a card's being added to the Apple Pay system? The system is obviously secure, because it's social engineering and theft of cards and buying brand new phones to use with those cards that is making this possible. Nothing in Apple's system was designed to deal with this fraud from Apple's end. You're asking Apple the vet the cards from the Banks after the banks have already vetted them. Sorry, that doesn't wash.
  • Nope. I'm asking for Apple to establish (or have established) standards or guidelines, and hold the banks accountable for failures to meet those standards - something which Apple does eagerly in every other arena. Sent from the iMore App
  • Remember that Apple Pay has not created a new security vulnerability. It has facilitated a process whereby existing cardholders can make payments via their iPhone and has actually increased security and privacy in the process. Additionally, the risk of credit card fraud is ultimately borne by banks and merchants, not the cardholders, so Apple has not harmed Apple Pay customers in any way. While it may be in Apple's interest to look into any existing bank-side vulnerabilities that have been brought to light, and perhaps propose corrective measures as an act of good faith, they should not be admonished for failing to identify and solve every existing, self-inflicted security gap for the entire credit card banking industry.
  • It's always a problem when someone tries to distill a complex issue into a simple one, especially when they're uninformed about the industry. The truth is that blame should be shared - it's not all on Apple and it's not all on banks. The payments ecosystem is complex and these things always have growing pains. The author makes the same mistakes as the articles he criticizes, simply in reverse. Apple has tremendous market power and is deservedly using it to pressure/entice card issuers to sign up for Apple Pay. The fear for card issuers to be left behind by their competitors is high. Apple has taken the best part of SE and tokenization to build Apple Pay, but basically left a huge void in the user authentication area. Telling banks to figure it out themselves and then saying it's not our fault is a poor excuse.
    So without any sort of standard, banks have been rushing all sorts of solutions to market - whether it be having customers call in (very expensive), getting letters in the mail, SMS PINs and so on. However Apple has the most information about the consumer and the device and shares very little of that with the banks so make informed decisions (and no phone number is nowhere near enough)- resulting in the bad and fragmented solutions above.
    So Apple is taking some good steps - such as increasing the amount of data exposed to card issuers to make better automated decisions. Honestly, they should have taken it a bit further and have developed a parallel authentication standard with the card networks - something like Verified by Visa or MasterCard SecureCode on steroids, but a straight data service where Apple could control the UI and presentation of that data. Long term and especially globally, there's going to have to be a more controlled standard as the fragmentation and potential fraud is going to increase exponentially outside the US.
  • +1
  • Not sure that apple should share any of the blame on this. There will be certain points of failure, but those can be called out. Target had a point of failure...but it wasn't because of Visa. So let's not "share" the blame with visa. Sent from the iMore App
  • Exactly. According to some of these people, if Target decides to accept Apple Pay then it's Apple's responsibility to fix their internal security issues as well.
  • It's pointing out that the system is a bit broken to say the least and touting "Security" means nothing if that security is easily circumvented if not exploited. Apple and Google and Samsung and ALL of the rest with mobile payment systems, along with banks, need to come up with a better end to end solution. Posted via the iMore App for Android
  • So if you buy an S Class Mercedes requiring 95 octane gas, but choose to use 87, are you going to tell Mercedes that they should share the blame for poor performance/broken engine? Or if you have ADT install a security system, are you going to ask them to share the blame when your house gets broken into because you didn't arm the system before leaving?
  • Apple pay is so "insecure" that another 39 banks just signed up bringing the total in excess of 100. All we need now are more vendors
  • Uh. Credit cards are accepted at many more locations than Apple Pay....which are supposedly insecure...so they have NOTHING in common(# of accepted Apple Pay banks & security) Posted via the iMore App for Android
  • High time  Pay now spreads to International market... road ahead is difficult due to local regulations but once approved; will get more merchants to sign up Sent from the iMore App
  • I'm not sure about this issue. Not one of my card was just added, they all required two step verification, especially Chase, but it was no issue and took maybe 30 seconds. Posted via the iMore App for Android
  • What matters for Apple is getting people to use it. If the average person is already nervous about this, then seeing these type of articles will probably seal it for them in they'll pass on it. Doesn't matter whose fault it is. That makes it Apple's problem. If they can bring this about and sign on banks, then they can help solve these type problems as well. I don't see what purpose is served by pointing out who should get the blame. They're in it together. They all get the blame.
  • Bank signup is not a problem.
  • Always amazed by the shared insanity of Apple trolls. To actually waste their time on a site about a company they don't like, waiting for stories to pounce on....get a life.
  • Your spot on Rene! Thanks for a well written piece. The problem with The NYT and many other media outlets is they somehow seem to be influenced by Wall Street Market Mskers who want to push the stock in a certain direction. If you study the Apple options market and align that with sll the FUD it makes more sense. Just like some media outlets were influenced/bought off by Samsung they now are being influenced by W.$. Someone should get a trader on to discuss this and wake everyone up. Thanks!
  • This is not the banks complaining, this is a consultant with the opposition mobile payment processor companies trying to cast dirt on Apple, along with some lazy journalism.
  • The journalism has been hyperbolic for sure but we shouldn't pretend that Apple has completely clean hands. They own the platform and are allowing an on-boarding process that doesn't prioritize security. Since they feel none of the financial implications of the fraud their incentives were to design the platform for the simplest on boarding process possible. That's a business decision and honestly not surprising as in the end they'll make a lot more money by speeding up adoption. The one cost to Apple is that with a flawed on-boarding process there will be a bit of bad press. A trade-off they deem as worth making.
  • Not true. The "bad press" is coming from a single source. Note that no banks are talking about this and it's not because they fear Apple in any way. It's that they really don't have anything to talk about. Most have PR departments that have plenty of real situations to focus on. If they were talking, I'm sure they'd be pointing to extremely low fraud numbers comparatively. Apple put a solid provisioning process in place and the majority of cards are being yellow pathed. From there, it's really comes down to the security procedures for each FI, which isn't Apple's business. They provide plenty of info to the FI through the card networks. One other thing to consider - have we seen any consumers complaining about this at all? Don't you find it funny that you only have satisfied and enthusiastic Apple Pay users amidst this supposed plague of fraud? Kudos to Rene for calling the press out on this one. It's been shockingly bad. The consultant really hit a home run in terms of free advertising.
  • So Adam, do you believe that if Apple had to bear a portion of the financial responsibility for fraudulent Apple Pay transactions that the on-boarding process would be identical to what it is now? As for consumer complaints about this... I know you don't think there is a lot of fraud happening currently from your first paragraph but just as a thought experiment assume there is tons of fraud happening. In what scenario would you ever expect to see a consumer complain about Apple Pay fraud? If someones card is stolen and they find unauthorized charges the consumer would never know how those unauthorized charges are made. I can tell you for me personally, I love Apple Pay. At the same time I do think if Apple had more of an incentive to make the on-boarding process secure they are talented enough to do so. As a consumer, in the end I'm not worried about the fraud as even if I personally have a card stolen I'm not liable. No incentive for me to care. The one good thing about bad press is if it makes Apple think about improving the balance between security and simplicity everyone wins.
  • Can you tell us how the provisioning process is not secure? If cards are being provisioned via the FI's call center using the exact same ID verification process that the FI employs for activations, etc., how is Apple responsible for the FI's fraud? How could Apple perfect their role in the process? Apart from flagging a card and sending the user to their FI for verification, how exactly is Apple supposed to harden the process? They're already providing device level information via the card network provisioning portals. They require an Apple ID as part of the process and they do cross-reference multiple data points against Apple ID account info in determining status. I can tell you with certainty that most cards get sent on the yellow path so it's almost a given that if you're a bad guy trying to add a card to passbook that hasn't been used with your Apple ID, you're going to be on the phone with a bank. From there, the onus is on the FI. I do believe that the process is sound as-is, have seen nothing to lead me to believe it isn't and I don't believe Apple would be doing their part any differently regardless of who's bearing the burden for fraud losses. If break downs are happening, it's happening at the financial institutions that have lax protocol. I'm sure many are treating provisioning as a high risk transaction, making it very unlikely that many bad guys are making it through. You do have a good point about consumers not necessarily being aware of the source of card fraud. I would say, however, that if Apple Pay was driving a meaningful uptick in card fraud, you'd most certainly have stories originating from multiple sources because as you point out, there are liable parties involved. I'd be willing to bet that cumulatively across the entire industry, you're looking at losses in the hundreds of thousands since launch compared to the $7.1B lost in the US last year due to standard card fraud. While it will vary by FI given size and approach to verification, I'm sure there are plenty of Apple Pay partners with no AP-related losses due to their own good security practices.
  • Here, here Rene. I was a QSA doing PCI compliance work for 18 months. The crap I saw from little guys to big companies, including financial institutions, is mind boggling. To the point I want to get rid of my credit cards and hide all my cash in a mattress.
  • Any news on apple pay in the UK? Sent from the iMore App
  • What's really sad is, that NYT article is working. The comments read like "I won't trust my credit info with Apple after this" and "It's all Apple's fault, they built the system." Isn't it interesting that "Thieves start with a stolen credit card" turned into "I don't trust my OWN card in Apple Pay"? If I was Apple I'd start going after some of these news sites for slander (or whatever it is when someone writes false info about you) and make them change the story to include the FACTS, but maybe Apple figures it'll just go away quietly in the end.
  • Timing is also really interesting too. The first wave of articles based on Abraham's blog post was at Apple earnings time. The next wave hit during Mobile World Congress week, when Samsung Pay and Google Pay hit the news cycle. Not a single article with a source outside of Abraham and he himself could not produce a single named source for his information. The good part is that most rational people have seen through it immediately, recognizing that it's really ID theft that we're talking about, not a vulnerability. If the stories were indeed impacting Apple Pay adoption, I'm fairly certain you'd see some messaging coming from Apple and it's partners to reassure people.
  • Adam, it is all about incentives. No one is getting their credit cards stolen *because* of Apple Pay. There is no incentives for the banks or Apple to say a word about it regardless of how much fraud there is. Consumers don't have to worry either way, once a card is stolen whether it's used 1 time or a 100 times it makes no difference to them. I think the articles have been hyperbolic and exaggerated but not materially wrong. The only reason it is reported at all is because of Apple and again that is because this all has zero impact on consumers. Always look at incentives and as a result of what isn't said. When Apple touts the success of Apple Pay roll out take note how there is no messaging on how much it's reduced fraud. If fraud wasn't an issue with Apple Pay, that is the type of thing that they would be touting in press releases along with how quickly it is being adopted.
  • Agreed. Tokenization has absolutely taken a huge source of card fraud out of the equation when payments are made via solutions like Apple Pay and as acceptance increases, I'm confident that overall losses will shrink across the industry. Most card fraud happens via counterfeit plastic cards at the point of sale. About a third of it is CNP (Card Not Present) done over the web, phone or mail using skimmed or stolen card data. As a thought exercise, put yourself in the shoes of a bad guy who has some stolen card info along with some additional PII. Would you really go through the trouble of calling a bank in an attempt to provision a stolen card into a purely electronic spend instrument on a traceable device requiring an Apple ID? Or would you instead opt for a far more anonymous, terrestrial route that's also far more widely accepted at this point in time? More than that, if you've stolen an identity to the point where you can dupe a bank's call center into giving you account access, why would you fiddle with card provisioning when you have far more lucrative options such as account takeover, loan fraud, etc.?
  • I work for a bank that partners with Apple on this and can say that I personally have seen zero fraud related to ApplePay. That said, it seems that the most secure way to assign a card to ApplePay for a user is to take the setup suggestion and use the card that is already associated with iTunes. This would be a card that Apple already knows belongs to you. I'd like to see a secondary step with banks if you add a card that Apple doesn't already associate with you.
  • I get very tired of the tendency to tar someone's reputation because they are "biased." The article says that Apple Pay has a flaw, but they point to the process of sending a card to a verified person. Apple Pay itself has no known security holes as of this moment. On the other hand, many thousands of new cards are stolen from mailboxes every month. The banks seem to need some schooling on how to verify your cards. On the other hand, compare this to every-day fraud in the bank card industry, which writes off billions a year because they apparently can't be bothered to figure out how to verify the identity of their card holder and the fact that they sent that card to that person.
  • No system is flawless.
  • Careful, you may be labelled a troll!
  • Two things to note; 1. "The banks, which are responsible for the costs of the frauds,..." That's the biggest lie in the industry, it's the merchant that loses.
    2. You put your card, in your phone, you're an idiot!