Apple was recently in the news again, in a big way. Apple sold its billionth iPhone and had a quarterly profit of $18 billion, the largest ever reported by a public company. But while Apple was busy selling 30,000 iPhones an hour, an industry blog called Drop Labs raised an interesting point: ApplePay appears to provide a convenient vehicle for card-not-present (CNP) fraud. As summarized by Gizmodo:
"According to Drop Labs, people are buying credit card numbers online, then loading those same numbers into Apple Pay, in essence making themselves a handy fake credit card, without going to the trouble of making a physical fake. And it's not a small problem: Drop Labs claims that for some issuers, fraud levels are as high as 6% (meaning $6 of every $100 spent is fraudulent). That's bad even when compared to regular credit cards, whose fraud rate averages out at under 1%."
All it takes is a phone call
In addition to the traditional problem with mag stripe payment cards – it’s easy for fraudsters to execute transactions with stolen card numbers – Drop Labs points to a second problem that appears to be a flaw in the way Apple Pay is set up. Fraudsters are using stolen personal identification information (PII) to circumvent verification attempts, which are decidedly low-tech. From Gizmodo:
"In short, banks aren't taking the proper measures to ensure that the credit card owner is the one using the credit card in Apple Pay. According to Drop Labs, most banks use a phone call to authenticate when a card is loaded into Apple Pay, a method that's woefully inadequate."
Last month, after the Domino pizza delivery app was hijacked by criminals, I wondered, “Who will win the 2015 prize for fraudster innovation?” A few weeks later, whoever found this ApplePay loophole is certainly a contender. Why? It allows someone to use stolen card data for both online and in-person point-of-sale transactions.
Both the Dominos and ApplePay schemes show that fraudsters will exploit any weakness, especially well-publicized convenience innovations that are pushed out quickly for mass consumption. The impacted financial institutions were quick to work to re-evaluate their authentication methods, but it points out the rapid and creative ways in which fraudster can attack weaknesses.
Progress on the road to EMV
As I’ve mentioned many times before, CNP fraud spikes after markets shift from mag stripe card technology to EMV’s chip-and-PIN verification method. As one door closes with EMV (counterfeit cards at the point-of-sale), more fraudster energy will be spent on the CNP channel, finding ways turn stolen card data into stolen money.
But institutions can fight back. Check out my latest FICO Fraud Minute; in it I talk about CNP fraud and how to defend against it as EMV chip cards start to roll out. Don’t let a few bad, fraudulent apples spoil your day.
Your comments and social shares are welcome, thanks.