Who's to blame for Apple Pay fraud?

Apple Inc. has been slammed by a rash of fraudulent card payments at its retail outlets. The culprits are identity thieves who have been loading fraudulent card numbers into Apple Pay wallets and making high-value purchases (like iPads) that are easy to convert to cash. Much of the information being used was compromised during recent high-profile data breaches.

Cherian Abraham, a mobile commerce expert at Experian Information Services Inc.'s Global Consulting Practice, writes a blog called Drop Labs. He revealed in a post in February 2015 that identity thieves are buying the latest model of iPhones, loading stolen credit and debit card numbers onto Apple Pay wallets, and then using the wallets to purchase iPads and other high-ticket items.

As a result, fraud on Apple Pay, especially at Apple stores, is running as high as 600 basis points (or 6 percent), compared with an industry standard of less than 6 basis points. "At this point, EVERY issuer in [Apple Pay] has seen significant 'ongoing' provisioning fraud via customer account takeover," Abraham blogged.

Richard Crone, of Crone Consulting LLC, said during an interview with The Green Sheet that credit unions are getting hit the hardest by Apple Pay fraud. One reason: credit unions, in sheer numbers, dwarf the number of banks that have signed on with Apple Pay. Also, many credit unions lack the sophisticated fraud controls and customer screening procedures that larger banks employ. "The fraudsters know which financial institutions are most vulnerable," Crone said. "Those are the ones they are going after."

Red, yellow, green paths

The potential for fraud arises from the provisioning rules used by many financial institutions that signed on with Apple Pay. When a consumer adds a card to Apple Pay, Apple encrypts the information and sends it to the card-issuing bank or credit union along with other data Apple may have (such as device location and a history of the customer's iTunes transactions). The bank or credit union then uses the information to determine whether to approve adding the card to Apple Pay.

The bank or credit union can request additional customer verification steps, using emails, text messages or telephone calls. This is referred to as putting a card on a "yellow path," as opposed to a "green path" which deems the card OK for Apple Pay without additional verification. A red path indicates the card has been declined.

According to Crone, who has been mystery shopping Apple Pay, many financial institutions are using call center agents to further verify cardholders. Of 10 large Apple Pay issuing banks he recently shopped, only three required Crone to call the institutions' fraud departments before approving the card. For six, he had to dial in to the institutions' call centers. Call centers are easy to spoof, experts have noted. Most only ask for the last four digits of a customer's Social Security number (in addition to card numbers) which criminals with stolen identities have at the ready.

"Call centers are a poor approach" to verifying customers, Abraham said, adding "fraudsters are better at social engineering than call center reps are at sniffing out fraud."

Who's to blame?

Apple declined to comment on the issue for this article. But the Wall Street Journal reported recently that an Apple spokeswoman suggested the ball was in the issuers' court. The paper reported she noted that "banks are always reviewing and improving their approval process, which varies by bank."

Abraham rejects the notion that card-issuing banks and credit unions are at fault. So does Crone.

"One of the biggest gripes I've heard from issuers is the lack of transparency from Apple (what did they expect?) and the makeshift reporting provided to issuers that is proving to be woefully inadequate," Abraham wrote, adding there is a lack of "any kind of decent traceability to track fraudulent transactions back to their originating provisioning steps."

Crone, who worked with several clients evaluating Apple Pay, said many credit unions were strong armed into signing with Apple, which gave institutions less than a week to review the complex agreements the technology giant had drawn up. Most signed over fears of losing access to the millennials, Crone said. And despite the hefty fees Apple would impose on card issuers for transactions initiated using Apple Pay, "Apple accomplished in about five days what merchants could not accomplish in 10 years of litigation," Crone said. "Apple extracted a pound of flesh from issuers."

Editor's Note:

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.