Banks tightening up credit card addition process for Apple Pay
NewsPoster
MacNN Staff
Join Date: Jul 2012
Mar 7, 2015, 11:10 AM
 
In the wake of erroneous reports in the mainstream media that Apple Pay was in some fashion vulnerable, compared to our more accurate analysis of the issue, they at least got one point right -- many banks had light security on Apple Pay card account establishment. Over the course of the week, and in light of the negative publicity, this appears to be changing. Reports are coming in that some of the more vulnerable banks are tightening up Apple Pay account establishment, with multiple identification steps required, where there may have previously only been one, poorly-secured, method of adding credit cards.

Some banks, it has been discovered, immediately accepted cards added by a user with no verification process - a so-called "green path" -- while some used information gathered by Apple at the time of the card being added. Data used for identification includes identity of the device being used to add the card, the device's location, and some information about how long the user has been an iTunes customer and whether they've been an active purchaser. This information is only available to the banks during the card-addition process.

Some banks, however, are not stringent about checking the identity of the user adding the credit card, allowing thieves to add stolen credit cards -- which are then authorized for use with Apple Pay. Ironically, the criminals then use the Apple Pay authorization to buy things mostly at Apple retail stores -- reports say about 80 percent of the fraud that happens as a result of the weakened bank security occurs in Apple Stores, since the company sells mostly highly-coveted and resell-able popular electronics.

Over the course of the week, banks have started sending one-time authorization codes to a customer's established email or mobile phone number that's entered during the Apple Pay setup. A credit card on file with iTunes is generally considered pre-authorized. Additionally, banks are asking customers to call a bank, where a representative verifies the identity of the person with a combination of security questions, as well as queries about recent purchases.

Cherian Abraham, a mobile-payments specialist, summarized the situation by saying that at this point, "every issuer [bank] in Apple Pay has seen significant ongoing provisioning fraud via customer account takeover. The soft underbelly [of mobile payments] proved to be [the] provisioning of cards" by the banks, rather than the online component.
( Last edited by NewsPoster; Mar 7, 2015 at 05:38 PM. )
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 7, 2015, 12:36 PM
 
Why are the reports erroneous?

Who is to say that ID verification couldn't be in Apple's domain, rather than solely the bank's? There are a number of ways Apple can verify ID without cooperation from banks/EMV, by better verifying that individual. Better KYC (know your customer) generally helps reduce fraud, as in many cases an attempt to use a stolen credit card is not accidental, but with specific intent. There are ways to assess an individual's fraudulent history, such as via APIs that verify government ID, or verify ID via online and social data.

Granted, bank/EMV cooperation would be ideal, but this doesn't mean Apple can just point fingers and assume zero responsibility.
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Mar 7, 2015, 02:22 PM
 
Originally Posted by besson3c View Post
Why are the reports erroneous?
Because saying that Apple Pay is insecure and using it will get your identity stolen gets more clicks than the truth, which is the banks are following shoddy security practices.

Who is to say that ID verification couldn't be in Apple's domain, rather than solely the bank's? There are a number of ways Apple can verify ID without cooperation from banks/EMV, by better verifying that individual. Better KYC (know your customer) generally helps reduce fraud, as in many cases an attempt to use a stolen credit card is not accidental, but with specific intent. There are ways to assess an individual's fraudulent history, such as via APIs that verify government ID, or verify ID via online and social data.
Apple can, and Apple does, and I mentioned how in this article. However, in absence of Apple's KYC, when the banks ask for nothing from the consumer, that's the bank's problem, not an inherent security issue for Apple Pay, which is what the non-tech press called (and calls!) it.

Granted, bank/EMV cooperation would be ideal, but this doesn't mean Apple can just point fingers and assume zero responsibility.
Apple isn't, I am.

The facts are clear.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 7, 2015, 02:55 PM
 
Originally Posted by Mike Wuerthele View Post
Because saying that Apple Pay is insecure and using it will get your identity stolen gets more clicks than the truth, which is the banks are following shoddy security practices.



Apple can, and Apple does, and I mentioned how in this article. However, in absence of Apple's KYC, when the banks ask for nothing from the consumer, that's the bank's problem, not an inherent security issue for Apple Pay, which is what the non-tech press called (and calls!) it.



Apple isn't, I am.

The facts are clear.


No, these aren't facts.

ID verification is a joint responsibility. If a terrorist were to board a plane would you blame the airport while letting the airlines off-the-hook completely, or vice versa?

That Apple Pay does not include its own ID verification is an inherent flaw of Apple Pay, period. There are a number of ID verification services available for use:

AuthenticID | Identity Authentication and Verification Solution
Socure - Identity Fraud Detection Software. Online ID Verification Service.
Jumio :: Scan and Validate Credit Cards and IDs

Apple could also build their own.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 7, 2015, 02:57 PM
 
I know this is an Apple fan site, but...
     
Mike Wuerthele
Managing Editor
Join Date: Jul 2012
Mar 7, 2015, 03:13 PM
 
So, this is somehow an insecurity in Apple Pay, then? So, Apple needs to further query cards that the BANK accepts as valid and tells Apple so?

If it's a duck, call it a duck. If there's a problem, it needs to be pointed at accurately, without sensationalism which is what the mainstream press is doing. The banks are screwing up, and fixing the problem. Their crappy validation isn't Apple's problem. Apple DOES have identity verification. A card that has been approved by either itself or the banks must have a TouchID or passcode entered before use.

If the flaw was on Apple's part, we'd say so. We frequently criticize Apple -- see our commentary on the 2011 MacBook Pro GPU issue for the last four years.

This isn't Apple's fault in any way. The Washington Post and the Wall Street Journal crying that Apple Pay is insecure is bullcrap, with a headline designed to garner clicks.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 7, 2015, 03:47 PM
 
Originally Posted by Mike Wuerthele View Post
So, this is somehow an insecurity in Apple Pay, then? So, Apple needs to further query cards that the BANK accepts as valid and tells Apple so?

If it's a duck, call it a duck. If there's a problem, it needs to be pointed at accurately, without sensationalism which is what the mainstream press is doing. The banks are screwing up, and fixing the problem. Their crappy validation isn't Apple's problem. Apple DOES have identity verification. A card that has been approved by either itself or the banks must have a TouchID or passcode entered before use.

If the flaw was on Apple's part, we'd say so. We frequently criticize Apple -- see our commentary on the 2011 MacBook Pro GPU issue for the last four years.

This isn't Apple's fault in any way. The Washington Post and the Wall Street Journal crying that Apple Pay is insecure is bullcrap, with a headline designed to garner clicks.

Yes it is Apple's fault, in part. Stop the Apple fanboyism, it's silly. I've explained what Apple can do to provide ID verification of their own, and you are putting your fingers in your ears.

I'll grant you that there are sensational headlines, I'm not claiming otherwise. I would also agree that the bulk of the responsibility should be with the banks/EMV, but we don't live in a perfect world. I'm saying, again, that Apple shares responsibility in ID verification, it cannot simply skirt responsibility.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 7, 2015, 03:54 PM
 
If your argument is a semantic argument that Apple is not *literally* responsible for ID verification because they do not have full control over these credit cards, this is also a silly argument. Apple integrates with Google, Facebook, and a number of third party APIs within their OS. If there is a problem with these services they can't just say "not our fault, too bad, so sad", they have equal responsibility to somehow work around this issue until it can be resolved. At the end of the day it is their product offering.

This would also be a silly argument though, because it would be illogical to expect banks/EMV to provide the leadership needed in this space. Like I said, there are several services that will verify the security features and authenticity of government issued ID, and there also exists ways Apple could analyze social/online footprints of users.

Being a big company comes with it big responsibilities. If you want to play in this space you need to put your big boy pants on.
     
koolkid1976
Fresh-Faced Recruit
Join Date: May 2003
Location: Meriden, CT
Mar 9, 2015, 07:12 AM
 
besson3c, you're not making much sense. Wouldn't have anything to do with being Clinically Insane would it? You expect Apple to take control of the cards from the banks? Keep them out of the loop for how their customers use their card? (adding it to Apple Pay). Does that make sense? Or do you expect Apple to keep them in the loop, but when the bank approves the card addition to Apple Pay, Apple will then say "no. we refuse this card because we access online social data, and it proves that you are not you"? In the case of an error, does the customer then call Apple and provide the necessary information to prove who they are (like Apple is a financial institution with everyone's financial history), or do they call the bank who already approved them, to tell Apple to approve the card addition?
     
pairof9s
Senior User
Join Date: Jan 2008
Mar 9, 2015, 09:30 AM
 
besson3c...I'm with Mike and koolkid1976 (maybe just not in those words). Asking Apple to verify the legitimacy of a credit card issued by a financial institution is the same as expecting the restaurant or department store to verify it before each purchase you make with them...places where fraud is much more rampant and has been for years, yet the burden has never been placed at the feet of these businesses.

The actual security will come (hopefully) when you can apply with your bank to exclusively link a credit account to Apple Pay without the need of a credit card.
     
Grendelmon
Senior User
Join Date: Dec 2007
Location: Too F'ing Cold, USA
Mar 9, 2015, 09:55 AM
 
Originally Posted by besson3c View Post
Yes it is Apple's fault, in part. Stop the Apple fanboyism, it's silly. I've explained what Apple can do to provide ID verification of their own, and you are putting your fingers in your ears.
You're not alone, besson.

The security is only as strong as the weakest link in the chain. If Apple is going to tout how effective and secure iPay is, then the banking authentication clearly needs to be addressed. What I don't understand is why Apple doesn't require certain security measures in their license agreements to use Pay in the first place.

If your bank doesn't utilize stringent security practices during the entire process of an electronic POS transaction (including when a new card is added), then it shouldn't be good enough for iPay, yes? Seems to me that Apple may have lowered the bar a bit in order to acquire as many partners as possible to get their target adoption rate. *shrugs shoulders*
( Last edited by Grendelmon; Mar 9, 2015 at 01:50 PM. )
     
koolkid1976
Fresh-Faced Recruit
Join Date: May 2003
Location: Meriden, CT
Mar 9, 2015, 02:51 PM
 
You made a valid point Grendelmon, but it does not line up with what besson3c is saying. You are saying Apple should hold their partners to a higher standard because Apple Pay is only as secure as their weakest link. Besson3c is saying Apple should be doing the banks' authentication work for them, and listing tools they can use to do that work. Doing work that's not their responsibility is not a feasible solution.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 9, 2015, 07:02 PM
 
Originally Posted by koolkid1976 View Post
besson3c, you're not making much sense. Wouldn't have anything to do with being Clinically Insane would it?
Your response is off to a needlessly confrontational beginning.

You expect Apple to take control of the cards from the banks? Keep them out of the loop for how their customers use their card? (adding it to Apple Pay). Does that make sense? Or do you expect Apple to keep them in the loop, but when the bank approves the card addition to Apple Pay, Apple will then say "no. we refuse this card because we access online social data, and it proves that you are not you"? In the case of an error, does the customer then call Apple and provide the necessary information to prove who they are (like Apple is a financial institution with everyone's financial history), or do they call the bank who already approved them, to tell Apple to approve the card addition?

I expect Apple to do at least basic due diligence on cards added to their wallet initially. Granted, there may not be much that can be done about a card that was legitimate initially and then became compromised, but as far as due diligence on cards this could include:

- consulting blacklists. The three startups I provided above provide their own, I'm sure Apple can work this out.

- do some KYC of their customer by verifying their personal identity. Chances are much more slim that somebody will attempt to use a fraudulent card if this activity can be traced back to them

- provide some leadership. The banks/EMV do not really have some sort of shared blacklist or record sharing in part because they are not software companies. The world is converging between our natural world and software world, for example cars are being made by Apple and Google now. There are many companies working on this problem, why not Apple?


You'll note that I never made reference to Apple keeping banks in the loop or vice versa, because these first two methods don't require cooperation from the banks/EMV. If you are going to accuse me of not making sense, please address the specific arguments made.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 9, 2015, 07:08 PM
 
Originally Posted by pairof9s View Post
besson3c...I'm with Mike and koolkid1976 (maybe just not in those words). Asking Apple to verify the legitimacy of a credit card issued by a financial institution is the same as expecting the restaurant or department store to verify it before each purchase you make with them...places where fraud is much more rampant and has been for years, yet the burden has never been placed at the feet of these businesses.

The actual security will come (hopefully) when you can apply with your bank to exclusively link a credit account to Apple Pay without the need of a credit card.

I'm sorry, these are both poor arguments. I've already gone over why your first argument is flawed, IMO, as far as your second one, credit card companies will likely always exist because with a line of credit comes profits made on interest, rewards programs, and the privilege of being able to defer payments and pay in installments.

The real security will come when a credit card is not tied to your personal ID, when transactions are purely anonymous, and when it therefore isn't possible to commit fraud by stealing a physical instrument such as a plastic card. And yes, this is all technologically possible today.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 9, 2015, 07:10 PM
 
Originally Posted by Grendelmon View Post
You're not alone, besson.

The security is only as strong as the weakest link in the chain. If Apple is going to tout how effective and secure iPay is, then the banking authentication clearly needs to be addressed. What I don't understand is why Apple doesn't require certain security measures in their license agreements to use Pay in the first place.

If your bank doesn't utilize stringent security practices during the entire process of an electronic POS transaction (including when a new card is added), then it shouldn't be good enough for iPay, yes? Seems to me that Apple may have lowered the bar a bit in order to acquire as many partners as possible to get their target adoption rate. *shrugs shoulders*

It isn't a matter of stringent or lax security practices, it is a matter of today's payment technology being fundamentally flawed and outdated. Fraud is a billion dollar annual issue, precisely because of this reason, our current systems are antiquated. There are many companies working on solving this problem. Apple Pay is a step in the right direction, but not a complete solution.

The most stringent security practices do not do much when your operating system is Windows 98, and honestly, the ol' magnetic stripe on a plastic card + PoS, non PCI compliant call centers is pretty much comparable to Windows 98. Online/CNP (card not present) payments may very well be the safest overall, which is ironic because the public seems least comfortable with them.
( Last edited by besson3c; Mar 9, 2015 at 07:21 PM. )
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 9, 2015, 07:13 PM
 
Originally Posted by koolkid1976 View Post
You made a valid point Grendelmon, but it does not line up with what besson3c is saying. You are saying Apple should hold their partners to a higher standard because Apple Pay is only as secure as their weakest link. Besson3c is saying Apple should be doing the banks' authentication work for them, and listing tools they can use to do that work. Doing work that's not their responsibility is not a feasible solution.
That is not what I said, please do not put words in my mouth. I said it is a shared responsibility. I'm not completely sure if this metaphor holds up, but what I cited earlier in this thread as an example is airport security. If a terrorist gets on a plane should the airline be held blameless? Should the airport be blameless? In this case, it's a shared responsibility.
     
Flying Meat
Senior User
Join Date: Jan 2007
Location: SF
Mar 10, 2015, 04:23 PM
 
This is bank-side stuff. The airport security metaphor does not hold up, as there are much more appropriate similarities to common credit card usage. Throwing out ye ole terroriste does give some insight into how one thinks though.
I, for instance, think that in this case, the terrorists won.

If you must continue down the airport route, then consider Apple allows a person to add their boarding pass to their iDevices without consulting the DHS.

Moving on. This is not about the airport.
     
besson3c
Clinically Insane
Join Date: Mar 2001
Location: yes
Mar 10, 2015, 06:08 PM
 
Then don't make it about the airport if you don't care for this example. It was an example of a shared responsibility. The example doesn't have to be bulletproof for what I have been saying to be valid.
     
   
 