Instead of physically crafting counterfeit cards using old hotel room keys, fraudsters may be stealing consumers’ financial identities using a little information and an iPhone.
Last fall, Apple Pay was launched as a convenient way to keep consumer’s payment card information in one place in the phone’s virtual wallet. Despite Apple Pay’s encryption and fingerprint recognition technology, fraudsters may have found a way to slither their way into the Apple payment ecosystem.
Similar to how stolen card numbers are bought online or stolen in a data breach to make counterfeit cards, fraudsters are entering stolen credit card numbers directly to Apple Pay to create virtual counterfeit cards, and financial institutions might not be doing enough to stop such activity in its tracks.
So far, instances of this type of fraud are doing more financial damage than typical credit card fraud, according to DROP Labs, a mobile commerce advisory blog run by a variety of current and former payment system professionals. While traditional credit card issuers lose $0.10 or less of every $100 of fraudulent transactions, Apple Pay fraud has cost some card issuers as much as $6 for every fraudulent $100 spent.
When a new card is added to Apple Pay, the issuing bank is supposed to verify that the individual uploading the card is in fact the actual cardholder to prevent an unauthorized user from adding your card to another phone — a process called “Yellow Path.”
“Yellow Path” was optional for Apple Pay participating card issuers up until about a month before the mobile payment platform launched. Many issuers had to quickly assemble a card-user authentication support and, as a result, how card issuers complete the “Yellow Path” authentication requirement varies among card issuers.
Some banks are comparing Apple Pay account details to cardholder information using a two-step code sent to the user’s phone number, through a separate mobile app or via email, but others just ask the uploading customer to contact a call center for authentication. In that instance, if a fraudster has enough of the card details and true cardholder information, he may be able to pass the phone check. Most banks use this method of authentication, despite the fraud risks, according to an Experian blog post written by DROP Labs’ Cherian Abraham.
Once a card is successfully uploaded to Apple Pay, fraudsters can go about making fraudulent yet secure transactions, thanks to the platform’s technology features. They will be able to confirm a mobile payment with the touch of a finger once the card is successfully uploaded, even if the card’s not theirs.
“This should concern all – because the strongest chain is only as good as its weakest link – and those with malice are almost always the first to find it,” Abraham wrote in his Experian post. “Fraud in Apple Pay will in time, come to be managed – but the fact that easily available personally identifiable information (PII) can waylay best-in-class protection should give us all pause.”
Consumers may already be apprehensive. According to Accenture’s 2014 North America Consumer Payments Survey of 4,000 individuals, 57 percent were concerned about the security of mobile payment transactions, up from 45 percent two years ago.
So, the more issuers can do to improve their card verification procedures, the better. This is especially important as more banks, retailers and consumers jump on the Apple Pay bandwagon.
Apple Pay has now partnered with more than 45 banks, and Bank of America alone has reported 1.1 million cards added to the service.
According to Apple’s latest company earnings conference call, Apple Pay accounts for nearly $2 of every $3 spent through Visa, American Express and MasterCard contactless mobile transactions. Other companies have announced positive Apply Pay adoption reports as well. Whole Foods has experienced a 400 percent increase in mobile payments since the October launch of the mobile payment platform and Panera Bread says that Apple Pay is responsible for 80 percent of its mobile payments, according to Apple’s CEO Tim Cook on the call.
As Apple Pay use increases, it’s up to the banks and card issuers to ensure they are doing all they can to keep fraudsters out of the mobile payment realm as much as possible. For now, though, Apple Pay users should watch their accounts for unusual payment activity.