Smart Mouse Traps and Lazy Mice

“Building a better mousetrap merely results in smarter mice” – Charles Darwin

Credit card issuers in general have a good handle on fraud. They manage it under 10bps (i.e. losses of $0.10 or less per $100 of transactions) on transactions made with a dumb plastic card lacking any additional context. So issuers wishing for Apple Pay fraud to fall between 2 and 3bps were not being unreasonable, considering the protections Apple and the networks put in place to keep fraud away: issuer support during provisioning, NFC, tokenization, a tamper-resistant Secure Element and Touch ID. But fraud seems to have followed a different trajectory here. About a month post-launch, it seems that fraud has come to Apple Pay (in one case as high as 600bps, i.e. $6 per $100, for an issuer that I cannot name). Though what follows was written in the context of Apple Pay, much of it translates to any other competitor, irrespective of origin, scale, intent, or patron saint.

Apple Pay and the Yellow Path:

All card issuers participating in Apple Pay are required to build a “Yellow Path” for cases where provisioning a card into Apple Pay requires additional bank verification. Implementation of the Yellow Path, and the corresponding customer experience, has varied per card issuer. Today, depending on your issuer, you could be directed to the call center, asked to authenticate via the bank’s mobile app, or put through some other 2FA verification. As one would expect, each carries a different level of success and friction. Only a couple of banks opted to authenticate via their mobile apps, which would have provided a far easier and more customer-friendly provisioning experience, whereas those that opted for call center verification traded efficiency for friction, and by most reports the corresponding experience has been subpar.

In fact, the Yellow Path was initially marked optional for card issuers by Apple, which meant that only a couple of issuers directed much focus at it. Apple reversed its decision and made it mandatory less than a month before launch, which left issuers scrambling to build and provide this support. Why any bank would consider this optional is beyond me.

Either way, card issuer implementations of the Apple Pay Yellow Path have proved inadequate, as I am willing to bet that most of the fraud in Apple Pay came by way of stolen identities. For all the paranoia around elevating your phone to be the container for all your credit cards, fraud in Apple Pay has taken more traditional and unsophisticated forms. No, iPhones weren’t stolen and then used for unauthorized purchases, Touch ID was not compromised, credentials weren’t ripped out of Apple’s tamper-resistant Secure Element, nor were the much feared but rarely attempted relay attacks (capture an NFC transmission and replay it at a different terminal, often loosely called MITM) involved. Instead fraudsters bought stolen consumer identities complete with credit card information, and convinced both software and manual checks that they were indeed the legitimate customer. A knowledge-based check built on name, address, date of birth and Social Security number cannot distinguish the cardholder from someone who has purchased exactly that data.

Fraud on Apple Pay is somewhat unique, as setting up Pay is one of the first things one would do upon getting an iPhone 6. At that point the device will have little to no history or context with the bank. Further, the customer most likely hasn’t had the time to install the bank app or log in. It is no wonder then that a number of banks defaulted to “Call our call center” as the Yellow Path. In an earlier post on ISIS (Softcard) I wrote about how the vast retail network, coupled with visibility into customer identity, positioned carriers as a trusted partner for banks to do secure provisioning. But ISIS had other (yet unrealized) aspirations.

For all the focus on protecting transactions and plastic, e.g. via EMV and tokenization, issuance and provisioning remain the soft underbelly: under-protected and easily compromised. This should concern everyone, because a chain is only as strong as its weakest link, and those with malice are almost always the first to find it. Fraud in Apple Pay will in time come to be managed, but the fact that easily available PII can waylay best-in-class protection should give us all pause.
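As an added illustration (this is my example, not code from the post or from any issuer's provisioning system), the Python below models the decision an issuer makes when a wallet asks to provision a card. It contrasts a Yellow Path that trusts customer-supplied PII with one that treats PII as necessary but not sufficient and only goes green from a device the bank has already seen its customer on, sending everything else to a step-up that requires possession of the phone number on file. The field names, the device-enrollment signal, the OTP step-up and the "Jane Doe" profiles are all assumptions constructed for the example.

```python
# Added illustration, not code from the post or any issuer's system: a toy
# provisioning decision contrasting a Yellow Path built on customer-supplied PII
# with one built on possession of something the bank already trusts.
# Field names, the device-enrollment signal and the OTP step-up are assumptions.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

GREEN, YELLOW, RED = "GREEN", "YELLOW", "RED"  # provisioning outcomes


@dataclass
class BankProfile:          # what the issuer already knows (assumed fields)
    pan_last4: str
    name: str
    dob: str
    ssn_last4: str
    billing_zip: str
    phone_on_file: str
    enrolled_devices: set = field(default_factory=set)  # device ids seen in the bank app


@dataclass
class ProvisionRequest:     # what arrives with "add card to wallet" (assumed fields)
    pan_last4: str
    name: str
    dob: str
    ssn_last4: str
    billing_zip: str
    device_id: str


def pii_matches(profile, req):
    """Knowledge-based check: does the supplied PII agree with the file?"""
    return (req.pan_last4, req.name.lower(), req.dob, req.ssn_last4, req.billing_zip) == \
        (profile.pan_last4, profile.name.lower(), profile.dob, profile.ssn_last4, profile.billing_zip)


def pii_only_policy(profile, req):
    """The weak design: PII agreement alone earns GREEN."""
    return GREEN if pii_matches(profile, req) else RED


def possession_policy(profile, req):
    """PII is necessary but not sufficient: GREEN only from a device the bank has already
    seen this customer on; an unknown device goes YELLOW for step-up; bad PII is RED."""
    if not pii_matches(profile, req):
        return RED
    return GREEN if req.device_id in profile.enrolled_devices else YELLOW


class YellowPath:
    """Step-up: one-time code sent to the phone number on file. Only a digest is kept
    server-side, the comparison is constant-time and guesses are capped."""
    MAX_ATTEMPTS = 3

    def __init__(self, profile):
        self.destination = profile.phone_on_file
        self.code = f"{secrets.randbelow(10**6):06d}"  # delivered out of band
        self._digest = hashlib.sha256(self.code.encode()).digest()
        self.attempts_left = self.MAX_ATTEMPTS

    def verify(self, submitted):
        if self.attempts_left <= 0:
            return False
        self.attempts_left -= 1
        return hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), self._digest)


def provision(profile, req, policy, holds_phone_on_file):
    """Run one policy end to end; returns (outcome, card_provisioned).
    holds_phone_on_file models who actually receives the step-up code."""
    outcome = policy(profile, req)
    if outcome != YELLOW:
        return outcome, outcome == GREEN
    challenge = YellowPath(profile)
    # The real cardholder reads the code off the phone on file; a fraudster holding
    # only purchased PII never sees it, so the challenge lapses unanswered.
    return outcome, challenge.verify(challenge.code if holds_phone_on_file else "")


def demo():
    """Constructed scenarios: one victim profile and one purchased copy of its PII."""
    jane = BankProfile("4242", "Jane Doe", "1980-01-02", "6789", "94105",
                       "+14155550100", {"dev-jane-old"})
    pii = ("4242", "Jane Doe", "1980-01-02", "6789", "94105")
    return {
        "pii_only/fraudster":    provision(jane, ProvisionRequest(*pii, "dev-fraudster"), pii_only_policy, False),
        "possession/fraudster":  provision(jane, ProvisionRequest(*pii, "dev-fraudster"), possession_policy, False),
        "possession/new_iphone": provision(jane, ProvisionRequest(*pii, "dev-jane-new"), possession_policy, True),
        "possession/enrolled":   provision(jane, ProvisionRequest(*pii, "dev-jane-old"), possession_policy, True),
        "possession/bad_pii":    provision(jane, ProvisionRequest(*pii[:3], "0000", "94105", "dev-fraudster"),
                                           possession_policy, False),
    }


if __name__ == "__main__":
    for scenario, (outcome, ok) in demo().items():
        print(f"{scenario:23} {outcome:7} provisioned={ok}")
```

The first scenario is the failure the post describes: a fraudster with a complete purchased profile answers every PII question correctly and the PII-only policy returns GREEN. A call center agent scripted to ask the same questions is the same policy with a human in the loop. The possession policy sends that request to YELLOW, where the fraudster cannot produce the code delivered to the victim's phone, while a genuine customer on a brand-new iPhone still completes the same step-up. The cost of this design is exactly the friction the post describes for new-device customers, which is why the bank-app path (already enrolled device) is the only one that stays GREEN.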

Board of Advisors at SimplyTapp, creators of Host Card Emulation driving democratization and open access to NFC in Android. Mobile Commerce & Payments Lead at Experian Global Consulting, serving Experian's clients in Banking, Retail, Consumer Credit & Payments. A strategic adviser with over 17 years of international tech and business strategy consulting, advising firms in banking, retail and asset management that seek clarity and insight into the myriad business models around payments, fraud and commerce. Founded DROP Labs, a mobile payments/commerce strategy and advisory practice.
Cherian Abraham
  • dr.ossy

    My mother’s former employer was able not only to open credit cards under her name but also to take out loans. How the loan happened at a local bank is still a mystery to me. He even took out a CC under my name and her SS, and they simply sold that debt to some debt collector company that hounded me for years, until I asked for written communication only and said that is not my SS.
    All of a sudden everything was fine.

    Even iTunes allowed my CC to be used in other people’s accounts when I have never used a CC to purchase apps or songs. The CC was stolen from an airline company. Apple knew my CC because it was used to purchase laptops and such.

    Banks don’t care about fraud and never will. They care that they can loan out more money on each transaction.

    To Banks, ApplePay is about heading off virtual currencies and their ilk which bypass them. So Experian shouldn’t worry, they will still be able to take advantage of poor people just fine.

  • Mike Gross

    True name identity fraud (stolen identity information) associated with account originations or enrollment will continue to be a big challenge — for Apple, for issuers, for merchants with loyalty programs. Anything worth stealing. And with more sophisticated technologies, security controls, and monitoring around transactions, account opening is an easy target without visibility into non-traditional attributes like device. Social engineering around these “yellow paths” will also continue to be a problem due to the incessant focus on limiting customer friction.


  • Bob Ashenbrenner

    One security advantage of EMV cards is that they are very difficult to counterfeit. A thief with my credit card number could not make a fake EMV card with my credentials.

    With smartphone-based wallets, is this then an avenue for thieves to make counterfeit “cards”? Since NFC uses the same payment rails as EMV, if someone gets my card number, perhaps during a breach of a retailer, could they then add that card to a smartphone and proceed to use it in stores?

    • Jackie

      Yes. EMV breached.

  • Martin Lawrence

    Who would carry the liability in these cases? I would assume the merchant would not be liable, so it would be the issuer, right?

    Also: I expect that the issuer you mentioned that experienced 600 bps fraud corrected this situation shortly, no? I expect any bank worth its salt would detect such an increase in the short term and implement corrective measures…

    • droplabs

      This type of fraud looks no different than an actual bank customer. If the bank is using customer provided PII to authenticate – then it’s useless against a fraudster having a stolen, complete customer profile.

  • nfcguy

    Cardholder authentication at the time of a card issuance request, be it plastic card or Apple Pay, is always an interesting fraud mitigation challenge.

    Requiring a newly issued card to be sent to the address on file at the bank provides some natural mitigation for this type of attack on plastic cards. In the Apple Pay case, the card is sent to an iPhone, an ‘address’ that the bank doesn’t know well. The near-instantaneous issuance of the card also makes it very attractive to fraudsters.

    Executing stricter cardholder verification is the straightforward fix.

  • Steven Lim

    North America just has to join the rest of Western Europe on the EMV path.
    Thinking Apple Pay will come to the rescue is just pure nonsense. Apple technology is all about building their ecosystem and skimming as much profit from it as possible.