Rampant: Explaining the current state of Apple Pay Fraud

Two quick notes before I trade a chilly 36 for a blistering 96, and spend the next few weeks in India. First up is on Samsung’s acquisition of Loop Pay. Second is a followup on Apple Pay Fraud that has now graduated from an itch to a raging infection.

First Loop’s acquisition. I worry that this relays a scattered strategy on Samsung’s part, that stands in stark contrast to the military discipline exhibited by Apple’s own. Via Loop – Samsung is investing more on grabbing upfront a larger share of a shrinking pie vs Apple’s dominance of a growing one. And Loop’s share inevitably will shrink, and unless if Samsung balances it with a broader identity and commerce strategy it risks getting a short term boost and little else.

Chase is rumored to be the largest issuer to sign-on with Samsung/Loop Pay – and that issuer partnership is necessary beyond tokenization reasons alone. Loop has to “downgrade” a card when presented to a EMV terminal by altering the magstripe service code (more on that here, and Will Graylin’s comment on it here) so that the terminal does not challenge the swipe and force a dip. Between that, and the general unwillingness to fork over your brand to be wrapped by a much lesser known entity, will keep some issuers on the bench.

Whether you agree that it should or not, TouchID has become the de facto authentication approach, Passbook is becoming the choice off-property transaction and loyalty store, and Secure Enclave/SE has all the making of a secure identity store. All the interesting bits around payments are being solved by Apple without having to be burdened by becoming regulated or being a bank. This is one trait Samsung should not hesitate to copy.


Fraud in Apple Pay – as I wrote before – came as a surprise to all. Tokenization, On-device secure storage and biometrics separately and together are formidable, but the soft underbelly proved to be provisioning of cards in to AP.

At this point, EVERY issuer in AP has seen significant *ongoing* provisioning fraud via customer account takeover. The levels of fraud has varied since launch, but 600bps is now seen as hardly an anomaly. Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one, is bold enough to call the emperor naked.

So much is now certain:

These are organized crime rings that are handing out pre-provisioned devices to mules that are then being used to commit fraud – with much of fraud (for some issuers) – occurring around Miami,FL and Dallas,TX. Prepaid cards unsurprisingly are a tool of choice as they can be quickly converted to cash or goods – and subsequently, untraceable. What was surprising to hear was how many times Apple stores themselves popped up as the store of choice for the fraudster – and yet unsurprising, due to its nature as a luxury retailer. There is a certain irony in one compromised Apple Pay device paying for another – only to be drafted subsequently in to the fraudsters service.

But why wouldn’t a fraudster with a stolen card – go to town with online retailers instead of AP? For one – AP fraud offers instant gratification. Further, online retailers who shoulder liability in the occurrence of fraud – has become increasingly sophisticated in fighting it. The 24 hours or more delivery window offers them a sufficient window of opportunity to deploy a number of fraud fighting measures (velocity, device fingerprinting, category checks) – and that’s too much of a coin-toss for a fraudster. AP is proving to be a lot simpler.

What does Apple do right?

Apple kicks a card provisioning request to Yellow Path if:

1- Apple ID and Card was paired past a specific date threshold

2- Apple Account was recently modified

3- Apple account has not had any activity for over a year

4- Apple ID being too new, relative to the AP launch and to the provisioning request.

A provisioning request Apple deems as legitimate (Green Path) is never seen by the issuer. Every issuer I have spoken to, agrees that there is negligible fraud in cards provisioned via the Green Path. Apple suggests a 60/40 split, where 60 percent of attempts to provision will flow through the Green Path and 40 percent will trip up and end up being in Yellow Path or Red (outright denied). AP launch Issuers have been able to bring the Yellow Path closer to 10%, but for some others there is a large variance – in some cases up to 55%.

Isn’t this a Bank problem? And don’t that absolve Apple and Networks of their responsibility in this?

NO. It is unconscionable that Apple did not, and was not strongly advised by its partners – to make the Yellow Path implementation (by an issuer) mandatory sooner than it did – which was 4 weeks before AP launch. By then, it was too late for any issuer who had been focused elsewhere to put up any effort of merit. The better Yellow Path approaches – such as having the customer login via the bank-app requires non-trivial effort and planning. No surprise that a number of the launch partners and subsequent ones relied on call centers – in one case having a team as large as 600. In the case of an issuer who saw 3000 activations over a week, 600 of those generated a call to the call center. What happens when ten times more customers sign up?

Remember folks, Fraud scales. Call centers do not.

Call centers are a poor approach for two reasons. One – fraudsters are better at social engineering than call center reps are at sniffing out fraud. In some cases, fraudsters are calling the call center themselves to “alert the bank about a trip out of town” so that fraud rules looking for transaction anomalies (such as customer living in California and transacting in Miami) do not trip them up. Second – Apple Pay is just the first among the hundreds of token requestors that will come to dot the tokenization landscape. If every time I add my card to a token requestor (say: Amazon), and I have to call my bank – well…

In short, provisioning must become secure, invisible and scalable. If AP is any example, it shows inadequate prep.

And one of the biggest gripes I have heard from issuers is the lack of transparency from Apple (what did they expect?) and the makeshift reporting provided to issuers that is proving to be woefully inadequate. Lack of any kind of decent traceability to track fraudulent transactions back to their originating provisioning steps – banks are being forced to build their own on top. Larger issuers have leveraged their own internal processes coupled with homegrown reporting measures to give themselves better transparency and traceability. And smaller ones are doing much pining and little else. For the democratizing effect Apple had in the payments ecosystem by allowing issuer of every scale having their cards supported in AP – it seems to be having a totally different effect in their ability to fight fraud within.

In closing, as more issuers come online (within AP) fraudsters will be the first to line up. They will catch on to the BIN’s that work and the ones that don’t. And as long as issuers fall back on measures easily circumvented by freely available PII – this problem will continue to leech trust and large sums of cash. And alongside of the latter, there is much blame to go around as well.

A proportional response in this scenario cannot be simply unique to AP – because issuer tokens will be consumed in the future by more than just Apple. Tokenization is an industry effort, and securing it must be one too.

And while we are trying to plug these significant gaps… Let’s not pretend the whole wall to be secure; because somewhere is taller.

Board of Advisors at SimplyTapp - creators of Host Card Emulation driving democratization and open access to NFC in Android. Mobile Commerce & Payments Lead at Experian Global Consulting, serving Experian's clients in Banking, Retail, Consumer Credit & Payments. A strategic adviser w/ over 17 years of international Tech & Business Strategy consulting, advising firms in banking, retail & asset mgmt that seek clarity & insight in to the myriad business models around payments, fraud & commerce. Founded DROP Labs, a mobile payments/commerce strategy & advisory practice. Tweets here. I'm on LinkedIn here.
Cherian Abraham
View all posts by Cherian Abraham
Tagged , , , , , , , , , , ,