Rampant: Explaining the current state of Apple Pay Fraud

Two quick notes before I trade a chilly 36 for a blistering 96, and spend the next few weeks in India. First up is on Samsung’s acquisition of Loop Pay. Second is a followup on Apple Pay Fraud that has now graduated from an itch to a raging infection.

First Loop’s acquisition. I worry that this relays a scattered strategy on Samsung’s part, that stands in stark contrast to the military discipline exhibited by Apple’s own. Via Loop – Samsung is investing more on grabbing upfront a larger share of a shrinking pie vs Apple’s dominance of a growing one. And Loop’s share inevitably will shrink, and unless if Samsung balances it with a broader identity and commerce strategy it risks getting a short term boost and little else.

Chase is rumored to be the largest issuer to sign-on with Samsung/Loop Pay – and that issuer partnership is necessary beyond tokenization reasons alone. Loop has to “downgrade” a card when presented to a EMV terminal by altering the magstripe service code (more on that here, and Will Graylin’s comment on it here) so that the terminal does not challenge the swipe and force a dip. Between that, and the general unwillingness to fork over your brand to be wrapped by a much lesser known entity, will keep some issuers on the bench.

Whether you agree that it should or not, TouchID has become the de facto authentication approach, Passbook is becoming the choice off-property transaction and loyalty store, and Secure Enclave/SE has all the making of a secure identity store. All the interesting bits around payments are being solved by Apple without having to be burdened by becoming regulated or being a bank. This is one trait Samsung should not hesitate to copy.

SO WHERE ARE WE WITH APPLE PAY AND FRAUD?

Fraud in Apple Pay – as I wrote before – came as a surprise to all. Tokenization, On-device secure storage and biometrics separately and together are formidable, but the soft underbelly proved to be provisioning of cards in to AP.

At this point, EVERY issuer in AP has seen significant *ongoing* provisioning fraud via customer account takeover. The levels of fraud has varied since launch, but 600bps is now seen as hardly an anomaly. Fraud in the Yellow Path is growing like a weed, and the bank is unable to tell friend from foe. No one, is bold enough to call the emperor naked.

So much is now certain:

These are organized crime rings that are handing out pre-provisioned devices to mules that are then being used to commit fraud – with much of fraud (for some issuers) – occurring around Miami,FL and Dallas,TX. Prepaid cards unsurprisingly are a tool of choice as they can be quickly converted to cash or goods – and subsequently, untraceable. What was surprising to hear was how many times Apple stores themselves popped up as the store of choice for the fraudster – and yet unsurprising, due to its nature as a luxury retailer. There is a certain irony in one compromised Apple Pay device paying for another – only to be drafted subsequently in to the fraudsters service.

But why wouldn’t a fraudster with a stolen card – go to town with online retailers instead of AP? For one – AP fraud offers instant gratification. Further, online retailers who shoulder liability in the occurrence of fraud – has become increasingly sophisticated in fighting it. The 24 hours or more delivery window offers them a sufficient window of opportunity to deploy a number of fraud fighting measures (velocity, device fingerprinting, category checks) – and that’s too much of a coin-toss for a fraudster. AP is proving to be a lot simpler.

What does Apple do right?

Apple kicks a card provisioning request to Yellow Path if:

1- Apple ID and Card was paired past a specific date threshold

2- Apple Account was recently modified

3- Apple account has not had any activity for over a year

4- Apple ID being too new, relative to the AP launch and to the provisioning request.

A provisioning request Apple deems as legitimate (Green Path) is never seen by the issuer. Every issuer I have spoken to, agrees that there is negligible fraud in cards provisioned via the Green Path. Apple suggests a 60/40 split, where 60 percent of attempts to provision will flow through the Green Path and 40 percent will trip up and end up being in Yellow Path or Red (outright denied). AP launch Issuers have been able to bring the Yellow Path closer to 10%, but for some others there is a large variance – in some cases up to 55%.

Isn’t this a Bank problem? And don’t that absolve Apple and Networks of their responsibility in this?

NO. It is unconscionable that Apple did not, and was not strongly advised by its partners – to make the Yellow Path implementation (by an issuer) mandatory sooner than it did – which was 4 weeks before AP launch. By then, it was too late for any issuer who had been focused elsewhere to put up any effort of merit. The better Yellow Path approaches – such as having the customer login via the bank-app requires non-trivial effort and planning. No surprise that a number of the launch partners and subsequent ones relied on call centers – in one case having a team as large as 600. In the case of an issuer who saw 3000 activations over a week, 600 of those generated a call to the call center. What happens when ten times more customers sign up?

Remember folks, Fraud scales. Call centers do not.

Call centers are a poor approach for two reasons. One – fraudsters are better at social engineering than call center reps are at sniffing out fraud. In some cases, fraudsters are calling the call center themselves to “alert the bank about a trip out of town” so that fraud rules looking for transaction anomalies (such as customer living in California and transacting in Miami) do not trip them up. Second – Apple Pay is just the first among the hundreds of token requestors that will come to dot the tokenization landscape. If every time I add my card to a token requestor (say: Amazon), and I have to call my bank – well…

In short, provisioning must become secure, invisible and scalable. If AP is any example, it shows inadequate prep.

And one of the biggest gripes I have heard from issuers is the lack of transparency from Apple (what did they expect?) and the makeshift reporting provided to issuers that is proving to be woefully inadequate. Lack of any kind of decent traceability to track fraudulent transactions back to their originating provisioning steps – banks are being forced to build their own on top. Larger issuers have leveraged their own internal processes coupled with homegrown reporting measures to give themselves better transparency and traceability. And smaller ones are doing much pining and little else. For the democratizing effect Apple had in the payments ecosystem by allowing issuer of every scale having their cards supported in AP – it seems to be having a totally different effect in their ability to fight fraud within.

In closing, as more issuers come online (within AP) fraudsters will be the first to line up. They will catch on to the BIN’s that work and the ones that don’t. And as long as issuers fall back on measures easily circumvented by freely available PII – this problem will continue to leech trust and large sums of cash. And alongside of the latter, there is much blame to go around as well.

A proportional response in this scenario cannot be simply unique to AP – because issuer tokens will be consumed in the future by more than just Apple. Tokenization is an industry effort, and securing it must be one too.

And while we are trying to plug these significant gaps… Let’s not pretend the whole wall to be secure; because somewhere is taller.


Board of Advisors at SimplyTapp - creators of Host Card Emulation driving democratization and open access to NFC in Android. Mobile Commerce & Payments Lead at Experian Global Consulting, serving Experian's clients in Banking, Retail, Consumer Credit & Payments. A strategic adviser w/ over 17 years of international Tech & Business Strategy consulting, advising firms in banking, retail & asset mgmt that seek clarity & insight in to the myriad business models around payments, fraud & commerce. Founded DROP Labs, a mobile payments/commerce strategy & advisory practice. Tweets here. I'm on LinkedIn here.
Cherian Abraham
View all posts by Cherian Abraham
Tagged , , , , , , , , , , ,
  • Gacoogan

    I find it odd that there is so much Apple Pay fraud, since inevitably there is a cell phone subscription associated with most iPhones. Sure, a fraudster could purchase an iPhone at full cost and activate it with bogus information, but that’s a lot of trouble and expense versus other alternatives. Regardless, it’s good that this problem is gradually getting under control.

    • NFC_Wizard

      Unlocked iPhone 6 and a prepaid SIM/account with one of the MVNOs are all you need. Per the article Apple stores are themselves one of the main retail targets of fraud to then buy more unlocked iPhone 6s. So pretty easy and didn’t need use fraudster’s person info in the process

    • Kr00

      The same method of fraud has been used on android phones too, so let’s not be blinded by a false sense of security shall we. Funnily Mr Abraham didn’t mention that he’s works for a rival Android payment system company. Someone’s backing self interest here.

    • Walt French

      PERHAPS the problem is that a card added to Google Wallet doesn’t necessarily inherit a higher level of trust, so sneaking one in is about as good as using it other ways. Whereas once you get a card in Apple Pay, it has the imprimatur of fingerprint-quality ownership/responsibility for charges.

      Now, 3+ weeks after this post, with the claim of 6% fraud going viral, the echo chamber makes it impossible to tell what policies at which banks were fixed versus which are (still?—I’m acting as if from Missouri) an actually juicy avenue for fraud.

      • alexdown

        A card added to google wallet is a google-issued card. Google then bills your “real” card for all transactions once in a while. Not sure about the T&C, but looks like Google (or Bancorp) is shouldering the fraud risk… while Apple simply doesn’t

  • Jeff Meredith

    I have recently added cards with a new Apple Pay provider. It was much more difficult than in the salad days of scan and you’re live. So I believe Cherian’s and Drop Labs cautions are taking effect. But I have also seen a new issuer where it looked too easy.

    Definitely the fraud needs to be addressed especially by the sophisticated rings and I hope the FBI is on this.

    One obvious thing to do would be to issue and insist on a new untainted credit card/ debit card number if they want to use Apple Pay. I know this would be a tremendous effort but it seems worthwhile. It would also coincide with needs for new Chip and Pin cards.

    The fraudsters are importing the compromised cards from the old Mag Stripe Ecosystem. I believe there are no new compromised cards coming from the Apple Pay system. As we transition, including a revamped Google Wallet hopefully we start to exhaust the old ecosystems card numbers.

  • alexdown

    A better solution would be *start the provisioning* within the issuer mobile banking app. Banks already have proper auth in place there, they can show a list if customer’s cards to provision, and there you go.
    This won’t cater the use case of a person provisioning another person’s card, but this use case is prohibited in most countries anyway.

    Apple won’t allow that, though, because they want to control the UI..

    • Mark

      In theory it does look better, but there’s plenty of distrust around mobile banking apps and a good few cases where they were the likely source of fraud, at least in the UK. UK banks in particular have been fond of simply washing their hands and blaming customers without a second glance at the facts. In one or two cases the customers in question had never used or signed up to mobile banking.

      To add to this two of the main UK banks now allow authentication via TouchID, which, while it may be largely secure enough for now HAS been broken, and is simply distrusted by many users. Personally I think its a good idea as a second factor, but I’m not fond of the idea as a primary.

      • alexdown

        Interesting. Any link to the these cases of fraud via mobile banking app? Would like to know more (not from the uk so haven’t heard of the cases you mention)

        • Mark

          The story I originally picked up was this one from the BBC in 2012:
          http://www.bbc.co.uk/news/business-19897527

          Which referenced a radio programme episode of the BBC’s ‘Money Box’:
          http://www.bbc.co.uk/programmes/b01n5z33

          Unfortunately the long page of comments from listeners has now been removed, and that had plenty more examples, many unrelated to the fraud mentioned in the programme. This didn’t start the distrust in mobile banking, but it contributed considerably to the attitude that now prevails.

          UK bank users as rule tend to view anything banks introduce as ‘convenience’ with a healthy dose of cynicism, due to the banks past form in denying fraud is in any way their fault if any authentication step is involved – its about bank indemnity NOT user security. Its not entirely unique to UK banking, but our industry is certainly far more of a fan of it than most. So in the UK we always have to ask ‘whats in it for them’ and ‘will they use it to pass the blame’.

          • http://bit.ly/11F2eas Philip Cohen

            “What’s in it for them” applies to all businesses; for some, as far as calculatedly aiding and abetting criminal activity as is demonstrably the case with eBay Inc. on its auctions … http://bit.ly/11F2eas

          • alexdown

            “NatWest only recently launched Get Cash, along with another system called Emergency Cash, which involves calling a phone operator.”

            call centres are always the weakest link of the chain. human factor.

          • Mark

            I’d agree on call centres as a weak link, but in the example I linked to the bank acknowledged the call centre weakness, but denied the problems specific to the mobile app – although some of those may also have stemmed from provisioning requests for app access not requested by the customer OR back end security issues.

            This type of denial is a consistent theme with UK banks and technology failures, but it is difficult to say for sure whether the banks are complete idiots, or whether they hope the can make their denial of liability stick because they are assuming their customers are idiots. A distant cousin of mine (I don’t know her well) is fairly senior in IT security at one of the UK banks, and I have to say her extremely limited understanding of technology and rather blinkered outlook inspires little confidence that the banks have the grip on the issues they should have.

  • http://bit.ly/11F2eas Philip Cohen

    Oh, my God, and there I was with the impression that the Apple Pay interface to the U.S. banks’ credit card payments system was perfect …

    Apple Pay—likely to be the greatest media/marketing beat up of the 21st century!

    Too bad all that hot air will soon enough cool …

    Regardless, when I recently activated my MasterCard “MasterPass” wallet it was done by logging into the issuing bank’s secure website and clicking on the “Activate MasterPass” button; it could not have been any simpler, or more secure …

    • alexdown

      true. but will Apple give up control of the UI? don’t think so…

      • http://bit.ly/11F2eas Philip Cohen

        The real question is, what is it that keeps U.S. payments terminals in the “Stone Age” when the rest of the world has long ago moved into the 21st century? Regardless, Apple Pay works only on those NFC terminals that just as easily will take “contactless” EMV cards—if the U.S. banks issued EMV cards, and then the banks might not be so inclined to pay Apple 0.15% of the transaction value. Frankly, Apple has taken the banks to the cleaners; Apple should instead be paying the banks for the banks helping Apple to sell more iPhones, which is what Apple is in the business of doing, not payments …

        Presumably, “contactless” NFC has otherwise not caught on in the U.S. because the U.S. banks—unlike those in the rest of the world—were (are) too mean to spend the extra $1 on contactless EMV cards; as a result the U.S., which processes ~33% of the world’s credit card transactions, has ~50% of the world’s card fraud …

        • Atlas

          You seem to ignore that cards with NFC impose a limit of 20$ because they are much less secure than systems like Apple Pay or Android Pay.

          • http://bit.ly/11F2eas Philip Cohen

            In Australia, the maximum value for a contactless EMV card transaction is AUD100 and that will cover the great majority of transactions.

            Maybe you live is a more primitive country where the risk is greater and so the limit is a paltry $20, or possibly you simply don’t know what you are talking about, regardless …

            Apple Pay—still a proprietary OS solution to a payments problem that simply does not exist, at least not in Australia …

    • Atlas

      You were wrong on all accounts.
      And today Samsung Pay is shown to be hackable.

      • http://bit.ly/11F2eas Philip Cohen
        • Atlas

          You were wrong. Apple Pay hasn’t been hacked, and Samsung Pay has. Just like the fingerprint sensor had been hacked on the S5. Samsung cares only about money. They didn’t care checking if everything was perfectly secure.

          • http://bit.ly/11F2eas Philip Cohen

            And Apple doesn’t care “only about money”? Then why does Apple want a 0.15% cut of the value of each transaction, and all the other “Pays” don’t? …

            Now, back to your Apple cubicle, fanboy …

          • Atlas

            Apple cares about money a lot, it’s their main interest of course, but they do not care about money ONLY.

            Funny that you call ME a fanboy when it’s you who bashed Apple Pay based on nothing but speculation and now ignore the fact that Samsung Pay was hacked when Apple Pay hasn’t yet.

  • Pingback: Apple Pay provisioning fraud hole "has to get plugged" now • NFC World+()

  • Mark S.

    Weird – the guy who writes the article has is involved in a competing Android system. No conflict of interest there. /s This article is a lot more accurate than the biased opinion piece above. http://www.theverge.com/2015/3/4/8149663/apple-pay-credit-card-fraud-banks

    • alexdown

      “During setup Apple Pay requires banks to verify each and every card,”
      Except that this is a requirement that came from the banks. Originally apple designed the green path only, and also until very recently was pushing the banks to use green path as much as possible.
      So not really as the article imply… 😉

    • Kr00

      Always back self interest would be the motto here I’m guessing. Mr Abraham has no credibility now. If he had admitted working for SimplyTap, we wouldve had the choice to make an objective judgement on his article. Now, well he may as well be another used car salesman. Zero credibility.

      • Oscar Cavail

        But thank God he works for a rival. Were you made aware of iPay as the cutting-edge payment choice for retail thieves from someone working for Apple? No you learned about it through a rival.

        • Kr00

          WTF is iPay? Maybe Apple should write an article on how easy it is for retail theives to do this on an Android phone, as it is being done right now? Then you’d learn something from your rival.

          • Oscar Cavail

            Doubtful. Your suggestion would simply highlight the fact that Apple dropped the ball in the first place. Business 101.

          • Kr00

            Banks have dropped the ball. If your assertion is to be half believed, then google samsecum have dropped the ball too.

          • Oscar Cavail

            Okay I guess you need to have it spelled out for you: In business you do NOT point out a cock up of your competitor that implicitly requires you to admit making the *SAME* mistake. That’s simply an invitation for bad press coverage and or an invitation to be fired by the board.

            Are you seriously suggesting that Apple should employ the tactic “yeah but they screwed up too?” LOL.

          • Kr00

            Funny that he focussed on only one company don’t you think? Any subjective writer covers all bases and shows no bias. I’m sure he was paid well to trash his opponent. I wonder how many shares he owns in SimplyTap? Manipulation of stock prices is illegal, did you know?

          • arpad

            I think you meant “samescum,” not “samsecum.” Remarkably witty nonetheless

    • droplabs

      Not weird at all. I don’t hide my role with ST and the importance of HCE in Android. But if your tinfoil conspiracy gives you comfort, I’m not going to take that away. If it’s not bolted on, stay a while and read some of the other posts, learn and in response – share your own perspective. Not everything is a conspiracy.

      • Atlas

        Are you going to write an article on today’s hack of Samsung Pay?

  • Kr00

    Would’ve been professional courtesy to tell people that you’re on the advisory board of a rival online payment system company for Android, wouldn’t you think Mr Abrahm?

    • http://bit.ly/11F2eas Philip Cohen

      “Board of Advisors at SimplyTapp – creators of Host Card Emulation & a LightSpeed Ventures Co, delivering HCE enabled mobile payment distribution & authorization solutions for enterprises. A strategic adviser w/ over 16 years of international tech & strategy consulting experience, to firms seeking clarity & insight in to the myriad business models around payments & commerce. Founded DROP Labs, a mobile payments/commerce strategy & advisory practice focused on banking & retail. Tweets here. I’m on LinkedIn here.”

      • Kr00

        Were you aware SimplyTap is an Android rival to Apple Pay? Hence my comment, please read carefully.

        Hardly ethical to only mention your rival on a vulnerability that can happen on any smart phone with e wallet services, yet there is not one word of that fact here. If he owns shares in SimplyTap, this is more than unethical, its illegal. Any stolen card can be set up on any smartphone like this.

        Authentication happens between the bank and the user, not Apple, Samsung or Google. Again, this is a biased and misleading article at best. Rumour is, he was trying to sell this story around the traps and many saw it for what is actually is.

        • http://bit.ly/11F2eas Philip Cohen

          All I’m saying is that the author has declared his interests at the bottom of the article …

          Regardless, if you think that anything that emanates from any of the various “departments of spin” has anything to do with ethics, you are delusional …

        • Derick

          ” Though what follows was written in the context of Apple Pay, much of it translates to any other competitor – irrespective of origin, scale, intent, or patron saint.”

          http://www.droplabs.co/?p=1204

          Take off the tinfoil. Not everything is a conspiracy.

          Stay a while and read some of the other posts on here. Might change your perspective.

  • Veronica Wilson

    I’ve been using Apple Pay since early November and paid with it at the Apple Store, The Home Depot, Lucky Supermarket, Macy’s, McDonald’s, Panera Bread, Peets Coffee & Tea, RadioShack, Subway, Walgreens, and Whole Foods. I was also able to use Apple Pay in Canada at Chez Maxim, La Panthere Verte and McDonald’s. Paying with Apple Pay was faster and more convenient than using cash, checks, debit or credit cards. And I’m not alone praising the virtues of this mobile payment system. Early reports show Apple Pay gaining meaningful traction and a high level of customer engagement. It’s time to start saying good-bye to the magnetic stripes in our wallets.

  • http://bit.ly/11F2eas Philip Cohen

    Dream on, delusional one …

    • Atlas

      Don’t be so butthurt.