These days, you’d think that any company offering a new method of making financial transactions would have learned something from the thousands of data breaches in the past few years. (The top 20 breaches for 2014 are reported here.)
Unfortunately, that doesn’t seem to be the case when it comes to Apple Pay.
In September 2014, Apple announced its plans to offer its own version of the “mobile wallet,” giving consumers the convenience of making purchases via their iPhones and new Apple Watches.
Apple Pay is expected to win Apple a respectable share of the mobile payments market, which is forecast to reach $100 billion in the US alone over the next five years.
According to the New York Times,
Apple hopes that its promises about security, including that credit card information will not be stored on the smartphones or devices or on Apple’s servers, will convince consumers that it is safer than using a credit card. “We’re totally reliant on the exposed numbers and the outdated and vulnerable mag stripe,” said Timothy D. Cook, Apple’s chief executive, at an event in Cupertino, Calif., on Tuesday. “Which all of us know aren’t so secure.”
Banks rushed to be included among the credit card issuers associated with Apple Pay.
Higher Fraud Rates
However, by March, according to the Times, banks were reporting unusually high fraud rates using stolen credit card numbers on Apple Pay.
One industry consultant put the Apple Pay fraud rate at 6%, compared with roughly 0.1% for traditional credit card transactions.
According to the Times:
Apple Pay itself should, in theory, cut down on fraud because it makes stealing credit card information almost impossible. Each time a transaction takes place, Apple generates the equivalent of a new credit card number so the merchant never actually sees a customer’s information.
According to Apple,
Once your card is approved, the payment network or your bank creates a device-specific Device Account Number, encrypts it, and sends it along with other data (such as the key used to generate dynamic security codes unique to each transaction) to Apple. Apple can’t decrypt it, but will add it to the Secure Element within your device. The Secure Element is an industry-standard, certified chip designed to store your payment information safely. The Device Account Number in the Secure Element is unique to your device and to each card added. It’s isolated from iOS, never stored on Apple Pay servers, and never backed up to iCloud. Because this number is unique and different from usual credit or debit card numbers, your bank can prevent its use on a magnetic stripe card, over the phone, or on websites.
That sounds similar to PACid’s dynamic encryption. So far, so good.
The security problem lies not in the transaction itself but in the way new credit cards are onboarded (provisioned) into the Apple Pay system.
To make signing up for Apple Pay as easy as possible for consumers, Apple required little beyond the credit card number. It did not even pass the cardholder's street address and telephone number to the issuing bank, which could have used them to check the enrolment request against the account on file.
When a bank did flag an Apple Pay enrolment, the consumer was directed to a customer care center rather than to a fraud prevention center. The result was that even more fraudulent enrolments, and the transactions that followed, were approved.
For example, criminals would call the customer care center to "alert" it about an upcoming out-of-town "business trip" that would cause the card to be used in an unusual location, so that the unusual (and fraudulent) charges would not be flagged immediately.
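The two halves of the story above, the per-transaction token described in Apple's quote and the onboarding check that the issuers never got to perform, fit in one small model. The following is an added example written for this page, not code from Apple, the payment networks or PACid; the "Issuer", "SecureElement" and "transaction_cryptogram" names, the HMAC-based security code, the step-up rule and the sample cardholder record are all constructed assumptions that simplify the real EMV tokenization flow. It shows why a merchant never sees the card number, why a captured cryptogram cannot be replayed or used on the web, and where the weak point sits: an issuer that approves provisioning without verifying who is asking has handed a strong token to whoever holds a stolen number.

```python
import hmac
import hashlib
import secrets


def transaction_cryptogram(key: bytes, dan: str, amount_cents: int, counter: int) -> str:
    """Dynamic security code for one transaction: an HMAC over the device
    account number, the amount and a monotonically increasing counter.
    The merchant receives this instead of a static CVV, so a captured value
    is useless for any other transaction. (Illustrative construction only,
    not the EMV/payment-network cryptogram.)"""
    msg = f"{dan}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class Issuer:
    """Hypothetical issuing bank / payment network, heavily simplified."""

    def __init__(self, cards):
        # cards: PAN -> cardholder contact record on file (constructed sample data)
        self.cards = cards
        self.tokens = {}  # device account number -> {"pan", "key", "counter"}

    def provision(self, pan, claimed_contact):
        """Onboarding. Issue a device account number only when the request
        carries contact data that matches the account on file; otherwise
        send it to the fraud team for step-up verification. This is the
        check the article says was skipped: with no address or phone in the
        request there is nothing to compare, so a bare stolen number must
        not be enough."""
        record = self.cards.get(pan)
        if record is None:
            return None, "declined: unknown card"
        if not claimed_contact or claimed_contact != record:
            return None, "step-up: route to fraud team for identity verification"
        dan = "48" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        key = secrets.token_bytes(32)
        self.tokens[dan] = {"pan": pan, "key": key, "counter": 0}
        return (dan, key), "approved"

    def authorize(self, channel, dan, amount_cents, counter, cryptogram):
        """Authorization of one merchant message. The device token is only
        valid on the contactless channel, the counter must advance, and the
        cryptogram must verify under the key shared at provisioning."""
        tok = self.tokens.get(dan)
        if tok is None:
            return "declined: unknown token"
        if channel != "nfc":
            return "declined: device token not valid on " + channel
        if counter <= tok["counter"]:
            return "declined: replayed or stale cryptogram"
        expected = transaction_cryptogram(tok["key"], dan, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "declined: bad cryptogram"
        tok["counter"] = counter
        return "approved"


class SecureElement:
    """Device-side store: holds the device account number and key, never the PAN."""

    def __init__(self, dan, key):
        self._dan, self._key, self._counter = dan, key, 0

    def pay(self, amount_cents):
        self._counter += 1
        code = transaction_cryptogram(self._key, self._dan, amount_cents, self._counter)
        # This tuple is everything the merchant terminal ever sees.
        return ("nfc", self._dan, amount_cents, self._counter, code)


def demo():
    # Constructed sample account; the PAN is the standard Visa test number.
    pan = "4111111111111111"
    issuer = Issuer({pan: {"address": "1 Main St", "phone": "555-0100"}})
    results = {}
    # 1. A thief holding only the stolen number cannot clear onboarding.
    _, results["stolen_number_only"] = issuer.provision(pan, None)
    # 2. The real cardholder supplies matching contact data and gets a token.
    (dan, key), results["legit"] = issuer.provision(pan, {"address": "1 Main St", "phone": "555-0100"})
    se = SecureElement(dan, key)
    msg = se.pay(4999)
    results["merchant_sees_pan"] = pan in msg
    results["first_tap"] = issuer.authorize(*msg)
    results["replay"] = issuer.authorize(*msg)
    # 3. Reusing the device account number on a website fails outright.
    results["web_reuse"] = issuer.authorize("web", dan, 4999, msg[3] + 1, msg[4])
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is the asymmetry it makes visible: once a token exists, the transaction side is strong (no PAN at the merchant, no replay, no cross-channel reuse), so every dollar of the fraud described above had to enter through `provision()`. In the simplified version here the step-up branch is the whole defence; in the real system it corresponds to the issuer's fraud team being given, and using, the identity data that was missing.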
Apple Pay makes it especially easy for criminals to commit “in person” fraud.
As reported on Krebs on Security,
Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.
Traditionally, in-person credit card fraud is committed either with stolen cards or with stolen card data. The data can be skimmed from the magnetic stripe using malware on point-of-sale devices, as in the data breaches at Target and Home Depot; thieves then encode it onto new cards.
Apple Pay fraud is even easier, because thieves don’t need to have a physical credit card in their possession.
Ironically, Apple itself is one of the leading victims of Apple Pay fraud, as criminals use Apple Pay to buy merchandise at Apple stores.
We’ve been talking about the benefits of dynamic encryption for many, many years. But we’ve never claimed that it was a panacea for all security ills. Dynamic encryption is far superior to static encryption when it comes to protecting financial information, but to succeed in keeping data safe it needs to be used as part of a process that is sensible and secure from end to end, and that includes the step where a card is enrolled in the first place.
To learn more about PACid’s Five Levels of Data Security, please click here.