PACid Technologies

Does Apple Pay Make Financial Fraud Even Easier?

Posted on March 26, 2015 by Lauri Donahue

These days, you’d think that any company offering a new method of making financial transactions would have learned something from the thousands of data breaches in the past few years. (The top 20 breaches for 2014 are reported here.)

Unfortunately, that doesn’t seem to be the case when it comes to Apple Pay.

In September 2014, Apple announced its plans to offer its own version of the “mobile wallet,” giving consumers the convenience of making purchases via their iPhones and new Apple Watches.

Apple Pay is expected to give Apple a respectable share of the mobile payments market, which is expected to reach $100 billion in the US alone over the next five years.

According to the New York Times,

Apple hopes that its promises about security, including that credit card information will not be stored on the smartphones or devices or on Apple’s servers, will convince consumers that it is safer than using a credit card. “We’re totally reliant on the exposed numbers and the outdated and vulnerable mag stripe,” said Timothy D. Cook, Apple’s chief executive, at an event in Cupertino, Calif., on Tuesday. “Which all of us know aren’t so secure.”

Banks rushed to be included among the credit card issuers associated with Apple Pay.

Higher Fraud Rates

However, by March, according to the Times, banks were reporting unusually high fraud rates using stolen credit card numbers on Apple Pay.

One industry consultant put the Apple Pay fraud rate at 6%. This compares to .1 of 1% for traditional credit card fraud.

According to the Times:

Apple Pay itself should, in theory, cut down on fraud because it makes stealing credit card information almost impossible. Each time a transaction takes place, Apple generates the equivalent of a new credit card number so the merchant never actually sees a customer’s information.

According to Apple,

Once your card is approved, the payment network or your bank creates a device-specific Device Account Number, encrypts it, and sends it along with other data (such as the key used to generate dynamic security codes unique to each transaction) to Apple. Apple can’t decrypt it, but will add it to the Secure Element within your device. The Secure Element is an industry-standard, certified chip designed to store your payment information safely. The Device Account Number in the Secure Element is unique to your device and to each card added. It’s isolated from iOS, never stored on Apple Pay servers, and never backed up to iCloud. Because this number is unique and different from usual credit or debit card numbers, your bank can prevent its use on a magnetic stripe card, over the phone, or on websites.

(Emphasis added.)

That sounds similar to PACid’s dynamic encryption. So far, so good.

On-Board Problems

The security problem lies in the way that new credit cards are “on boarded” into the Apple Pay system.

To make signing up for Apple Pay as easy as possible for consumers, Apple required little beyond their credit card numbers. It didn’t even pass consumers’ street addresses and telephone numbers on to the issuing banks, information that would have helped the banks detect fraud.

When Apple Pay accounts were flagged by the banks, consumers were directed to a customer care center rather than to a fraud prevention center. The result was that even more fraudulent transactions were approved.

For example, criminals would contact the customer care centers to “alert” them about an upcoming out-of-town “business trip” that would cause a card to be used in an unusual location — thus causing unusual (and fraudulent) charges not to be flagged immediately.

Apple Pay makes it especially easy for criminals to commit “in person” fraud.

Bricks-and-Mortar

As reported on Krebs on Security,

Apple Pay makes it possible for cyber thieves to buy high-priced merchandise from brick-and-mortar stores using stolen credit and debit card numbers that were heretofore only useful for online fraud.

Traditionally, in-person credit card fraud is committed using either stolen cards or stolen credit card data. Data can be stolen from the magnetic stripes on cards using malware on point-of-sale devices, as in the data breaches at Target and Home Depot. Thieves then encode the data onto new cards.

Apple Pay fraud is even easier, because thieves don’t need to have a physical credit card in their possession.

Ironically, Apple itself is one of the leading victims of Apple Pay fraud, as criminals use Apple Pay to buy merchandise at Apple stores.

Dynamic Encryption

We’ve been talking about the benefits of dynamic encryption for many, many years. But we’ve never claimed that it was a panacea for all security ills. Dynamic encryption is far superior to static encryption when it comes to protecting financial information, but to succeed in keeping data safe it needs to be used as part of a process that’s sensible and secure from end to end.

To learn more about PACid’s Five Levels of Data Security, please click here.
