
Apple Pay Fraud and Stolen Credit Cards


 

With the launch of Apple Pay in 2014, banks and merchants were told they were getting a system that would help prevent fraud by requiring fingerprint authentication and providing better security than plastic credit cards.

Apple used this promise to elicit revenue sharing from merchants and banks that supported their system.

What actually happened?

Within 6 months of Apple Pay’s release, rampant fraud had been reported by banks and retail stores supporting Apple Pay, and for some banks, fraud rates were 60 times higher than for traditional plastic cards.

Ironically, among the hardest-hit retailers were Apple stores themselves.

http://www.theguardian.com/technology/2015/mar/02/apple-pay-mobile-payment-system-scammers

 

Too Easy to Add Stolen Cards

The problem wasn’t with the encryption or fingerprint security, but the fact that adding stolen cards into Apple Pay was too easy.

Banks want to make it easy to add their cards to the system, and Apple prides itself on easy-to-use products and services.

Apple added neat features like being able to take a picture of your credit card.  So, fraudsters used paint programs to create images of stolen cards and took pictures of the print-outs.

Apple wanted to make it easier for customers who already had their credit card on file with iTunes.  So, fraudsters added stolen cards to iTunes, ran a couple of small transactions that wouldn’t be noticed, and then bypassed most of the security checks when adding the cards to Apple Pay.

Banks wanted friendly support groups to help with the process of on-boarding cards.  The support people were so friendly that they even helped activate stolen cards.

 

Who’s to Blame?

Apple has pointed at the banks for any problems approving stolen cards, but in the end, they created a system with a major security hole and left the banks to pay millions of dollars to cover fraud losses.

I’d love to be a fly on the wall while Apple tries to get reimbursed for losses at their own stores for accepting Apple Pay.

One thing that Apple Pay fraud has shined a light on is the fact that banks’ security verification questions are often woefully inadequate for determining who actually owns a credit card.

The “gold standard” for some banks to verify cardholder identity was to ask for the last 4 digits of your social security number.  Unfortunately, criminals have access to huge databases of security information stolen from previous data breaches.

For a criminal, searching for the last 4 digits of your SSN is about as difficult as finding a bad picture of you on Facebook.

 

Apple Pay vs. Chip Cards

If you’re a merchant, accepting Apple Pay might sound cool, but it doesn’t look like its promise of reducing fraud will ever be as strong as that of chip-based cards.

Chip cards were specifically designed to prevent counterfeiting, whereas Apple Pay looks to be a counterfeiter’s dream.

Banks have been forced to put up higher and higher walls to prevent stolen cards from being added.  It’s still fairly easy to add a card if your phone is already linked to your bank account, but adding cards to tablets and phones with new numbers requires extra verification steps.

 

One way to streamline the process is to verify the customer’s card with a product like Chip Shield.  It reads the payment information directly from the chip card and validates that the card is legitimate.  If a card was added to a mobile wallet using Chip Shield, the risk of fraud at merchants would be greatly reduced.

Maybe Apple Pay + Chip Shield could live up to the promise of reducing fraud for merchants.
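
The provisioning weaknesses described above (a freshly added card on file, a photo of a card, the last 4 digits of an SSN as proof of identity) can be expressed as an issuer-side decision rule. The sketch below is an added example, not code from Apple, any bank, or Chip Shield; the field names, factor names and the 90-day threshold are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed values for illustration only; not issuer or Apple settings.
MIN_CARD_ON_FILE_DAYS = 90                  # ignore cards added to the store account recently
WEAK_FACTORS = {"ssn_last4"}                # obtainable from breach data
STRONG_FACTORS = {"chip_read", "otp_to_contact_on_file"}


@dataclass
class ProvisioningRequest:
    entry_method: str                       # "camera", "manual" or "on_file"
    device_linked_to_account: bool          # phone number already known to the bank
    card_on_file_days: int = 0              # age of the card in the store account
    verified_factors: set = field(default_factory=set)


def step_up_satisfied(factors):
    """A step-up passes only on a strong factor; weak factors add nothing."""
    return bool(set(factors) & STRONG_FACTORS)


def decide(req):
    """Return 'approve' or 'step_up' for a request to add a card to a wallet."""
    if req.device_linked_to_account:
        return "approve"
    # A card on file counts only if it has been there long enough that a
    # couple of small test transactions could not have established it.
    aged_on_file = (
        req.entry_method == "on_file"
        and req.card_on_file_days >= MIN_CARD_ON_FILE_DAYS
    )
    # A photo or typed number shows knowledge of card data, not possession,
    # so "camera" and "manual" never earn trust by themselves.
    if aged_on_file or step_up_satisfied(req.verified_factors):
        return "approve"
    return "step_up"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        ProvisioningRequest("on_file", False, card_on_file_days=3),
        ProvisioningRequest("camera", False, verified_factors={"ssn_last4"}),
        ProvisioningRequest("camera", False, verified_factors={"chip_read"}),
    ]
    for s in samples:
        print(s.entry_method, sorted(s.verified_factors), "->", decide(s))
```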