Last week, I participated in the ISMG Fraud Forum in Los Angeles, and one of the more interesting things I learned was how rampant ApplePay fraud is. It turns out the bad guys are loading iPhones with stolen card-not-present card data (which is much easier to steal than card-present magstripe data) and essentially turning that data into a physical card à la ApplePay.
The banker speaking about this topic at the conference insightfully pointed out that this scheme enables fraudsters to bridge the CNP (card not present) world with the CP (card present) world. Now they don’t even have to bother with elaborate infiltrations of large retail chains like Target and Home Depot. They can simply steal or buy cheaper CNP card data used for ecommerce transactions and load it onto a smartphone, thereby transforming the CNP data into a counterfeit physical card used to commit more lucrative CP fraud. For more information on this, see droplabs.co.
This isn’t necessarily an ApplePay problem. The responsibility ultimately lies with the card issuer, who must be able to prove that the ApplePay cardholder is indeed a legitimate customer with a valid card. Apple does provide the issuer with information to help inform that decision. But the bankers I spoke with at the ISMG fraud conference complained that they don’t get enough information out of ApplePay to properly support their fraud processes. If that’s the case, they have the right to refuse to accept it — assuming they can get the support of their marketing colleagues.
In the meantime, Apple does provide a lot of rich customer data to aid banks with identity proofing, including information on a customer’s device and iTunes account such as the device name, its current location, and whether or not the customer has a long history of transactions within iTunes. So I’m not exactly sure what else the banks are expecting. Interestingly, neither Apple nor the banks get any useful identity information out of the mobile carriers – at least none that I know of or heard about. And mobile carrier data could be particularly helpful with identity proofing. For example, the banks could compare the mobile service’s billing address with the card account holder’s billing address.
For years, we have been briefed by vendors offering a plethora of innovative and strong user authentication solutions for mobile payments and commerce. And for years, we have been asking the vendors touting them how they know their mobile app is being provisioned to a legitimate user rather than a fraudster. That always appeared to me to be the weakest link in mobile commerce: making sure you provide the app to the right person instead of a crook.
Identity proofing in a non-face-to-face environment is anything but easy, but there are some decent solutions around that can be stitched together to significantly narrow down the population of fraudulent transactions and identities (see our research note “Identity Proofing Revisited as Data Confidentiality Dies”). The key is reducing reliance on static data – much of which is PII that has already been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements.
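As an added illustration, not code from this post or from Apple or any issuer, here is a toy issuer-side scorer for a card-provisioning request that leans on the dynamic signals described above (device location against the card billing address, wallet-account tenure and purchase history, the device name, and the carrier billing-address comparison the post suggests) rather than on static PII alone. Field names, weights and thresholds are assumptions, and the sample requests are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class ProvisioningRequest:
    """One request to load a card into a wallet. Field names are assumed."""
    cardholder_surname: str        # from the issuer's own card record
    card_billing_postal: str       # static PII: may already be in a crook's hands
    device_name: str               # wallet-supplied, e.g. "Rivera iPhone"
    device_postal: str             # postal code of the device's current location
    account_age_days: int          # tenure of the wallet / app-store account
    account_tx_count: int          # purchase history on that account
    carrier_billing_postal: Optional[str] = None  # carrier data, if obtainable

def provisioning_decision(req: ProvisioningRequest):
    """Return (decision, score, reasons); decision is approve, verify or decline."""
    score, reasons = 0, []
    # Signal 1: is the device where the card's bills go?
    if req.device_postal == req.card_billing_postal:
        score -= 20
    else:
        score += 25
        reasons.append("device location does not match card billing address")
    # Signal 2: reputation of the wallet account (tenure and history)
    if req.account_age_days < 30:
        score += 30
        reasons.append("wallet account is less than 30 days old")
    if req.account_tx_count == 0:
        score += 20
        reasons.append("no purchase history on wallet account")
    # Signal 3: relationship between device name and cardholder name
    if req.cardholder_surname.lower() not in req.device_name.lower():
        score += 10
        reasons.append("device name does not reference the cardholder")
    # Carrier corroboration: the check the post says issuers are not yet doing
    if req.carrier_billing_postal is None:
        reasons.append("no carrier billing data available")
    elif req.carrier_billing_postal == req.card_billing_postal:
        score -= 25
    else:
        score += 35
        reasons.append("carrier billing address does not match card billing address")
    if score <= 0:
        return "approve", score, reasons
    if score < 50:
        return "verify", score, reasons   # step-up: call centre or issuer app
    return "decline", score, reasons

# Constructed samples: established customer, unverifiable request, borderline case
LEGIT = ProvisioningRequest("Rivera", "90012", "Rivera iPhone", "90012", 1500, 240, "90012")
SUSPECT = ProvisioningRequest("Rivera", "90012", "iPhone", "10001", 3, 0, None)
BORDERLINE = ProvisioningRequest("Rivera", "90012", "Rivera iPhone", "10001", 400, 50, None)
```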
This problem is only going to get worse as Samsung/LoopPay and the MCX/CurrentC (supported by Walmart, BestBuy and many other major retailers) release their mobile payment systems, without the customer data advantages Apple has in their relatively closed environment.
The vendors in the mobile user authentication space have consistently answered that they are leaving account provisioning policies to the banks or other consumer service providers provisioning the apps. Well, maybe it’s time for them to reconsider and start helping their client banks and service providers by supporting identity proofing solutions built into their apps. Whoever does this well is surely going to win lots of customer support… and revenue.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.