Last week, I participated in the ISMG Fraud Forum in Los Angeles, and one of the more interesting things I learned was how rampant ApplePay fraud is. It turns out the bad guys are loading iPhones with stolen card-not-present card information (which is much easier to steal than card-present magstripe data) and essentially turning that data into the equivalent of a physical card, à la ApplePay.
The banker speaking about this topic at the conference insightfully pointed out that this scheme enables the fraudsters to bridge the CNP (card-not-present) world with the CP (card-present) world. Now they don’t even have to bother with elaborate infiltrations of large retail chains like Target and Home Depot. They can simply steal or buy cheaper CNP card data used for ecommerce transactions and load that data onto a smartphone, thereby transforming the CNP data into a counterfeit physical card used to commit more lucrative CP fraud. For more information on this see droplabs.co
This isn’t necessarily an ApplePay problem. The responsibility ultimately lies with the card issuer, who must be able to establish that the ApplePay cardholder is indeed a legitimate customer with a valid card. Apple does provide the issuer with information to help inform that decision. But the bankers I spoke with at the ISMG fraud conference complained that they don’t get enough information out of ApplePay to properly support their fraud processes. If that’s the case, they have the right to refuse to accept it — assuming they can get the support of their marketing colleagues.
In the meantime, Apple does provide a lot of rich customer data to aid banks with identity proofing, including information on a customer’s device and iTunes account such as the device name, its current location, and whether or not the customer has a long history of transactions within iTunes. So I’m not exactly sure what else the banks are expecting. Interestingly, neither Apple nor the banks get any useful identity information out of the mobile carriers, at least none that I know of or heard about. And mobile carrier data could be particularly helpful with identity proofing. For example, the banks could compare the mobile service’s billing address with the card account holder’s billing address.
For years, we have been briefed by vendors offering a plethora of innovative and strong user authentication solutions for mobile payments and commerce. And for years, we have been asking the vendors touting them how they know their mobile app is being provisioned to a legitimate user rather than a fraudster. That always appeared to me to be the weakest link in mobile commerce: making sure you provide the app to the right person instead of a crook.
Identity proofing in a non-face-to-face environment is anything but easy, but there are some decent solutions around that can be stitched together to significantly narrow down the population of fraudulent transactions and identities (see our research note “Identity Proofing Revisited as Data Confidentiality Dies”). The key is reducing reliance on static data, much of which is PII that has already been compromised by the crooks, and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements.
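To make the provisioning-time identity proofing described above concrete, here is an added illustration (not Apple’s, Gartner’s or any issuer’s actual logic) of an issuer-side risk score built from the signals the post names: wallet-provider device and iTunes history data plus the carrier billing address comparison suggested above. All weights, thresholds and field names are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical issuer-side check; signals mirror the post, weights are made up.
@dataclass
class ProvisioningRequest:
    card_billing_address: str
    carrier_billing_address: Optional[str]  # None if the carrier shares nothing
    device_country: str                     # from the device's reported location
    card_country: str                       # from the issuer's own records
    itunes_account_age_days: int
    itunes_transaction_count: int

def normalize_address(addr: str) -> str:
    """Collapse case, punctuation and common suffixes so that
    '123 Main St., Apt 4' and '123 MAIN STREET APT 4' compare equal."""
    a = re.sub(r"[^\w\s]", " ", addr.lower())
    a = re.sub(r"\b(street|st)\b", "st", a)
    a = re.sub(r"\b(avenue|ave)\b", "ave", a)
    a = re.sub(r"\b(apartment|apt)\b", "apt", a)
    return " ".join(a.split())

def provisioning_risk(req: ProvisioningRequest) -> Tuple[int, List[str]]:
    """Return (score, reasons); a higher score means riskier. Static PII on its
    own earns no credit; only corroborating relationships lower the risk."""
    score, reasons = 0, []
    if req.carrier_billing_address is None:
        score += 20; reasons.append("no carrier address to corroborate")
    elif normalize_address(req.carrier_billing_address) != normalize_address(req.card_billing_address):
        score += 40; reasons.append("carrier and card billing addresses differ")
    if req.device_country != req.card_country:
        score += 25; reasons.append("device location country differs from card country")
    if req.itunes_account_age_days < 30 or req.itunes_transaction_count < 5:
        score += 30; reasons.append("thin or brand-new iTunes account history")
    return score, reasons

def decision(score: int) -> str:
    """Route the request: approve, step up through an issuer-controlled channel, or decline."""
    if score < 30:
        return "approve"
    if score < 70:
        return "step-up"
    return "decline"
```

The step-up path is where an issuer would apply its own strong authentication rather than relying solely on wallet-provider data.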
This problem is only going to get worse as Samsung/LoopPay and MCX/CurrentC (supported by Walmart, Best Buy and many other major retailers) release their mobile payment systems without the customer data advantages Apple has in its relatively closed environment.
The vendors in the mobile user authentication space have consistently answered that they leave account provisioning policies to the banks or other consumer service providers provisioning the apps. Well, maybe it’s time for them to reconsider and start helping their client banks and service providers by supporting identity proofing solutions built into their apps. Whoever does this well is surely going to win lots of customer support… and revenue.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
6 Comments
The first-time registration is always the most dangerous event in a remote encounter. The foundation for the rest of the relationship is constructed during that first visit. Many vendors in the mobile user authentication space do not have roots that go back to the early identity theft wars of the early 2000s and their service is “all about the app, ’bout the app, no troubles”… they may not understand what data components are even important for minimizing risk.
Therefore, you are 100% correct. The ability to triangulate on identity and authentication components in the real world and tie those to the online or mobile world is an extremely valuable asset. At some point, the voice channel telephone number that accompanies a mobile smartphone may become as important an identifier as your SSN#. The capabilities to tie that number, the user behind it and other app and payment components together in an inseparable bundle is something those looking for solutions ought to be considering before turning users and imposters both loose with payment options that haven’t been battle hardened.
The issue raised by the latest concerns about mobile payments in the context of Apple Pay is that of inadequate identity proofing. Banks need the ability to handle enrolment requests that can scale and don’t rely on call center support for challenge response questions for provisioning. So the provisioning, whether it’s the credit card or for that matter other authentication credentials such as an additional fingerprint, must become secure, least friction and scalable especially with the use of multi-factor authentication. One way of doing this would be to springboard off a robust authentication (for example at initial enrolment of the credentials such as a fingerprint) and identity proofing and then anchor subsequent enrolments off the base in a secure manner thereby leveraging and building on the identity proofing for the already established credentials.
The new EBA regulation for Internet payments does not apply to Apple Pay and will not until the guidelines for mobile payments or the PSD2 are published. But so far, if the requirements in the current regulations are indicative of what’s going to be required for mobile payments, then at least card-not-present transactions will require a strong second factor of authentication, and I don’t think financial institutions will be willing to approve transactions based on an authentication method they don’t control. I think that’s going to be a challenge for Apple Pay in Europe.
“Apple does provide the issuer with information to help inform that decision. But the bankers I spoke with at the ISMG fraud conference complained that they don’t get enough information out of ApplePay to properly support their fraud processes.”
The banks are using dial-out call centers to do address verification – that’s it. No wonder there is fraud. They should be using their own strong two-factor authentication to identify the consumer.
Apple needs a tighter integration with the credit card companies’ fraud departments. It sounds like real-time information sharing could aid in solving this issue. They need a form of identity verification at the Apple and CC end. Perhaps even the PIN on the CC could aid in this?
Just suppose, in order to use ApplePay, you had to perform a one-time trip to an actual physical bank.
Non-face-to-face registration is a very hard problem. These criminals are very, very smart and persistent, as billions are up for grabs.
I doubt, though, that they would show up physically; it would never scale anyway.
It seems to be a matter of marketing driving adoption and security trying to patch it up. As long as the cost to the banks is maintainable, it’s just a manageable cost of business for them. However, I think it is about to get out of control.