Poor Bank Security Checks Leave Apple Pay Vulnerable to Fraud [u]

With the (relatively) successful launch of Apple Pay, it was only a matter of time before the myth of “Apple Pay addresses fraud” was busted. This time, however, it’s not Apple’s fault that its brand has become associated with fraud: The whole US credit card security system is deeply flawed – that’s the problem.


Before you jump to conclusions about fake fingerprints being used to finalise a payment from a stolen iPhone, or even the NFC protocol being hacked, the guys from Drop Labs (via Gizmodo) shed light on the matter. It is possible to buy credit card numbers online and then use them with Apple Pay, thus effectively creating a fake credit card without the hassle of making a physical one.

The result: Within a month of the launch of Apple Pay, roughly $6 per $100 of transactions were fraudulent, says Drop Labs, pointing to an unnamed card issuer. As we said earlier, the problem isn’t with Apple Pay: The company did create a safe environment for mobile payments, and it’s the banks who didn’t do their homework, says Drop Labs.

But there is a problem directly related to Apple Pay: When a bank enrols on Apple’s mobile payment platform, it is required to build a “Yellow Path” for when card provisioning into Apple Pay requires additional bank verification.

In fact, initially “Yellow Path” was marked optional for card issuers by Apple – which meant that only a couple of issuers directed much focus at it. Apple reversed its decision and made it mandatory less than a month before launch – which led to issuers scrambling to build and provide this support. Why any bank would consider this optional is beyond me.

The security measures depend on the bank, but most banks are using a phone call to check the authenticity of the card loaded into Apple Pay, which is one of the weakest forms of verification available.
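To make the issuer-side decision concrete, here is an added example (not code from the article, from Drop Labs or from any bank) of how an issuer might route a provisioning request to the green, yellow or red path and, for the yellow path, pick the strongest step-up method the cardholder can actually complete. The request fields, thresholds, method names and sample enrollments are all assumptions constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ProvisionRequest:
    card_id: str
    cardholder_id: str
    device_id: str            # opaque per-device identifier (assumed to be available)
    device_seen_before: bool  # issuer has seen this device with this cardholder before

# Constructed thresholds and method ranking (strongest first). A phone call ranks
# last: the caller is not bound to anything the issuer already trusts.
MAX_CARDS_PER_DEVICE = 3
STEP_UP_METHODS = ["issuer_app_login", "otp_to_enrolled_phone", "phone_call"]

# Constructed sample of enrollments this issuer has already approved:
# (device_id, card_id, cardholder_id). dev-9 is already holding three cards.
SAMPLE_ENROLLMENTS = [
    ("dev-9", "card-X", "holder-7"),
    ("dev-9", "card-Y", "holder-8"),
    ("dev-9", "card-Z", "holder-9"),
    ("dev-2", "card-B", "holder-2"),
]

def route(req, enrollments):
    """Return 'green' (approve), 'yellow' (step-up first) or 'red' (decline)."""
    on_device = [(c, h) for d, c, h in enrollments if d == req.device_id]
    cards_on_device = {c for c, _ in on_device}
    if req.card_id in cards_on_device:
        return "green"   # re-provisioning a card already bound to this device
    if len(cards_on_device) >= MAX_CARDS_PER_DEVICE:
        return "red"     # one device accumulating many cards: decline outright
    if any(c == req.card_id for d, c, _ in enrollments if d != req.device_id):
        return "yellow"  # same card already lives on another device
    if any(h != req.cardholder_id for _, h in on_device):
        return "yellow"  # device already carries another customer's card
    if not req.device_seen_before:
        return "yellow"  # first time this cardholder appears on this device
    return "green"

def choose_step_up(available):
    """Pick the strongest step-up method in `available`; None means decline."""
    for method in STEP_UP_METHODS:
        if method in available:
            return method
    return None

if __name__ == "__main__":
    req = ProvisionRequest("card-A", "holder-1", "dev-3", device_seen_before=False)
    path = route(req, SAMPLE_ENROLLMENTS)
    print(path, choose_step_up({"phone_call", "otp_to_enrolled_phone"}))
```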

While this issue is strictly related to the US as of now, we’ve contacted Canadian banks to find out their position and learn about possible security measures in such scenarios, so we’ll update the post as soon as we hear back from them.

[Update] RBC spokeswoman Kate Yurincich sent us the following statement:

RBC takes the privacy and security of clients very seriously. We think it’s one of the reasons people turn to a bank for their payment solution. We follow comprehensive privacy policies and security practices in compliance with laws and to support our commitment of trust through integrity in everything we do. We are firmly committed to safeguarding our clients’ confidentiality and protecting personal, financial and business information. This commitment extends to our online services and any new technologies we employ. For example, with mobile payments, this is why we developed our patent-pending RBC Secure Cloud, the first cloud-based mobile solution that keeps our clients’ credentials (sensitive personal data) behind our firewalls rather than on the device, where it’s vulnerable.

Technology enthusiast, rocker, biker and writer of iPhoneinCanada.ca. Follow me on Twitter or contact me via email: istvan@iphoneincanada.ca

  • Dingleberry

    The RBC response is dumb. The encryption on the iPhone is just fine, it’s the authentication processes when registering the card that’s the issue.

    An easy solution would be to register the device with the credit issuer, as the majority of Apple Pay users will have only one device and every iPhone has a unique ID tag. This way identity thieves aren’t walking around with an iPhone that has 40 different credit cards registered to it.