US criminal gangs are taking advantage of security gaps in the provisioning of new cards to commit high levels of fraud on the new Apple Pay mobile payment platform, experts have warned.
The fraudsters are buying up stolen card-not-present (CNP) data widely available on underground internet forums and loading them onto iPhones with Apple Pay enabled, Gartner distinguished analyst Avivah Litan claimed in a blog post.
These details are then sent to the card issuing bank in question along with information about iTunes activity and the device, provided by Apple, to help the bank decide if it’s legit or not.
However, if there are still question marks about its authenticity, the provisioning process will be moved to the “Yellow Path” and banks must carry out extra verification.
It’s at this stage where experts say they’re failing.
Some banks are apparently only requesting social security numbers for identification, which themselves are easy for criminals to obtain, and some offer call center numbers to call – manned by operatives who are proving easy for fraudsters to socially engineer.
Once a card is provisioned, the criminal gangs are using feet on the ground to spend via Apple Pay on high value retail items including, ironically, in Apple Stores.
“The banker speaking about this topic at the conference insightfully pointed out that this scheme was enabling the fraudsters to bridge the CNP world with the CP (card present) world. Now they don’t have to even bother with their elaborate infiltrations of large retail chains like Target and Home Depot,” explained Litan.
“They can just steal or buy cheaper CNP card data used for e-commerce transactions and load that data onto a smartphone, thereby transforming the CNP data into a counterfeit physical card used to commit more lucrative CP fraud.”
Although it appears to be a banking problem, some providers have blamed Apple for offering poor reporting capabilities which do little to support their own anti-fraud tools.
Payments and fraud expert, Cherian Abraham, argued that Apple originally marked the Yellow Path as optional, before changing it to mandatory just a month before launch.
This meant that many did not have time to plan and integrate more secure verification processes for provision, such as forcing users to log-in via their mobile banking app or carry out some kind of two-factor authentication.
“As one can expect – each has varying levels of success and friction – with just a couple of banks opting to authenticate via their mobile apps, that would have provided a far easier and customer friendly provisioning experience,” he argued in a blog post.
“Whereas, those that opted for call center verification traded efficiency for friction and by most reports – the corresponding experience has been subpar.”
For Gartner’s Litan the answer may lie with moving away from authenticating via personally identifiable data which can be easily phished or stolen and then sold.
“The key is reducing reliance on static data – much of which is PII data that has been compromised by the crooks – and increasing reliance on dynamic data, like reputation, behavior and relationships between non-PII data elements,” she concluded.