Apple Pay a Gateway for Cyber-Crime

by Matt Klassen on March 10, 2015

Just as you’re gazing upon Apple’s new Watch and thinking to yourself that the future of wearable tech has finally arrived, cyber fraudsters are exploiting weak authentication procedures in the Apple Pay system—the payment service that stands as a key feature of the new watch—to defraud banks of potentially millions of dollars.

According to reports, “criminals have been setting up iPhones with stolen personal information, then calling banks to authenticate a victim’s card on the new device. This is so-called ‘Yellow Path’ authentication, in which a card isn’t automatically accepted (Green Path) or rejected (Red Path), but requires additional provisioning by the bank to be added to Apple Pay.” The problem, unfortunately, is that some banks don’t require much in the way of “Yellow Path” authentication, meaning criminals can often use a basic amount of stolen personal information to set up a fraudulent Apple Pay account.

But who is to blame for this growing financial disaster? As expected, Apple is accepting exactly none of the blame, instead passing the buck to the banks, but don’t worry, there’s plenty of blame to go around here. The simple fact is that Apple has rushed a very sensitive financial product to market without giving the financial industry the time to establish the proper security protocols, pointing to a key vulnerability in the digital payment revolution: the ability to make sure you provide the right financial access to the right people, and not to crooks waiting in the digital shadows.

“Apple Pay is designed to be extremely secure and protect a user’s personal information,” the company said in a statement provided to the E-Commerce Times by Apple spokesperson Lisa Newell.

“During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay. Banks are always reviewing and improving their approval process, which varies by bank,” Apple explained.

Of course, that is a not-so-subtle way of saying Apple Pay is secure and Apple Pay is awesome; it’s the banks that are to blame for this one.

“It is unconscionable that Apple did not, and was not strongly advised by its partners to make the Yellow Path implementation (by an issuer) mandatory sooner than it did, which was four weeks before [Apple Pay’s] launch,” wrote Cherian Abraham, a mobile-payments specialist, in a Drop Labs blog post. “By then, it was too late for any issuer who had been focused elsewhere to put up any effort of merit.”

But that said, the vulnerability being exposed in this Apple Pay scandal seems to point to a wider problem with mobile payment services: user verification.

“This isn’t necessarily an Apple Pay problem. The responsibility ultimately lies with the card issuer who must be able to prove the Apple Pay cardholder is indeed a legitimate customer with a valid card,” said Avivah Litan, vice president and distinguished analyst for research firm Gartner. “That always appeared to me to be the weakest link in mobile commerce — making sure you provide the app to the right person instead of a crook.”

Despite no one taking blame for this growing fiasco, Apple and banks are recognizing it as a blip on the development path of what will soon become a vital technological tool. The only problem, of course, is that this blip has to do with what we hold most dear, our personal information and our money, which Apple seems to be handling with blatant disregard.
