It has been a big year for Apple Pay. With 100s of thousands of supporting banking institutions and locations, it looks like Apple Pay has the momentum to succeed where Google (Wallet) and the telcos (Softcard) have so far failed. Apple’s level of success to this point has been driven by three vectors: simplicity, privacy and security. But Apple Pay’s security has been questioned in the past ten days in a few articles that appear to lay blame on Apple for not securing Apple Pay. The problem here is that the facts don’t point the finger at Apple, the facts point directly to a few banks who aren’t authenticating cards as they should, as some banks are authenticating stolen cards and cards from stolen identities.
It’s important to understand the Apple Pay credit card on-boarding and authentication process to understand where the ball is being dropped. Banks are actually the ones doing the authentication, not Apple, and each bank can have their own ways authorizing cards, just as they have different ways of credit card acceptance with different levels of fraud tolerance. Banks can authorize electronically, via phone or by text.
My bank, Bank of America, asked me to call in for Apple Pay authentication for one of my personal cards, but electronically let a business account debit card go through without a phone or text check. Bank of America obviously saw something it wanted to check out on the personal account so I needed to call in. That phone check could have been made based on a comparison between the data the bank had and some of the encrypted data Apple sent to the bank.
Unknown to most, Apple actually sends additional information to the banks to help with authentication as outlined in the Apple Pay Security and Privacy Overview. It says, “…Then [Apple] sends the encrypted data, along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”
According to the Apple iOS Security Guide’s section on Apple Pay, it very clearly states that in addition to location and iTunes activity, Apple encrypts and shares information like the last four digits of the phone number and the device name. The bank then determines if the card is approved for use with Apple Pay. All of this information can be helpful in verifying, but only if the banks use it and if they are not, they may have to fix their process as part of this.
This additional information Apple sends to the banks makes a whole lot of sense to help improve authentication. For example, a bank may want to provide a higher level of authentication scrutiny on a user’s card who just recently opened an iTunes account, whose phone numbers don’t match the billing address, or are currently in a different country than the billing address states. These examples don’t always indicate fraud, but could certainly prompt a second factor authentication like a phone call or text.
Some reported fraud rates are claimed at 6%, well beyond the 1% industry average. I have found a few interesting things about this figure. First, not a single bank is on record discussing this. According to Apple Insider, the only people going on record so far are people who actually benefit from an Apple Pay competitor’s success. Also, what does the 6% actually encompass? Is it for a specific time period, maybe a specific country? Specifics aren’t available. And finally, think about this…. if Apple Pay were truly insecure, banks would drop it like a hot potato, right?
Where do we go from here? Security is a constantly changing animal, so Apple is obviously working with banks to make Apple Pay safer. In the mean-time, people should start doing their homework to better understand how the Apple Pay credit card authentication works and focus on the right companies, the banks. Banks have always owned the credit card authentication process, not Apple. If one of the banks has something to say, they should go on the record and share specific data. I don’t think this will happen, though, as I think we are witnessing a CYA moment, and it’s so much easier to blame Apple than take accountability for an authentication flaw.