{"id":75865,"date":"2015-03-17T20:18:38","date_gmt":"2015-03-18T00:18:38","guid":{"rendered":"http:\/\/rbachnet.wwwmi3-ss40.a2hosted.com\/index.php\/"},"modified":"2022-08-25T12:43:57","modified_gmt":"2022-08-25T16:43:57","slug":"banks-scramble-to-fight-apple-pay-fraud","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/banks-scramble-to-fight-apple-pay-fraud\/","title":{"rendered":"Banks Scramble to Fight Apple Pay Fraud"},"content":{"rendered":"<p><em><a href=\"https:\/\/web.archive.org\/web\/20150607060334\/http:\/\/fooyoh.com\/geekapolis_gadgets_wishlist\/14778832\/apple-wants-to-replace-your-wallet-with-apple-pay\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-106474\" title=\"Banks Scramble to Fight Apple Pay Fraud\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/apple_pay-e1569707498908-124x150.jpg?resize=74%2C90&#038;ssl=1\" alt=\"Banks Scramble to Fight Apple Pay Fraud\" width=\"74\" height=\"90\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/apple_pay-e1569707498908.jpg?resize=124%2C150&amp;ssl=1 124w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/apple_pay-e1569707498908.jpg?resize=62%2C75&amp;ssl=1 62w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/apple_pay-e1569707498908.jpg?w=731&amp;ssl=1 731w\" sizes=\"auto, (max-width: 74px) 100vw, 74px\" \/><\/a><a href=\"https:\/\/web.archive.org\/web\/20200516171751\/https:\/\/searchfinancialsecurity.techtarget.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">SearchFinancialSecurity<\/a><\/em> <a title=\"Amid Apple Pay fraud, banks scramble to fix Yellow Path process\" href=\"https:\/\/web.archive.org\/web\/20190726130848\/https:\/\/searchfinancialsecurity.techtarget.com\/news\/2240241612\/Amid-Apple-Pay-fraud-banks-scramble-to-fix-Yellow-Path-process\" target=\"_blank\" rel=\"noopener noreferrer\">reports<\/a> that <strong>Apple Pay fraud<\/strong> is 
<strong>on the rise<\/strong> and banks are rushing to fix sloppy <a title=\"Authentication\" href=\"http:\/\/en.wikipedia.org\/wiki\/Authentication\" target=\"_blank\" rel=\"nofollow noopener wikipedia noreferrer\">authentication<\/a> processes. <strong>Sloppy bank authentication processes<\/strong> are at the heart of growing <a title=\"Apple Pay\" href=\"https:\/\/web.archive.org\/web\/20150624163131\/http:\/\/www.apple.com\/support\/iphone\/apple-pay\/\" target=\"_blank\" rel=\"noopener noreferrer\">Apple Pay<\/a> fraud and experts worry about potential fraud with other <strong>mobile payment systems<\/strong>.<\/p>\n<p><a href=\"https:\/\/web.archive.org\/web\/20180916181800\/http:\/\/www.fico.com\/en\/blogs\/category\/fraud-security\/\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-106476 size-thumbnail\" title=\"Apple Pay logo\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/apple_pay-logo.jpg?resize=75%2C58&#038;ssl=1\" alt=\"Apple Pay logo\" width=\"75\" height=\"58\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/apple_pay-logo.jpg?resize=75%2C58&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/apple_pay-logo.jpg?resize=150%2C117&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/apple_pay-logo.jpg?resize=768%2C597&amp;ssl=1 768w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/apple_pay-logo.jpg?w=812&amp;ssl=1 812w\" sizes=\"auto, (max-width: 75px) 100vw, 75px\" \/><\/a>When Apple Pay was first unveiled by\u00a0<a title=\"Apple Computers\" href=\"http:\/\/www.apple.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Apple<\/a> (<a title=\"NASDAQ : AAPL\" href=\"https:\/\/www.tradingview.com\/symbols\/NASDAQ-AAPL\/\" target=\"_blank\" rel=\"noopener noreferrer\">AAPL<\/a>) in October 2014, it was touted for its <strong>increased security<\/strong> thanks to <a title=\"A Comprehensive Outline of 
the Security Behind Apple Pay\" href=\"http:\/\/www.macrumors.com\/2014\/10\/02\/comprehensive-look-at-apple-pay-security\/\" target=\"_blank\" rel=\"noopener noreferrer\">tokenized Device Account Numbers<\/a> and the <a title=\"How Touch ID works: Making sense of Apple's fingerprint identity sensor\" href=\"http:\/\/www.imore.com\/how-touch-id-works\" target=\"_blank\" rel=\"noopener noreferrer\">Touch ID fingerprint system<\/a>. <em>eWeek.com<\/em> provided a good overview of how Apple Pay\u2019s approval process works:<\/p>\n<ul>\n<li>The camera of an iPhone 6 or 6 Plus takes a photo of the credit or debit card<\/li>\n<li>Apple Passbook software extracts the name and expiration date, then encrypts and transmits the data to Apple<\/li>\n<li>If the photo doesn\u2019t allow for extraction (poor quality or card is too worn), users are allowed to manually enter the card number<\/li>\n<li>Apple checks to see if the card is already on file in iTunes, verifying it through a match<\/li>\n<li>But most cards aren\u2019t already in iTunes &#8211; so Apple sends card data, phone data, and iTunes account info to the card-issuing bank<\/li>\n<li>If verified by the bank and approved, it\u2019s added to Apple Pay and the Apple Passbook, and it\u2019s ready to be used for purchasing<\/li>\n<\/ul>\n<p>If this provisioning is <strong>successful<\/strong>, the bank will <strong>automatically<\/strong> accept (<strong>Green Path<\/strong>) the info and then <strong>beam an encrypted<\/strong> version of the <strong>card details to be stored<\/strong>.<\/p>\n<p><a href=\"http:\/\/www.dailymail.co.uk\/news\/article-2165390\/FBI-arrests-British-hackers-biggest-undercover-sting-global-online-fraud.html\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-106478 size-medium\" title=\"criminals have set up iPhones with stolen card info from Target and Home Depot hacks\" 
src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ccards.jpg?resize=150%2C97&#038;ssl=1\" alt=\"criminals have set up iPhones with stolen card info from Target and Home Depot hacks\" width=\"150\" height=\"97\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ccards.jpg?resize=150%2C97&amp;ssl=1 150w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ccards.jpg?resize=75%2C49&amp;ssl=1 75w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/ccards.jpg?w=468&amp;ssl=1 468w\" sizes=\"auto, (max-width: 150px) 100vw, 150px\" \/><\/a>According to reports, criminals have set up iPhones with <strong>stolen personal information,<\/strong> which has been tracked back to accounts compromised in <a title=\"Here\u2019s What Happened To Your Target Data That Was Hacked\" href=\"http:\/\/www.businessinsider.com\/heres-what-happened-to-your-target-data-that-was-hacked-2014-10\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Target<\/strong>\u2019s big data breach<\/a> at the end of 2013, the <strong><a title=\"The Home Depot\" href=\"https:\/\/www.homedepot.com\/\" target=\"_blank\" rel=\"homepage nofollow noopener noreferrer\">H<\/a><\/strong><a title=\"Home Depot Hit By Same Malware as Target\" href=\"http:\/\/krebsonsecurity.com\/tag\/home-depot-databreach\/\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>ome Depot<\/strong> hacking<\/a> in 2014, and likely the <a title=\"Anthem Breach Allows Phish of US Cyber Forces\" href=\"http:\/\/wp.me\/p2wgaW-jF3\" target=\"_blank\" rel=\"noopener noreferrer\"><strong>Anthem<\/strong> breach<\/a> of 2015. The criminals take the <strong>stolen <a title=\"personally identifiable information (PII)\" href=\"https:\/\/web.archive.org\/web\/20200504232422\/https:\/\/searchfinancialsecurity.techtarget.com\/definition\/personally-identifiable-information\" target=\"_blank\" rel=\"noopener noreferrer\">PII<\/a> and call banks to authenticate a victim&#8217;s card on the new device<\/strong>. 
This is so-called &#8220;<strong>Yellow Path<\/strong>&#8221; authentication, where a card isn&#8217;t automatically accepted or <strong>rejected<\/strong> (<strong>Red Path<\/strong>), but requires more provisioning by the bank to be added to Apple Pay.<\/p>\n<p>When Yellow Path authentication is required, the bank may send a <a title=\"One-time authorization code\" href=\"http:\/\/en.wikipedia.org\/wiki\/One-time_authorization_code\" target=\"_blank\" rel=\"nofollow noopener wikipedia noreferrer\">one-time authorization code<\/a> to the customer\u2019s email or mobile phone that must be entered into the Apple Pay set-up. Other banks may ask the customer to call a toll-free number where a customer service representative will try to verify the person\u2019s identity with a series of questions about recent purchases or a home address, according to the <a title=\"Apple Pay Sign-Ups Get Tougher as Banks Respond to Fraud\" href=\"https:\/\/web.archive.org\/web\/20200809060714\/https:\/\/blogs.wsj.com\/totalreturn\/2015\/03\/06\/apple-pay-sign-ups-get-tougher-as-banks-respond-to-fraud\/\" target=\"_blank\" rel=\"noopener noreferrer\"><em>WSJ<\/em><\/a>.<\/p>\n<p>If this provisioning is successful, the bank will then beam an encrypted version of the card details to be stored on the <a title=\"Smart Cards and Security Basics\" href=\"http:\/\/www.smartcardbasics.com\/pdf\/7100030_BKL_Smart-Card-Security-Basics.pdf\" target=\"_blank\" rel=\"noopener noreferrer\">Secure Element of the phone<\/a> (PDF). 
The author contends that the heart of the problem is that some <strong>banks have lax Yellow Path processes<\/strong>, only asking for the last four digits of a Social Security number, leading to criminals using stolen identities and credit\/debit cards to buy high-priced goods, often from Apple Stores.<\/p>\n<p>Avivah Litan, a VP at\u00a0<a title=\"Gartner\" href=\"https:\/\/www.gartner.com\/technology\/home.jsp\" target=\"_blank\" rel=\"noopener noreferrer\">Gartner<\/a> (<a title=\"NYSE : IT\" href=\"https:\/\/www.nyse.com\/quote\/XNYS:IT\" target=\"_blank\" rel=\"noopener noreferrer\">IT<\/a>), said that this kind of fraud is a <strong>fundamental flaw<\/strong> that will affect all mobile payment services. &#8220;This isn&#8217;t necessarily an Apple Pay problem. The responsibility ultimately lies with the <strong>card issuer<\/strong> who must be able to <strong>prove<\/strong> the Apple Pay cardholder is indeed a <strong>legitimate customer<\/strong> with a valid card,&#8221; Ms. Litan wrote in a blog post. 
&#8220;That always appeared to me to be the weakest link in mobile commerce &#8212; making sure you provide the app to the right person instead of a crook.&#8221;<\/p>\n<p><strong><em>rb-<\/em><\/strong><\/p>\n<p><em>With the iPhone 6&#8217;s NFC capabilities, the physical card may not be required for such &#8220;purchases.&#8221; Maybe someday this will keep merchants from holding card data but for now, seems like the banks need to get their act together.<\/em><\/p>\n<h6>Related articles<\/h6>\n<ul>\n<li><a href=\"http:\/\/krebsonsecurity.com\/?p=30298\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Apple Pay: Bridging Online and Big Box Fraud<\/a> (krebsonsecurity.com)<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Apple Pay fraud rising as banks rush to fix sloppy authentication processes &#038; worry about fraud with other mobile payment systems<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[3277,420,2363,101,2389,2099,1798,1452,125,164,2392,304,951,4,2049],"class_list":["post-75865","post","type-post","status-publish","format-standard","hentry","category-security","tag-3277","tag-aapl","tag-anthem","tag-apple","tag-apple-pay","tag-authentication","tag-banking","tag-biometrics","tag-data-breach","tag-fraud","tag-home-depot","tag-iphone","tag-pii","tag-security","tag-target"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/75865","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=75865"}],"version-history":[{"count":16,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/75865\/revisions"}],"predecessor-version":[{"id":130625,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/75865\/revisions\/130625"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=75865"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=75865"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/ta
gs?post=75865"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}