It's important to keep saying that because publications keep making it a point to link Apple Pay and "fraud" in their headlines. It's important because those publications are spreading fear, uncertainty, and doubt about Apple Pay — which makes mobile payments more accessible and secures the very data often used to actually commit fraud — to the people for whom it is most beneficial. That's why, as the FUD keeps coming up, we're going to keep addressing it. The latest example comes by way of the New York Times:
The vulnerability in Apple Pay is in the way that it — and card issuers — "onboard" new credit cards into the system.
There's no "vulnerability" in Apple Pay. Apple Pay remains so secure the only way criminals can take advantage of it is through traditional social engineering attacks against banks. The "vulnerability" here is the approval process used by the banks.
Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process "frictionless," the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early.
Apple publicly documents the information it provides to banks, which includes the last four digits of the phone number, as well as the device name, iTunes account activity, and more. If my bank gets the last four digits of my telephone number, and compares them with what they have on file, they should easily be able to get my address and any other information on that file. Likewise the iTunes account information. They should then be able to match it to the card I'm trying to add and come to an informed decision as to what path needs to be followed for verification. If there's any doubt, for my own protection, they should "yellow path" me and pursue the additional verification options available to them.
Some bank executives acknowledged that they were were so scared of Apple that they didn't speak up. The banks didn't press the company for fear that they would not be included among the initial issuers on Apple Pay.
The banks aren't beholden to Apple, they're beholden to their customers. If, in their rush to jump on Apple Pay for first-mover or any other market advantage, they failed to protect their customers, then shame on them. Even if we accept the allegation that they were "scared" of Apple, shame on them.
This very much feels like banks throwing Apple under the bus — or into the headlines — because they didn't take action to prevent fraud and now want to shift blame. Here's what was previously reported:
The effects of those incidents are being felt for some time after the breaches in large part because financial institutions that issue cards typically don't launch broad-scale replacements of the affected plastic after a merchant is hacked.The card companies figure that the cost of potential fraud is often less than giving each customer a new card, according to payment experts and bank executives, and customers sometimes complain about the inconvenience of having to switch to new cards.
In other words, the banks ran the numbers and chose not to take measures that would have prevented fraud because it was cheaper for them simply to handle the fraud. That's fine. That's their business and their choice. Their choice not to cancel the card data, their choice to approve it for Apple Pay, and their responsibility for the resulting fraud.
Back to the Times:
It also appears that banks set up a flawed process to deal with the credit cards that it did flag. Affected users were directed to a customer care phone center, not a fraud prevention center. A customer care center's mission is to help customers use their cards, leading more fraudulent cards to be approved for use on Apple Pay.
Again, banks.
Some Apple supporters have sought to discredit Mr. Abraham based on his affiliation as an adviser to a company that is based on Apple's main competitor, Android. While he may indeed be conflicted, he has rightfully raised an important security issue that all sides have acknowledged is a problem, though perhaps not to the extent he has contended.
It should have nothing to do with who is affiliated with whom. It should only have to do with accurate reporting of the facts.
Apple has now begun providing additional information to the banks that should help deter some of the fraud. The banks, which are responsible for the costs of the frauds, have toughened standards to review customer sign-ups on Apple Pay. No bank executive would speak with me on the record for fear of upsetting their company's relationship with Apple.
Apple Pay provides enormous usability and security benefits. If the process on the bank's end can be strengthened as well, that's great for them, and great for retailers. (Apple has created a new Apple Pay FAQ to help.)
It's still incredibly curious that so many headlines appeared so quickly, all based on one blog post. Single sourcing isn't usually what publications the stature of the Wall Street Journal or New York Times pride themselves on. It's also unfortunate that a problem facing banks and retailers was spun in a way that could, potentially, scare end-users who have absolutely no reason to be scared.
Worse, if there ever is a real problem with Apple Pay, something that people need to be made aware of, there's a risk of it getting lost in all the not-real noise.
The latest round reads like they're aware initial coverage has been recognized for the FUD that is was and they're simultaneously trying to back away while still maintaining as much cover under Apple as they can. My guess is that they're not backing away far enough, fast enough, and people are going to continue to realize the bad, potentially harmful coverage for what it is.
And that could be an even bigger problem for the people behind it.
Update 1: Newsweek riffed off the Times's headlines and narrative, but at the same time included:
A bank employee, who asked not to be named to avoid upsetting Apple, told Newsweek the actual percentage of fraud was much lower, but didn't provide any specifics.
Upsetting Apple by saying Apple Pay fraud was much lower than "reporting" would have us believe? Sounds like that would help, not hurt Apple. Or was it a typo and the author really meant it would upset banks or the media who've been misreporting it?
Update 2: CNN spoke to banks, which dismissed allegations tying Apple Pay to bank fraud.
[CNNMoney] spoke to the nation's largest banks, an association of community banks and Apple. The takeaway? This high level of fraud isn't really widespread.Banks also make this point: Banks get stuck with fraud costs. Yet dozens of small banks are in a long line to join Apple Pay by the end of 2015, according to L. Cary Whaley III, a technology policy expert at Independent Community Bankers of America. Why would they want to join if fraud is truly rampant?
It's beginning to sound like banks don't have their stories straight.
