High incidences of fraud with Apple's mobile payment app may require banks to adapt their security measures in new ways, according to experts.
A report in the Wall Street Journal on Monday said that banks were seeing a growing incidence of fraud with the Apple Pay app, and quoted mobile payment expert Cherian Abraham as saying that payment fraud was "growing like a weed."
But to pin the problem on Apple Pay is to misunderstand the system, according to John Pironti, a risk and security advisor at ISACA and president of the security firm IP Architects. In fact, Pironti told VICE News that Apple's security protections are some of the best in the business.
"The Apple Pay model is based on really good practice of layered approaches, limiting where card data can be present in the device, encrypting things appropriately, doing everything we could reasonably ask someone to do in a commercial payment system. Apple is doing it," Pironti said. "That doesn't mean we haven't got creative guys thinking about ways to take advantage, to leverage the device, the network it's traveling over, or interfaces with banks."
The real problem, he said, is that the banks that anchor the transactions aren't secure enough. When users first enter credit card data into the Apple Pay system, banks should make multiple verification steps to make sure that the person entering the data is the card owner and phone owner, he said.
"Some banks ask multiple [security] questions but they are not good questions, and some banks don't. That's a problem not for Apple but for people having questions that aren't so secret. If you want to get my mother's maiden name you can go to Ancestry.com and get it for a few dollars. Is that really the fault of Apple or the issuing bank not strengthening way they authenticate the user?" he said.
Abraham also identified the account setup step was the weak link in a blog post. He explained that Apple designed new accounts to be sent to either a "green path," if there were no apparent problems, "a yellow path," for a security team to review if the setup was questionable, or a "red path," to deny an account outright. Abraham claimed that banks didn't have enough time before Apple Pay's launch to set up their "yellow path" procedures in order to better catch fraud.
"It is unconscionable that Apple did not, and was not strongly advised by its partners — to make the Yellow Path implementation (by an issuer) mandatory sooner than it did — which was four weeks before AP launch. By then, it was too late for any issuer who had been focused elsewhere to put up any effort of merit," Abraham wrote.
Banks likely opted for minimum security on the Apple Pay transactions initially in order to appeal to customers, Abraham and Pironti both said. There's a point at which security levels are seen as a hassle by the consumer, Pironti added.
"If I make you put your retina in front of the thing everyday or call five phone numbers, you'd probably never use it. So would it be possible to add security features? Sure. But would it be accepted by the intended use population? Probably not," he said.
Abraham told the Journal that a majority of the fraud happening on Apple Pay is being coordinated by a "sophisticated organized crime gang" compromising the process when users enter their credit card data. It's less likely, Pironti said, for thieves to be able to steal a phone and then obtain the credit card information from the device.
Still, the banks likely assumed there would be some fraud with the system, according to the experts. Abraham and Pironti said that banks usually assume 1 percent of transactions will be fraudulent. Abraham estimated that 6 percent of Apple Pay transactions were fraudulent, which may result in banks needing to increase their security controls to bring fraud back down to an acceptable rate for their business model, Pironti explained.
The widespread discussion over fraud on Apple Pay likely won't spur the tech giant to make any changes to the app, but it probably will cause banks to increase their security measures, according to Pironti. Banks may start paying closer attention to questionable accounts and requiring two-step authentication or calling users whose accounts appear to have been compromised, he said. The mobile payment industry is still not quite as mature as the credit card industry, he explained, and so there is still a gap in security measures.
"There's other things we can do, we can ask for secondary levels of verification for certain transactions, like ones you've never made before or big purchases. The banks may want even more steps and may go back to Apple and say we want more options based on the riskier set of activities. That's easily something where Apple says we're happy to do that for you and you can enable that if you choose to," Pironti said.
Apple did not respond to requests for comment from VICE News but told the Journal that Apple Pay is "designed to be extremely secure and protect a user's personal information" and "banks are always reviewing and improving their approval process, which varies by bank."
Follow Colleen Curry on Twitter: @CurryColleen