Wednesday, March 11, 2015

Apple Pay Insecure? The Deeper Truth

There are now a lot of "news" articles (such as this one in the LA Times) running sensational headlines claiming that Apple Pay is not secure.  Lately it came out that fraud rates with Apple Pay customers were "through the roof" - 6% as opposed to 1%.  At face value, this would appear to mean that Apple Pay is a much less secure form of payment than normal credit cards or other methods.  However, let's cut through the hype and the fervent Apple bashing, and get to the facts.

First, in September 2014 when Apple Pay was announced, Tim Cook claimed that it would be more secure.  So what exactly is the discrepancy?

The Old Way

To understand, we first need to look at the different payment systems, their vulnerabilities, and what is being done to combat the fraud.  Current credit cards employ one of 2 technologies:  a magnetic stripe containing card information, or an EMV (Europay / MasterCard / Visa) encryption chip.  With a magnetic stripe, if you want to pay for goods or services with your card, you have a choice of either swiping it on a reader, or reading the card information aloud (by sight or from memory) to someone and having them enter it into a payment system.  A paper imprint with carbon paper is a tried-and-true 50-year-old method of taking payment information as well.  With EMV, when the card is scanned, the chip generates a per-transaction code that can only be used to issue payment to that merchant for that transaction.  Your personal information (card number, name, expiration date, security code, etc.) is not communicated to the merchant.  However if, say, you are paying over the phone or Internet (not in person), then you have to resort to Plan B just like the magnetic stripe.
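To make the difference concrete, here is an added example (not part of the original post) that contrasts static stripe data with a per-transaction code.  It is a simplified model built on HMAC, not the actual EMV algorithm, and the key, merchant names, amounts and class names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample values; nothing here is real card data.
CARD_KEY = b"constructed-demo-card-key"      # secret shared by chip and issuer
STATIC_STRIPE = "CARD-0000-TEST|exp-sample"  # stripe contents never change

def stripe_authorize(data):
    """Magnetic stripe: the same static data is valid on every swipe."""
    return "approved" if data == STATIC_STRIPE else "declined"

def _code(key, merchant, amount_cents, counter):
    msg = f"{merchant}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Chip:
    """Card side: derives a fresh code for each transaction."""
    def __init__(self, key):
        self._key, self._counter = key, 0

    def pay(self, merchant, amount_cents):
        self._counter += 1
        return {"merchant": merchant, "amount": amount_cents,
                "counter": self._counter,
                "code": _code(self._key, merchant, amount_cents, self._counter)}

class Issuer:
    """Bank side: recomputes the code and refuses counters already seen."""
    def __init__(self, key):
        self._key, self._last_counter = key, 0

    def authorize(self, tx):
        expected = _code(self._key, tx["merchant"], tx["amount"], tx["counter"])
        if not hmac.compare_digest(expected, tx["code"]):
            return "declined: code does not match merchant/amount"
        if tx["counter"] <= self._last_counter:
            return "declined: code already used"
        self._last_counter = tx["counter"]
        return "approved"

def demo():
    chip, issuer = Chip(CARD_KEY), Issuer(CARD_KEY)
    tx = chip.pay("coffee-shop", 450)
    first = issuer.authorize(tx)          # the genuine purchase
    replay = issuer.authorize(dict(tx))   # a recorded copy presented again
    moved = issuer.authorize({**tx, "merchant": "other-store", "amount": 90000})
    fresh = issuer.authorize(chip.pay("coffee-shop", 450))  # next real purchase
    return first, replay, moved, fresh
```

A recorded chip transaction is declined when presented a second time or with a different merchant or amount, while the recorded stripe data is accepted every time it is presented.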

So, what are the vulnerabilities in this old system?

  1. Point of Purchase Interception
    1. If you have a dishonest clerk, or a fake card scanner attached on top of the real one, they can grab your card info and record it for later fraud.
    2. Many card scans are sent over unencrypted, open phone lines that can be tapped or intercepted.
    3. Many card scans are done by computer, over the Internet, and can be intercepted.
  2. Information System Hacking
    1. The vast majority of large businesses, whether for online or in-person purchases, enter and store your card information in their database.  This means that a hacker who breaks into the system can glean thousands or millions of contact and payment records from databases, over the Internet.  Many of these systems do not have intrusion detection, so it is certainly possible that at least half of these thefts go undetected or unnoticed.
  3. Card Issuing Bank
    1. If a thief steals not your card information, but personal identification information (your name, social security number, address, bank account numbers, employer, utility account numbers, etc.), they can pose as you and open a new card that you don't know about, in your name, with the statements sent to your address, and run up charges that you are billed for.

Now we know this, but what has been done to combat this fraud?  Every card issuer is required to implement fraud monitoring that learns your purchase patterns and attempts to detect purchases made out of pattern - thus alerting people and possibly disabling the card.  Many of us have experienced going on vacation and having our card stop working because the fraud monitoring system detected out-of-normal behavior.  However, thieves can also gain information on your spending habits (the areas in which your purchases are made), and sell that information to card buyers who use those cards in those areas, thus avoiding fraud monitoring for a period of time.  But these efforts have held the fraud rate at about 1% (about $1 for every $100 spent).  That is actually pretty high if you think about it - and especially in the United States where merchants are not (yet) required to provide EMV card readers.

The Apple Pay Way

So now, how does Apple Pay work?  Apple Pay employs the EMV algorithm in the device (iPhone, Apple Watch, iPad, etc.).  But this is used both for online purchases (via in-app) and for in-person purchases (via Near Field Communication or NFC).  And, in order for you to use your device to pay, you must scan your fingerprint.  So, for payment, it is definitely more secure.  So why is there so much fraud with Apple Pay?  Now, the vulnerability comes to light:

  1. Card Issuing Bank / Apple Pay Trust
    1. In order to register a card with Apple Pay, Apple came up with a system whereby the card holder takes a photo of the card with the phone, then has to go into the bank to have them confirm identity and that the card holder is actually the card holder (physical presence to a physical bank employee).  Alternatively, a cardholder's device (iPhone) can be registered via Apple, and a secure iMessage sent to the previously-configured trusted device to confirm identity.  However, most banks balked at the "overhead" that would impose on their customers, and opted for a less secure authentication via phone.  A bank operator talks to the "cardholder" (hopefully it really is that person) and asks for some "personal" information to confirm s/he is the cardholder, to allow that card to be registered with the device for Apple Pay.

As you can see, it is impossible to intercept any useful information at the point of transaction.  Nor is any card or cardholder information made available to the merchant, so there is nothing insecure to store in a database that can be hacked.  However, you can probably spend about 2 seconds and think of a way around this - and the vulnerability has nothing to do with Apple.  The thieves have done nothing but think of this, so they saw this hole as well.  Through the readily available methods of obtaining personal information, the thief can register the card with their own Apple Pay through the bank if they have the card information, yes, but that is the hard way and would probably trace back to them through the device.  Easier still is to use the stolen identity information to open up a credit card through an issuing bank, one the person whose identity is stolen knows nothing about, and then register that card with Apple Pay.  And that is exactly what is happening.

What are the methods of mitigating this?  If you have banks with lax procedures or standards for authenticating their customers (which many have), then there is very little that can be done.  Certainly you can be alerted if you monitor your credit report with all 3 bureaus, and perhaps pay for a monitoring service like LifeLock, but it actually takes some time before a new account makes its way through the system and becomes an alert.  And, you have to pay attention to the alerts and determine whether the alert is because you actually did open up an account (a false alert), or because someone else did so in your name (a true alert).  This alert monitoring system is not as immediate or mature as the fraud monitoring in place for the old card methods, where as soon as a purchase is made, the computer can flag it and call you or disable the card.

So, let's compare apples to apples (yes, pun there).  It is actually misleading to cite that 1% fraud rate, because it is a percentage of a different means of theft (card theft, not identity theft).  If you use the same measure, Apple Pay would actually be 0% - none of the Apple Pay cards are stolen.  So what is the identity theft rate without Apple Pay, of thieves opening accounts in a stolen person's identity?  That information I haven't seen.  And that is the rate you must compare to the 6% they are claiming for Apple Pay.

1 comment:

  1. Thanks for your information and it is so good. It is very helpful and I appreciate your blog post.
