In the last two days, we have seen a lot of media coverage around Apple Pay being used for fraudulent activities by criminals with stolen identities and credit cards. The news was first reported by The Guardian. Many of the articles highlight that the fraud stems from a back door in the activation process called the “yellow path”. The yellow path is the process by which the bank can put the card activation on hold to do additional verifications.
The yellow path process is well explained on Apple’s support page: “As part of the Link and Provision process, Apple shares information from the device with the issuing bank or network… using this information, the issuing bank will determine whether to approve adding the card to Apple Pay.”
When Apple Pay was announced, almost everybody was drooling over the use of tokenization and the secure element. At the time, Apple never mentioned that device information would be sent to the card networks or issuing banks. Apple added the yellow path one month before Apple Pay went live. We have no insight into what prompted this late addition, but it’s important to remember that with Apple Pay, all the liability is on the banks. Apple Pay is just the messenger transmitting and provisioning the card token. The banks need to verify whether the card was stolen or not in order to reduce their risk of payment-related fraud chargebacks.
This is very different from entering a credit card number on an ecommerce site – the ecommerce site is liable for any payment-related fraud chargebacks. Those ecommerce sites invest heavily in fraud prevention solutions to detect anomalies with devices, users, etc., because they have a vested interest in reducing chargebacks.
With this late addition, banks had to scramble and opted for the simplest and fastest route by implementing simple rules and verification within the yellow path. Additional verification channels include call center verification, SMS OTP, etc. – all of which are well known by fraudsters. Trust in the SMS channel is not uncommon in the banking world, but it has a track record of compromise beyond the US, in Europe, Asia-Pacific and Africa.
Banks and Apple need to work together to detect stolen credentials early. It starts with getting more data from the device and transmitting it to the issuer bank for risk assessment. Mobile devices and their data are great assets for detecting behavioral anomalies, so why not use them, right? We recommend that banks look into leveraging their mobile apps for additional verification. The majority of Apple Pay users are likely to have the bank’s app installed on the iPhone on which they register the card. Banks and Apple could leverage the mobile banking login process, as well as push notifications, to verify the user. For example, when a card is activated, the issuer bank can trigger a push notification to the registered device of the user. The largest banks in the country already leverage this kind of notification for fraud alerts, so why not for Apple Pay card activation?
Push notifications can be packaged with strong security measures like root detection, PKI or biometrics for additional visibility on the device. The recent patent filing from Apple to have Touch ID in the cloud might be a hint that they are evaluating the use of biometrics as well.
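The two preceding paragraphs describe an issuer-side flow: score the provisioning request from the device data Apple forwards, and when the result is inconclusive, confirm it through a push challenge to the device already enrolled in the bank's own mobile app. The following is an added example written for this post, not code from Apple, any bank, or the original article. The `Issuer` and `EnrolledDevice` classes, the signal names (`device_id`, `jailbroken`, `device_age_days`, `cards_added_last_24h`) and the scoring thresholds are all assumptions; a shared HMAC secret stands in for the device-bound key that a real app would keep in the Secure Enclave, and the jailbreak signal stands in for the root detection mentioned above.

```python
"""Illustrative 'yellow path' decision plus push-based out-of-band confirmation.
Constructed example; every name, signal and threshold here is an assumption."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

GREEN, YELLOW, RED = "green", "yellow", "red"


def confirmation_tag(key: bytes, challenge_id: str, nonce: str, decision: str) -> str:
    """MAC over exactly what the user was shown and chose; both sides compute it."""
    msg = f"{challenge_id}|{nonce}|{decision}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class EnrolledDevice:
    """A device registered through the bank's mobile app (assumed). In practice
    `key` would be a device-bound private key; a shared secret is used here."""
    device_id: str
    key: bytes

    def sign(self, challenge_id: str, nonce: str, decision: str) -> str:
        return confirmation_tag(self.key, challenge_id, nonce, decision)


class Issuer:
    def __init__(self, challenge_ttl: int = 300):
        self.devices: Dict[str, EnrolledDevice] = {}  # card_ref -> enrolled device
        self.pending: Dict[str, dict] = {}            # challenge_id -> challenge state
        self.ttl = challenge_ttl

    def enroll_device(self, card_ref: str, device: EnrolledDevice) -> None:
        self.devices[card_ref] = device

    def assess(self, card_ref: str, signals: dict) -> str:
        """Risk-score the Link-and-Provision request from forwarded device signals.
        Returns GREEN (approve), RED (decline) or YELLOW (verify out of band)."""
        score = 0
        known = self.devices.get(card_ref)
        if known is None or signals.get("device_id") != known.device_id:
            score += 3  # wallet device is not the device the bank already knows
        if signals.get("jailbroken"):
            score += 3  # root detection failed on the device
        if signals.get("device_age_days", 365) < 7:
            score += 2  # freshly set-up device
        if signals.get("cards_added_last_24h", 0) >= 3:
            score += 2  # bulk card loading pattern
        if score == 0:
            return GREEN
        return RED if score >= 6 else YELLOW

    def start_push_verification(self, card_ref: str, now: Optional[float] = None) -> dict:
        """Create a single-use, time-limited challenge to push to the enrolled device."""
        device = self.devices[card_ref]
        challenge_id = secrets.token_urlsafe(16)
        nonce = secrets.token_hex(16)
        issued = time.time() if now is None else now
        self.pending[challenge_id] = {
            "card_ref": card_ref,
            "device_id": device.device_id,
            "nonce": nonce,
            "expires": issued + self.ttl,
        }
        return {
            "challenge_id": challenge_id,
            "nonce": nonce,
            "text": f"Approve adding card ending {card_ref[-4:]} to a mobile wallet?",
        }

    def complete_verification(self, challenge_id: str, device_id: str,
                              decision: str, tag: str,
                              now: Optional[float] = None) -> str:
        """Validate the app's response: single use, unexpired, right device, valid MAC."""
        state = self.pending.pop(challenge_id, None)  # pop: a replay finds nothing
        if state is None:
            return "rejected"
        current = time.time() if now is None else now
        if current > state["expires"]:
            return "rejected"
        if device_id != state["device_id"]:
            return "rejected"
        expected = confirmation_tag(self.devices[state["card_ref"]].key,
                                    challenge_id, state["nonce"], decision)
        if not hmac.compare_digest(expected, tag):
            return "rejected"
        return "approved" if decision == "approve" else "declined"


if __name__ == "__main__":
    issuer = Issuer()
    phone = EnrolledDevice("iphone-A", secrets.token_bytes(32))
    issuer.enroll_device("card-1234", phone)
    verdict = issuer.assess("card-1234", {"device_id": "iphone-A", "device_age_days": 2})
    print("initial verdict:", verdict)
    if verdict == YELLOW:
        challenge = issuer.start_push_verification("card-1234")
        print("push text:", challenge["text"])
        tag = phone.sign(challenge["challenge_id"], challenge["nonce"], "approve")
        print("after user confirmation:",
              issuer.complete_verification(challenge["challenge_id"], "iphone-A", "approve", tag))
```

The important properties are in `complete_verification`: the challenge is popped before any check so a captured response cannot be replayed, the clock is checked against the issuer's own expiry rather than anything the device reports, and the MAC covers the decision so a "decline" cannot be flipped to "approve" in transit. The scoring in `assess` is deliberately simple; in a real deployment the thresholds would come from the bank's fraud models.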
If we want newer mobile payment technologies to reach the masses, we cannot continue to use old fraud prevention technologies on them.