Linked by Thom Holwerda on Tue 17th Mar 2015 10:12 UTC

Apple Pay itself should, in theory, cut down on fraud because it makes stealing credit card information almost impossible. Each time a transaction takes place, Apple generates the equivalent of a new credit card number so the merchant never actually sees a customer's information.

The vulnerability in Apple Pay is in the way that it - and card issuers - "onboard" new credit cards into the system. Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process "frictionless", the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early.

The banks, desperate to become their customers' default card on Apple Pay - most add only one to their iPhones - did little to build their own defenses or to push Apple to provide more detailed information about its customers. Some bank executives acknowledged that they were so scared of Apple that they didn't speak up. The banks didn't press the company for fear that they would not be included among the initial issuers on Apple Pay.

It seems the Apple Pay fraud is a bit more complex than it just being the banks' fault. This is what happens when one company becomes so big and dominant that everyone else dances to their tunes. We've seen it before in technology, and it seems we are entirely unwilling to learn.

In any case, letting a secretive, closed technology company take care of my payments seems like an incredibly stupid thing to do. I much prefer our banks to handle it - they're shady, too, of course, but at least here in The Netherlands, there are at least a lot of government and media eyes focussed on them, and they have far stricter laws and regulations to adhere to than a random technology company.

RE[2]: Comment by Nelson
by vault on Tue 17th Mar 2015 14:32 UTC in reply to "RE: Comment by Nelson"

Yes, definitely - it's a huge improvement for the US, which is still using unsecured pieces of plastic anyone can pay with if they find one. Apple Pay is an improvement over that.

However, many developed nations have moved on to secure pin and chip debit cards decades ago, and for those countries, Apple Pay and similar systems offer far less of an advantage. It could be a little bit more convenient, but that's about it.

In Europe we now have contactless cards that can be used in the exact same way. Even before that, you could still use the card online, as all the details needed to make a payment are right on the card.

See, we were promised that contactless payments are secure and there is nothing to worry about, but when shit hits the fan - you're on your own. Most transactions are done offline, and that means the terminal is not communicating with your bank in real time. It just assumes the card is valid and that you have the right amount. If not - you and the bank will deal with it one way or another. So, someone can steal a card, make multiple transactions and when they're processed at the end of the day - the damage (potentially hundreds of Euros) is already done. Like you said, the card is just an unsecured piece of plastic.

And yes I've seen that happen.

Theoretically, my country's laws say I'm not responsible for electronic transactions I have not authorised. So it's simple, right? I get my money back. Sadly, no. If I go to my bank they'll send me to Mastercard/Visa to make a claim and wash their hands of it. Mastercard will tell me it's the shop's responsibility to verify an identity during a payment, so it's all on them. Of course no shop ever does that. So even if they're responsible and they are willing to help me, I may now have multiple shops and outlets to deal with. Even if I get my money back eventually, it will take months or even years. No one wants to go through that.

What's even worse is there's literally no bank left in my country that will issue a standard chip&pin card without the wireless gimmick. And most of the time you can't disable it. Some people even cut the little RFID antenna out, because there's no other choice. The same people used to scratch the CVV number off the card and memorise it - I used to think it absolutely crazy.

Now compare that to Apple Pay. We all know (hopefully) that fingerprint authentication is not as secure as we once imagined. But in this case, it may just be secure enough. If it holds up for even half a day, it may be enough time for me to restrict the card, or wipe the phone remotely, or whatever. Hell, even a 4-digit PIN-protected phone is more secure than a "naked" contactless card.

So please don't pretend that Apple Pay would not be an improvement over here, because that's not true. At the very least it could save us a ton of headaches.
