Apple Pay, which was praised before its rollout for its security features, was at the center of a storm this week when some called the security of Apple's mobile wallet into question, claiming that 6% of transactions are fraudulent.
The criticism was directed not at Apple's transaction security, which relies on tokenization, but at the way new cards are added to Apple Pay. Some fraudsters reportedly have been taking stolen card information (available on several black markets) and using it to set up Apple Pay accounts on their mobile devices.
In a rebuttal entitled "Nope, there's no 'Apple Pay fraud'," Business Insider argued that the impression of some kind of security weakness in Apple's new payment system is not justified. "What has happened is that Apple Pay itself is basically fraud-proof, so fraudsters have turned their attention to the next weakest link: credit cards before they're added to an Apple Pay wallet."
Because banks are responsible for verifying new cards for Apple Pay, the security hole, if you can call it that, exists on the bank's end.
Apple does provide issuers with information to help them decide whether to validate a new user, noted Avivah Litan, vice president at Gartner. It provides the potential customer's device name, current location, and whether or not the customer has a long history of transactions within iTunes.
A bank can decide whether a credit or debit card requires additional verification, according to the Apple iOS Security Guide. "Depending on what is offered by the card issuer, the user may be able to choose between different options for additional verification, such as a text message, email, customer service call, or a method in an approved third-party app to complete the verification."
Wells Fargo requires some customers to provide additional verification to add a card to Apple Pay. Customers will be directed to either call in to verify or to download the Wells Fargo Verify app, according to bank spokeswoman Hilary O'Byrne. The app will guide the customer through the verification process.
JPMorgan Chase provided this statement, which reflects several other large banks' stance: "Chase customers are not liable for any unauthorized purchases on their accounts. We monitor accounts for suspicious activity, and notify customers immediately if something unusual is detected." More than a million Chase customers have signed up for Apple Pay.
"I'm assuming the banks' familiarity and comfort with onboarding cards into Apple Pay is not where it should be, but it's a new process so they're not sure what to do," said Andy Schmidt, research director at CEB TowerGroup. "Some will automatically onboard. My American Express card was instantaneous. For my Bank of America card I had to call and get them to load it for me."
There are a few ways banks can strengthen their processes for verifying new cards in Apple Pay.
One is to require that the cardholder call in to get the card set up on Apple Pay, and to ask for more than the basics, such as the last four digits of the customer's Social Security number.
Another approach is to ask customers to authenticate their phones with Apple's TouchID fingerprint technology. That way, "the bank knows you own the phone and is assured you are allowed to have access to that," Schmidt said.
Alerts can also be helpful. If the customer received notification every time his Apple Pay account was used, he'd be likely to identify fraud quickly.