There have been various media reports about some of the security shortcomings within Apple Pay. The shortcomings are not security holes per se, in the sense that a hole is generally unintended. No, the security issues were deliberate, done with the goal of making signups and initial usage as easy as possible for shoppers.
As ZDNet noted: "Card issuers went so far as to green path Apple Pay accounts, meaning that no additional authentication was needed for an Apple Pay user to get their wallet up and running, other than measures built into the iPhone." I would like to say that this was a bad move from Apple, but I can't. Sadly, Apple and the banks made the right call.
Why? The American consumer rarely acts on his/her own long-term interests. Despite what they tell online and telephone surveys, their purchase actions make it clear that they don't care about security. They do care very much about convenience and nowhere is that more true than when they are considering something new. Nothing turns off the American consumer more than being asked to make a key behavioral change.
Apple knew Apple Pay would need consumers to make such a behavioral change and to do so without a key benefit no initial discounts were planned, the new transactions would take longer and hiccups early on were inevitable. Apple also knew it had an uphill battle to get decent usage numbers, given that it was available in just a few stores and only for shoppers with the very latest iPhones. Usage numbers were critical because they had to portray Apple Pay as a bandwagon. Nothing motivates consumers like thinking that they are missing out on something.
Doing it the right way from a security perspective would have been one hurdle too many. Apple would get no brownie points for having a secure offering hardly anyone used.
If Apple Pay does eventually take off, it will be up to Apple and bank partners to ramp up security little by little at that time. Prioritizing convenience over security is acceptable minimally for an initial rollout. But if it becomes the status quo, mobile payment cyberthieves will have a field day.
There's actually solid payments security ROI here. Until Apple Pay usage gets to a certain point, thieves will consider it more of a novelty than as a major attack venue. As its market share rises, so will fraud attacks.
This logic, however, may be less helpful for other payment use cases. Apple Pay is not really a payments mechanism. It is simply riding atop whatever payment card the shopper associated with the mobile wallet. In that sense, the thief would be using Apple Pay as a backdoor to drop charges on the associated card, which is why the less stringent authentication rules are so worrisome. It's similar to attacking a stored value card, such as the Starbucks card or app, except that the values permitted within Apple Pay can run much higher, which increases the financial risk.
In short, if mobile wallets are to succeed, some security shortcuts are very much needed. As long as they're short-lived, payments will survive.
Evan Schuman is a reporter for PaymentsSource.