NEW YORK (MainStreet) — We do not know how much fraud is happening in Apple Pay, but early rumblings are that there is a lot more than initially expected. So the question is: what can you do to avoid becoming a victim? There are, indeed, steps you can - and should - take to stay safe.
The problem cannot be ignored. Fraud expert Cherian Abraham has blogged that at one financial institution - he did not name it - fraud inside Apple Pay is running six times higher than normal credit card fraud.
Gartner fraud expert Avivah Litan said in an email to MainStreet that Apple Pay fraud is “pervasive” and that “just about every bank issuer has been impacted by it.”
This news comes out of the proverbial left field. From the start, Apple Pay was billed as more secure than conventional credit card purchases, mainly because Apple Pay requires a fingerprint to make the purchase and, additionally, the specific transaction details are swept out of the purchase record and replaced with a token that, to a typical criminal, would be meaningless bits and bytes if stolen.
All that is true. Where criminals have entered the picture is in enrolling stolen credit card numbers into Apple Pay. That makes for a big change. For many criminals, stolen card numbers could only be used at online retailers - the criminals just did not have the equipment or the skill to press out counterfeit plastic cards. Well-organized criminals can easily press counterfeits, but average crooks, who perhaps bought a batch of card numbers at an online criminal swapmeet, cannot.
Apple Pay is for them a magic wand. Enroll a stolen card into Apple Pay and, suddenly, the iPhone 6 is a plastic card substitute that can be used at retail at Apple Stores, Bloomingdale’s, BJs warehouse stores, Macy’s, Foot Locker and many more. The crook can walk into an Apple Store, scoop up three iPad Air 2s, pay with an iPhone, and before he’s walked a block, he can sell them for $500 apiece. That is fast money.
Note: Apple is adamant that its Apple Pay processes are fine, and it points a blaming finger at financial institutions for enrolling stolen card numbers. Said Apple in a statement: “During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay.” Apple could not be plainer: where this ball is dropped is at the banks and credit unions that are onboarding new cards into Apple Pay.
At least some financial institutions have been in a rush to get their Apple Pay card enrollment numbers up, and apparently they have sacrificed caution for speed; a fraud explosion is the inevitable outcome.
Sufficiently frightened? Here are five steps to take, now, to keep yourself from becoming a victim.
Pay scrupulous attention to statements, urged identity theft expert Robert Siciliano. This is a crime that, in many cases, will be first noticed by the victim. Don’t just throw a statement in a drawer. Study it. Protections under federal law are good - but the victim has to notice theft and alert his financial institution. Vigilance is key.
Have you been informed that your cards were compromised in the big breaches of the past few years? Hundreds of millions of card numbers were stolen in the Target and Home Depot breaches and, said Stephen Coggeshall, chief analytics and science officer at ID Analytics, if your digits were among them, you are at higher risk. Redouble attention if you are in this group. And most of us are. Assume you had a card compromised, and stay paranoid.
Pick the right bank is advice from Seth Ruden, a senior fraud consultant at payments company ACI Worldwide. “Do banking with a bank with superior technology," he said. "Do your homework. Find a bank that takes security seriously, that utilizes technology that’s beyond the norm.” Does your bank offer multi-factor authentication? Has it issued chip credit and debit cards aka EMV? Has it deployed biometrics? Institutions that are ahead of the curve have taken these steps, and they are the ones that are also ahead of the card enrollment fraud problem.
Set up account transaction alerts is advice from multiple experts. Somebody just bought several flat screen TVs at BJ’s, and it wasn’t you? The transaction alert will serve as your wake up call and that can get your bank’s fraud prevention team in motion.
A related step: sign up for card and transaction monitoring services, especially if you have been offered one free of charge (as have many breach victims). It’s a quick way to stay on top of activity on your accounts and any new cards that may have been issued.
Last step: personally get your credit cards enrolled in Apple Pay is advice from Bob Graham, senior vice president and head of banking and financial services at IT consulting company Virtusa. The rationale: if a card is already enrolled in Apple Pay on one device, and now enrollment is attempted on another device, that’s a red flag that ought to trigger questions in the enrollment process. Get in there first to gain some extra protection.
Probably too, the Apple Fraud problem will largely solve itself, eventually. One reason to be confident: many experts believe Apple and the two big credit cards networks - Mastercard and Visa - have been putting pressures on banks to toughen up Apple Pay card enrollment. That’s good news - but don’t let yourself be victimized because you assumed others would protect you.
They have not been, and that is fact. So now is the time for DIY self-defense.
—Written by Robert McGarvey for MainStreet
This article is commentary by an independent contributor. At the time of publication, the author held TK positions in the stocks mentioned.