Tuesday, March 17, 2015

Banks still trying, failing to deflect fraud onto Apple Pay

There is absolutely no reason for anyone using Apple Pay to be concerned at all about using Apple Pay.

It's important to keep saying that because publications keep making it a point to link Apple Pay and "fraud" in their headlines. It's important because those publications are spreading fear, uncertainty, and doubt about Apple Pay to the people for whom it is most beneficial. Apple Pay makes mobile payments more accessible and secures the very data often used to actually commit fraud. That's why, as the FUD keeps coming up, we're going to keep addressing it. The latest case in point, from the New York Times:

The vulnerability in Apple Pay is in the way that it — and card issuers — "onboard" new credit cards into the system.

There's no "vulnerability" in Apple Pay. Apple Pay remains so secure that the only way fraudsters can take advantage of it is through traditional social engineering attacks against banks.

Because Apple wanted its system to have the simplicity for which it has become famous and wanted to make the sign-up process "frictionless," the company required little beyond basic credit card information about a user. Nor did it provide much information to the banks, like full phone numbers and addresses, that might help them detect fraud early.

Apple publicly documents the information it provides to banks, which includes the last four digits of the phone number, as well as select device and iTunes account information. If my bank gets the last four digits of my telephone number, and compares them with what they have on file for me, they should easily be able to get my address and any other information on that file. Likewise the iTunes account information. And compare it. And come to an informed decision as to what path needs to be followed for verification.

Some bank executives acknowledged that they were so scared of Apple that they didn't speak up. The banks didn't press the company for fear that they would not be included among the initial issuers on Apple Pay.

This very much feels like banks throwing Apple under the bus — or into the headlines — because they didn't take action to prevent fraud and want to shift blame. Here's what was previously reported:

The effects of those incidents are being felt for some time after the breaches in large part because financial institutions that issue cards typically don't launch broad-scale replacements of the affected plastic after a merchant is hacked.

The card companies figure that the cost of potential fraud is often less than giving each customer a new card, according to payment experts and bank executives, and customers sometimes complain about the inconvenience of having to switch to new cards.

In other words, the banks ran the numbers and chose not to take measures that would have prevented fraud because it was cheaper for them simply to handle the fraud. That's fine. That's their business and their choice. Their choice not to cancel the card data, their choice to approve it for Apple Pay, and their responsibility for the resulting fraud.

Back to the Times:

It also appears that banks set up a flawed process to deal with the credit cards that it did flag. Affected users were directed to a customer care phone center, not a fraud prevention center. A customer care center's mission is to help customers use their cards, leading more fraudulent cards to be approved for use on Apple Pay.

Again, banks.

Some Apple supporters have sought to discredit Mr. Abraham based on his affiliation as an adviser to a company that is based on Apple's main competitor, Android. While he may indeed be conflicted, he has rightfully raised an important security issue that all sides have acknowledged is a problem, though perhaps not to the extent he has contended.

It should have nothing to do with who is affiliated with whom. It should only have to do with accurate reporting of the facts.

Apple has now begun providing additional information to the banks that should help deter some of the fraud. The banks, which are responsible for the costs of the frauds, have toughened standards to review customer sign-ups on Apple Pay. No bank executive would speak with me on the record for fear of upsetting their company's relationship with Apple.

Apple Pay provides enormous usability and security benefits. If the process on the bank's end can be strengthened as well, that's great for them, and great for retailers. (Apple has created a new Apple Pay FAQ to help.)

It's still incredibly curious that so many headlines appeared so quickly, all based on one blog post. Single sourcing isn't usually what publications of the stature of the Wall Street Journal or New York Times pride themselves on. It's also unfortunate that a problem facing banks and retailers was spun in a way that could, potentially, scare end-users who have absolutely no reason to be scared.

Worse, if there ever is a real problem with Apple Pay, something that people need to be made aware of, there's a risk of it getting lost in all the not-real noise.

The latest round reads like they're aware the initial coverage has been recognized for the FUD that it was, and are simultaneously trying to back away while still maintaining as much cover under Apple as they can. My guess is they're not backing away far enough, fast enough, and people are going to continue to recognize the bad, potentially harmful coverage for what it is.

And that could be an even bigger problem for the people behind it.







