California, US (BBN)-Some banks are witnessing a growing incidence of fraud on Apple Inc.’s mobile-payment service as criminals exploit vulnerabilities in the verification process banks follow when users add a credit card to the service, according to people familiar with the matter.
Banks are tightening this process in an attempt to curb the fraud, these people said, reports The Wall Street Journal.
The problem was brought to light in late February in a blog post by Cherian Abraham, a payments expert who works with banks and retailers on mobile-payment strategies.
He said fraud “is growing like a weed, and the bank is unable to tell friend from foe.”
Mr. Abraham said it isn’t “an anomaly” for fraud to account for about 6% of Apple Pay transactions, compared with about 0.1% on transactions that involve swiping a credit card.
He said that fraud rates on credit cards vary, depending on the bank that issued them.
Mr. Abraham is an adviser to SimplyTapp, which provides the host-card-emulation technology for contactless payments on devices using Google Inc.’s Android operating system.
Those payment systems compete with Apple Pay.
Mr. Abraham said other mobile-payment services might be exposed to the same fraud problem, “irrespective of origin, scale, intent or patron saint.”
Stolen identities and lifted credit-card numbers aren’t unique to Apple Pay.
Stolen cards have long been a problem in e-commerce transactions, which have higher fraud rates than credit-card purchases made in a store.
Apple Pay, thanks to its quick and easy checkout process, in which users pay by waving an iPhone in front of a wireless reader, can combine some of the vulnerabilities of online shopping with the instant delivery of buying a product in store.
The service has been a success for Apple. As of the end of January, the company says, Apple Pay accounted for two of every three dollars of contactless payments made with Visa , MasterCard or American Express cards.
The fraudulent Apple Pay purchases are being coordinated by sophisticated organized criminal gangs who are capable of scaling the fraud very quickly, according to Mr. Abraham.
However, making the verification process too difficult and time-consuming could deter potential Apple Pay users.
Apple has gone to great lengths to secure Apple Pay. It uses a “secure element” within the latest iPhones to store the encrypted payment data separately from the rest of the phone.
It uses a fingerprint reader to ensure that the phone’s owner is making the purchase and issues a one-time code so merchants don’t see customers’ credit-card information.
The weakness identified by Mr. Abraham occurs at an earlier stage.
When a user adds a card to the service, Apple says, it sends information such as the type of phone, the last four digits of the user’s phone number and the user’s general location to the bank that issued the card.
The bank decides whether to approve the card for Apple Pay.
Banks can ask for additional information if its information doesn’t match Apple’s.
In those cases, a bank may ask a user to call in to answer additional security questions.
Mr. Abraham said that some banks made it too easy for cards to be approved, because they wanted to reduce the friction of adding their cards to Apple Pay.
For example, he said, some banks asked for the last four digits of a customer’s Social Security number, which is easy to answer if the perpetrator knows that person’s credit history or personal information.
Card issuers have been eager to join Apple Pay, and it is possible that some didn’t adequately train the customer-service representatives who handle authentication, one person familiar with the matter said.
Banks pay Apple 0.15% of every transaction made on Apple Pay, a concession that the company won by persuading them that its payments service was more secure than the conventional credit-card swipe.
What’s more, Apple has benefited from an advertising blitz funded in part by commercials from issuing banks.
BBN/SK/AD-04Mar15-6:20pm (BST)