thanks Apple, now I'm living the dream!
You made my life so much better, now I'm rolling in cash.
A true innovation :)
laterz xx
Apple and its banker pals may have inadvertently lowered the barrier to credit card fraud by adding pay-by-wave technology to iPhones, security experts fear. Payment cards can be added to Apple Pay by taking a photo of the card, and allowing a device to run optical character recognition over the image to fill out the long card …
Blame the banks not Apple. Their lax security procedures are to blame.
Sadly that won't stop the Anti Apple brigade who lurk here from having a field day.
Just remember that the article does say the Google Wallet etc will also suffer from this problem.
Did I hear............"Anti Apple" ???
Apple is equally to blame, they are the enabler. They signed up with these banks, they know how the banks operate, they go along with it for profit. Remember, this is "Apple Pay", not "$BANK_NAME Pay". What, you give a kid matches and you have no blame for the fire?
As far as the article goes, Avivah Litan is way, way, WAY out of the loop. If he ever thought that having just the details was NOT enough, he clearly never read about #CC on Efnet or all the various versions of paypal's ability to add anyone's e-mail to anyone's account (countless other sites work too).
But, I came for Anit Apple....stay focused! Apple pretends it's now cool to pay with credit cards via the internet. If they would of waited longer than 20+ years, they might of missed the window.
"Is entrusting credit card verification to banks as irresponsible as giving a child matches?"
..........it would appear so. Although I also do not have much time for the fact that:
" These numbers can be entered manually, so physical access to a card is not needed."
........was something that Cupertino failed to notice was not the smartest thing that they could be associated with.
In short, neither the (w)bankers or the fruity company have exactly covered themselves with intellectual glory on this occasion.
Although the banks are playing their part, Apple Pay is allowing a photo of a credit card to be used indefinitely as a payment option.
The banks shouldn't be allowing it, but Apple Pay isn't being blocked by the banks either - so presumably Apple Pay are doing something in order to allow this situation to occur.
If Apple are relying on the banks to authorise the transaction, they are still storing all that data and - presumably, like Amazon - taking the liability on it to an extent. Notice that Amazon don't put you through the Visa/MasterCard secure schemes where you have to type in codes and verify to the source bank - they are storing your information for 1-click and then taking the hit on fraud themselves.
Presumably, Apple are doing the same here OR have negotiated their way out of liability with the banks.
Seriously, people, all that Chip-and-PIN stuff that the EU fought for for years? It's worthless here. We're still doing transactions with just the card number. Do they even use the CCV code on the back of the card?
If the number is enough (and it appears so for Amazon and Apple Pay) then the Chip & PIN stuff is worthless, even if the liability is shifted from the card issuer to the retailer. If the number isn't enough, Apple Pay wouldn't be able to operate as they are doing - and nor would Amazon. If the number is enough but liability is pushed to Apple, then it's partly Apple's fault for allowing this to happen for the sake of simpler business processes.
I wouldn't really compare Apple Pay with Amazon in their use of number only.
With Amazon you have to have an account, perhaps with dodgy details but you do typically need to get stuff delivered somewhere (well except the digital stuff though I doubt crims would bother with stuff they couldn't fence). With Apple Pay you can walk into a store, buy real stuff and walk out without anyone the wiser about who you really are.
This post has been deleted by its author
If the bank sent a snail mail letter to the account holders address with a code attached, then the owner of the card would a) know it was stolen and b) be able to prevent the card been added to apple pay. If the hacker wants to get round this then they need to intercept the letter. At which point it's no longer a remote attack.
Goddammit! The social security number is not to be used for identification purposes other than by the social security administration. How many times do the witless f*ckers in banking IT need to have that screamed at them? And then, having decided to ignore that stricture, to only use less than half the digits?
Jesus f*cking Christ on a bike.
How in f*ck's name could this level of stupid be deployed in this day and age in light of what we as an industry have learned regarding electronic banking and the methods to subvert them?
To paraphrase the short guy from Game of Thrones:
Hands. Coal hammers.
Maybe that is the scam! A way for apple to bring those billions back into the USA and avoid tax?
Apple agents would also be the "scamming party" that scams Apple. The foreign fund holding division would make a loss as it refunds fraudulent payments in the USA from foreign held funds.
Someone else work out the detail for me.
In what alternate universe are Social Security Numbers "guaranteed to be unique"?
Not in this one they ain't. I work at the sharp end of this and can state from actual knowledge gained at the expense of much pain, suffering and cries of "why me?" that the SSN is far from being guaranteed unique.
Even if you discount the possibility of fraudulent SSN coinage, latency in the SSA's system can cause perfectly legitimate applications to be granted the same number, or could, 15 years ago. To design systems that use SSN as a unique identifier is to be shown to be the sort of IT professional who should be forced to wear very large shoes on their feet and a red rubber ball on their nose.
I would hope that the latency issues have been addressed in the 15 years since I last investigated this, but nowhere will you find a statement to the effect that the SSN may be used by every Tom, Dick and Harry as a unique identifier without let or hindrance.
Precisely! These banks take the piss. I worked for an investment bank a few years ago... 2 days after starting I recievied an email from my manager telling me to put all my passwords in the Macro enabled Excel spreadsheet that was attached and upload to an SMB Share for "backup purposes". No S/MIME, nothing.
I resigned the following week. Pathetic.
The implantation has, shall we say, issues. So the crooks are using the iPhone to rip-off Apple in order to rip-off banks, private citizens, etc. The poetic is using a product to rip off the maker.
The problem still boils down to the banks. IF they were serious, you'd take your phone and proper ID into the bank for verification. But that might inconvenience some users, right. It also, wouldn't let the bank off the hook when it's bailout time. Once again, users/taxpayers/honest citizens are screwed by the few and the mighty.
In the past, they have not been afraid to dictate to both users and companies alike, exactly how they are to do business with Apple.
If Apple release this form of payment method, without demanding a high threshold of identification and verification parameters to be able to use this service, they they are just as much to blame as the banks.
And yes, I would say the exact same thing about google wallet if they allow such lax measures to be used for verification.
ApplePay is far more secure than carrying your credit card around in your wallet. It is far less likely for fraud due to the inbuilt security mechanisms.
However, fraudsters will always try different ways - and these apply to any contactless payment, not just ApplePay (just Apple is so visible, putting Apple in a headline makes for a good headline).
If fraudsters access a retail vendor's server database it is the fault of the vendor who are in turn a victim of the fraudsters.
However, loading it on to a smart phone is a risk to the fraudster since it is more likely to be tracked (as in Find My iPhone). Maybe those anti-fraud measures are not in place at the moment, but it is easy to see that the backend could be tightened up in this way. No need for FUD against ApplePay, thanks.
I dont get how Apple Pay is more secure than carrying your credit card in your pocket.
With my card, its a physical card, it has my signature, chip and a PIN number to verify that it is in fact me using a physical card.
With Apple Pay, the physical card is not present. It looks like all you need is a PHOTO of the card to load it into Apple Pay, and the SSN's last four digits.
To compare, that would be like me giving the card to a friend along with the PIN number and telling them to go buy something for me.
I'm sure all contactless payment systems may have the same problem, although it seems that Paypal and Google Wallet may not have had it to this extent. This could be either due to Google's registration process or through low usage. I dont know how rampant fraud was with GW.
I guess "ease of use" and "ease of fraud" go hand in hand
"I dont get how Apple Pay is more secure than carrying your credit card in your pocket.
With my card, its a physical card, it has my signature, chip and a PIN number to verify that it is in fact me using a physical card."
The physical card can easily be stolen. If they steal your iPhone, they need your finger print to access the credit information. ApplePay is more secure than physical cards.
"I guess "ease of use" and "ease of fraud" go hand in hand"
No that is absolutely not true.
It can also easily be cloned. All that data in the magnetic strip and onboard chip is very poorly protected and duplicating it all onto a blank card is child's play once you've got a copy of the data. The only bit that's not easily copied is the signature, and any competent fraudster should know how to forge a signature too. Not that anyone ever looks at the signature on the card any more, even when it's not a CNP transaction.
Got any references to this? You can't just read it via NFC, the chip is a tiny CPU and contains a private key you can't access. OK, you can probably use an electron microscope to read the chip if you know what you're doing and, you know, have an electron microscope, but if you're able to do that you can probably commit some more lucrative crimes instead of wasting your talents on card cloning.
"I guess "ease of use" and "ease of fraud" go hand in hand"
I'll address that another way - making systems hard to use is security by obscurity and that is known not to be a good security strategy. Excellent security systems are also simple and provide ease of use. Apple has really excelled on that count with ApplePay.
Since Apple Pay is only in the US, you need to realize that in the US there is no "chip" and no "PIN" on a credit card number. It is processed with your signature alone. They'll take ANY scribble at all, they don't look at it and never check the signature on your card - I can say that for sure since I've never signed my cards! When you sign for a charge in person, it is considered "card present". If you phone in or web in an order there isn't a signature, so they ask for the three digit "security" code that's on the back of your card but not encoded in the mag stripe. That's "card not present" and the retailer pays a bigger cut for that type of transaction since fraud is more prevalent.
What the article is talking about is that getting someone's card number is enough to enter it into Apple Pay, and those transactions are considered "card present". I suppose they could bump up the security a tiny bit making you enter the three digit code so you have to actually have the card (in theory) but that's not going to help much since such info is readily available from all the online retailers that have their databases cracked and contain millions of customer card numbers & codes.
The best solution is what someone suggested above. In order to activate Apple Pay, the credit card company has to send you a snail mail letter to your billing address with a code that needs to be entered to activate the card in Apple Pay. That would make it less convenient and get rid of the instant gratification, but it would avoid the possibility of card numbers stolen online being used in this manner.
I disagree somewhat with your conclusion there...
I'd be interested in a quick straw-poll of the commentators on here to see how many have actually used Apple Pay.
I'd be willing to wager I'm one of the few. I use Wells Fargo for my main credit/debit cards. When I got an iPhone 6 (in the UK incidentally), part of the setup noticed that the cards were iPay compatible, and would I like to use them. Once I'd done that I got an email from Wells Fargo telling me that someone had asked to add them to an Apple ID for use with iPay (I forget if it included the account details/phone #, but I'm due a new credit card soon, so I'll report back if I remember). I had to sign into the online banking, and run through additional security procedures before Wells Fargo would authorize the cards to be used with my iPhone (more than just the username/password to get into the online banking). Because the wife hadn't used her online banking in a long time, the bank actually insisted that she called up
Another thought too, they'd have to be a fairly well heeled criminal to do this, as I'm sure if the transactions were flagged as suspect, then you'd lose the apple account and (one would assume) the iPhone attached to it...
I dont get how Apple Pay is more secure than carrying your credit card in your pocket
But you don't just carry the card in your pocket, do you. You get it out and, typically, stick it into a reader where you start typing your PIN. Your PIN can easily be sniffed by someone watching over your shoulder, or putting the card in a compromised reader. Your card/PIN can be cloned and used quite happily in parts of the world where they don't use Chip & PIN yet.
Apple Pay uses secure tokens to ensure that your credentials are never divulged to anyone. Ergo: more secure.
"Apple Pay uses secure tokens to ensure that your credentials are never divulged to anyone. Ergo: more secure."
That's exactly right Mike. When you put a credit card in a reader, your numbers can be skimmed. With ApplePay, the iPhone does the job of the reader, validates you by your finger print, only unique numbers to do with the transaction are passed to the bank encrypted.
Much safer than using your credit card. These stories really are FUD against ApplePay (and by that I could probably say Google Wallet and others).
In the US they still use magnetic stripes and not even on-card chips, which are much harder to copy than mag stripes. So the US is way behind in security.
Some years ago back in the mid 1990s I met with credit card companies on a project that was being developed. There were two issues then, limited imagination and the huge cost and near impossibility of adding security functionality to the streaming processes then used. I am pretty sure that number two still exists and we can see (1) being exhibited now. I am amazed that people were not aware that all this talk of 'very secure', is frankly hog wash - it is with all systems. Make a more secure anything and people will look for the easy way round the security. This is no exception. I suspect that the first error was to major all efforts on one device/method of initial verification. After that it was to allow a basically insecure method to 'verify' the voracity of the set up. If you do not employ a bit of lateral thinking and periodic re-verification your security will be breached. This is a consumer product so one perceived need is an easy ride for the user, but easy rides always come with costs.- The CVC code is pretty weak, and even the secondary card not present checks are not hugely strong but at least they are better and can be updated if/when needed via an established route.
Frankly I do not care who allowed this to come about, the banks, apple, the man in the moon, or whoever, it makes no difference. It is still like making a secure vault with thick walls and armoured locks and having an unsecured air-conditioning duct or a plywood roof (it's safe at 10 feet off the ground). The product is end to end and the weakness is where ever and when ever it is found.
The risk to the well organised fraudster is zero, phone cost is a few units of currency, (probably paid for with a stolen card), load it, use it for a few days make money, dump phone, bingo.
An article about bankers and lax controls around money. Who'd have thought the very people entrusted with our hard earned dough would overlook things like proper security. Only a few million in losses you say? Lol. Let us know when it's reached billions. That'll be a story and likely when bankers actually do something.
As nicely pointed out by Bruce Schneier a while ago (https://www.schneier.com/crypto-gram/archives/2005/0415.html#2), until the financial institutions are held accountable for fraud, there won't be an incentive for them to build proper user data protection and identity verification.
In this case Apple should take some share of responsibility but it seems their mechanism is reasonably safe, and far above what banks are doing.
The Bank of England have been slammed that their new banknotes allow rampant fraud, banking experts are claiming.
The problem is that whilst the notes themselves contain various security measures and are hard to copy, banks are being lazy and not checking the notes presented to them carefully enough and consequently are allowing people to deposit Monopoly money.
What is surprising is that it has taken this long for the issue to come to light. As with M&S in the NFC fiasco with double charging, the transfer of any form of payment to NFC, registered cards on devices and so on is always going to be a magnet for fraud. It is simply too easy to bypass the control with the information that the criminals can access. This is squarely at Apple's door or any other outfit that uses this technology. The banks are part of the loop but the end point has to be where the buck stops. Many of the problems surrounding this is that "While Coller crime" is not unacceptable in the way traditional crime is. The offer problem is that the individual amounts are small. The total may be large but the spread of small transaction simply makes it far too difficult for the Police to do anything about it.
At the end of the day we all end up paying in back charges.
People are worried because even though you get the money back eventually it can be a right royal pain in the Harris to identify the frauds, get a new card, claim the money back etc. My housemate a few years ago ended up having his credit rating adversely affected by a credit card fraud that cleared out his bank account and resulted in several missed payments. Even though the back refunded him the money after a week or so, it took him a few months to get his credit rating back to normal which was jolly inconvenient at the time as it meant his mortgage application was rejected, he lost the house he wanted and - worse of all - he had to live we me an extra month.
Reading the article, it seems that, in order to register a card with Apply Pay, all you need is the card number, and poor security by the bank allows the card to be used without any further checks.
Whenever I use by debit or credit card online, I am redirected to the Verified By Visa or Mastercard Securecode verification site to enter digits from my password.
Why is this not part of the Apple Pay registration? Seems to me that a card number and SSN are available from the darker corners of the internet. Have Visa and Mastercard also had lists of passwords stolen too? I don't remember reading about that.
It may not be the smoothest of processes but, surely this would be better:
You type in your card number and 3-digit code off the back
You enter your Visa/Mastercard verification details
Your bank then calls you on the number they have for your account, that you provided
They confirm some details that are not easily accessible
They post a registration code to your registered postal address
You enter that code into ApplePay
Now you can use it to buy things.
Not 100% foolproof, but, having access to your card, phone and home are all required. A card number and SSN are useless on their own. Yes it's a little more inconvenient and may take a week to get it all sorted, but, is that really such a big problem?
The only way I can see this working is if the second factor authentication (e.g. the SSN) is requested via the iTunes account that is registering - via a call to the associated iphone, rather than calling the number that the bank has on record.
This means all it can validate is that the person registering knows the information in question, it can't validate that the card holder is aware of or authorising the cards addition. This is made of stupid.
Or, you know, those Visa and MasterCard SecureCode things where only the cardholder you reasonably can provide the second factor? But ApplePay / Amazon choose not to use them and absorb the liability.
Or, you know, texting you when a transaction occurs on your card like EVERY BANK IN EVERY OTHER EU COUNTRY DOES, for free.
Hell, I was able to tell the woman in B&Q that they'd double-swiped my Italian relative's card because he got two text messages from the bank before we'd even finished bagging up. And that's across international borders.
In the US, at some major chain retailers (Fry's Food, Ross Stores, Home Depot, to name a few) and other minor chains, it is sufficient to swipe the card thru the reader as a credit transaction, and if the amount is under 50 dollars, no further check is done, not even requiring a signature on the reader screen, or the cashier to even look at the card. This is security?
The problem here is the credit card, or rather the use of an easily stolen credential across multiple transactions.
Alternatives do exist, but are successfully avoided by charging the merchant (and ultimately the consumer) to insure the fraudulent transactions, and always reversing the transactions at the expense of the merchant (who then loads the price even further to self-insure much as they do for "shrinkage"). Banks are rewarded for this with termination fees creating a cartel.
Until the greedy bankers/schemes are removed from the equation this will always be so. For those in the industry, PSD2 is coming, and that will change things for the better, assuming our politicians can stomach the loss in income.
"Apple is known for making things easier to use, even for fraudsters."
Wong making things easier for your legitimate users does not necessarily make things easier for fraudsters. In fact, most often it makes it harder for fraudsters. Fraudsters in fact love complicated systems because they have more holes in them.
The phrase is that "security by obscurity" is not good security.
Amazing how the comments went straight to assuming that a problem with Apple Pay == a problem with Google Wallet. Know why Google Wallet doesn't suffer from this? After all it's been around for years, Android devices are plenty available and if it allowed this type of attack, why would it be just now that we have this issue?
I've used Wallet for years, the only way you can add a card requires 2 factor authentication. https://support.google.com/wallet/answer/3230760?hl=en
Just because you're a fan of Apple, please stop assuming that they are the only way of doing things and thus every issue found in an Apple device is an issue found elsewhere. It gets old and annoying.
Google uses the same banking systems. The problem is with the banking systems. Google could also be subject to this attack if someone steals you credit card numbers from a site and sets up wallet on their own Android.
Misinformation and attacking Apple gets old and annoying.
So who takes the dive on this one?
Apple? No, I think they have probably done a good job protecting themselves. Their system is not broken.
The Bank? Hopefully since it is their shoddy verification process that is causing the issue.
The Consumer? Hopefully not but possible. The poor guy gets the bill and when he claims fraud:
Cons.: "I didn't buy anything from XStore."
Bank: "Yes, sir....the charge is from XStore in XTown. You do live in XTown don't you?
Cons.: "Well, yes....but I don't shop there."
Bank: "I'm sorry sir, but that appears to be a valid charge."
Cons.: "That's not possible....I have my credit card right here."
Bank: "Indeed, sir. The transaction was authorized by ApplePay."
Cons.: "But I don't use ApplePay."
Bank: "We have your validated request to add your credit card to ApplePay.
Cons.: "But....but....I don't have an iPhone."
Bank: "Ooh...you should use ApplePay when you purchase one."
Cons.: "But....but....but...."
and SCENE.
Cons.: "That's not possible....I have my credit card right here."
But I didn't buy anything that cost that much."
But I didn't buy a new TV." the bank comes back and says it is is valid charge. Yep....transaction properly authorized Much worse if the fraud happens in the same local area where the consumer lives.
As I've had to say to people several times: You are not liable for fraudulent charges on your card. Ever.
When the bank question it, you tell them it was fraudulent.
It is then up to them to prove otherwise. If you're lying, and caught on CCTV buying those goods, or whatever, they can charge you with intentional fraud, etc. as well as theft of the money/goods.
But once you've said "I did not authorise this transaction number 12854738", that's the end of it. Refund me (and all incurred charges because of it) or take me to court and prove otherwise.
Sure, it's hassle. But never pay a charge that you didn't authorise, not even for a second. Doing so could even be taken as an admission of your part in a fraud, or even that you were present at a certain place at a certain time when you weren't.
I registered a card with AP - it required the card number, exp date and security code. If all this information AND the SSN is already compromised, they could be minting all kinds of copies of your cards and dozens of bad guys could be using those. How is Apple supposed to do anything about that?
Banks needs to come up with some serious verification steps that really work (good suggestions above). Also sounds like a really great idea to make banks liable for at least some of these losses (as also stated above) to give them real incentive to stop allowing crims to piss away the money of hardworking citizens.