BOSTON—The rush to enroll with Apple Pay may have some FIs overlooking standard security protocols, widening the door for fraudsters, several sources have told CUToday.info.
One expert, too, feels Apple could be doing a better job of monitoring for fraudulent transactions.
FIs are giving fraudsters an advantage when they do not use a second authentication factor—such as an e-mail or a text message—to confirm that individuals enrolling in Apple Pay are who they say they are, according to Thad Peterson, senior analyst at Aite Group.
“The fraudster simply obtains stolen credit card data, enrolls in the new service and then is good to tap and pay,” he said.
The rush to enroll in Apple Pay, sources agree, has led to poor risk-management among some FIs coming out of the gate with the new payments platform.
“Every time there is a new product the fraudsters figure it out a little faster,” said Peterson. “But I think this issue can be quickly fixed—FIs simply must ensure there is a second authentication factor when a card is enrolled into Apple Pay.”
Bob Roth, managing director of payments at Cornerstone Advisors, Scottsdale, Ariz., says the problem is FIs are letting their guard down on the FFIEC’s Know Your Customer guidelines.
“Financial institutions should be doing callbacks and really find out who these people enrolling are,” said Roth. “If they need a cardholder to come into a branch to look at their photo ID, then that is what they need to do. Maybe with their interest in Millennials here, FIs are being too flexible in their Know Your Customer responsibilities and now you have a weakness.”
Richard Crone, principal of Crone Consulting LLC in San Carlos, Calif., contends that many FIs felt they had “a gun to their head” when Apple announced the new service late last year, giving most banks and credit unions about five business days to sign a contract.
Crone does not think the new fraudster angle will gain much traction among criminals.
“Crooks can only use Apple Pay at limited locations, and by loading a stolen card into a phone they now have added a degree of audit that does not exist with a simple stolen plastic card. It makes the crooks easier to ID and convict. This way they are not just dropping breadcrumbs for authorities to follow, they are dropping rocks.”
But FIs may not be the only ones to blame for some of the fraud on Apple Pay transactions. There are steps, too, that Apple can take, according to Brian Scott, VP at The Members Group, in Des Moines, Iowa. He says Apple’s rules for detecting fraudulent transactions on the front side could be improved.
He thinks that with Apple being new to payments, some fraudulent transactions are slipping by that seasoned payments companies would not allow.
“There may be some fraud rules they are choosing not to use. There are some basic things that are not happening around Apple Pay’s fraud rules. But even in the last five to six days we are seeing a lot of updates from Apple, Visa and MasterCard to fix this.”