retail news in context, analysis with attitude

The Washington Post reports that "a sharp rise in reports of fraudulent Apple Pay transactions is raising questions about the security of the first mobile payment system to find a measure of popular success. One payments analyst, Cherian Abraham, estimated that as many as 6 percent of Apple Pay purchases are completed with stolen credit cards, or 60 times the rate of the old-fashioned plastic swipe."

The story suggests that "the problem is that Apple Pay may be too simple to set up, security analysts said. Fraudsters have been loading stolen cards onto iPhones to buy things at stores. As it turns out, it might have been better if Apple Pay required users to do more to prove their identities when they sign up for the service, these experts said."

Here's how the problem is framed by the Post:

"The essential problem with Apple Pay is the setup, security analysts said. Users need only to open the app on their smartphones and enter a credit card number, the expiration date, and the three- or four-digit verification code. That information is instantly sent to Apple, which rates consumers as safe or risky, based on what it knows about their buying habits at its stores or on iTunes. The bank or company that issued the card is also notified and has ultimate say on whether to reject a user.

"In most cases, the decisions by Apple and the card issuers occur within a few seconds.

"Compared with traditional credit cards, Apple Pay does not do enough to weed out bad consumers from good ones, security analysts said. That has made it easy for the unscrupulous to trick banks and other financial firms into approving stolen cards, they said.

"Criminals can buy credit card numbers and their verification codes by the bundle - and cheaply - online, said cybersecurity blogger Brian Krebs. They then plug those numbers into unlocked Apple devices that are hard to trace."
KC's View:
There seems to be no question that as new mobile payments systems are developed, the bad guys are very quickly going to be developing ways to abuse them.

The interesting thing is that, at least as I read these stories, the problem isn't that my data is more at risk when I use Apple Pay ... it is that data stolen in other ways can be easily plugged into the Apple Pay system. That doesn't mean the problem is less serious ... but it requires a different and broader sort of fix, I think.