By Daisuke Wakabayashi And Robin Sidel
It didn't take long for fraud to find its way to Apple Pay.
Some banks are witnessing a growing incidence of fraud on Apple
Inc.'s mobile-payment service as criminals exploit vulnerabilities
in the verification process banks follow when users add a credit
card to the service, according to people familiar with the
matter.
Banks are tightening this process in an attempt to curb the
fraud, these people said.
The problem was brought to light in late February in a blog post
by Cherian Abraham, a payments expert who works with banks and
retailers on mobile-payment strategies. He said fraud "is growing
like a weed, and the bank is unable to tell friend from foe."
Mr. Abraham said it isn't "an anomaly" for fraud to account for
about 6% of Apple Pay transactions, compared with about 0.1% on
transactions that involve swiping a credit card.
He said that fraud rates on credit cards vary, depending on the
bank that issued them.
Mr. Abraham is an adviser to SimplyTapp, which provides the
host-card-emulation technology for contactless payments on devices
using Google Inc.'s Android operating system. Those payment systems
compete with Apple Pay.
Mr. Abraham said other mobile-payment services might be exposed
to the same fraud problem, "irrespective of origin, scale, intent
or patron saint."
A spokeswoman for Apple declined to comment on the fraud rates,
but said Apple Pay is "designed to be extremely secure and protect
a user's personal information." She added that "banks are always
reviewing and improving their approval process, which varies by
bank."
Stolen identities and lifted credit-card numbers aren't unique
to Apple Pay. Stolen cards have long been a problem in e-commerce
transactions, which have higher fraud rates than credit-card
purchases made in a store.
Apple Pay, thanks to its quick and easy checkout process, in
which users pay by waving an iPhone in front of a wireless reader,
can combine some of the vulnerabilities of online shopping with the
instant delivery of buying a product in store.
The service has been a success for Apple. As of the end of
January, the company says, Apple Pay accounted for two of every
three dollars of contactless payments made with Visa, MasterCard or
American Express cards.
The fraudulent Apple Pay purchases are being coordinated by
sophisticated organized criminal gangs who are capable of scaling
the fraud very quickly, according to Mr. Abraham. However, making
the verification process too difficult and time-consuming could
deter potential Apple Pay users.
Apple has gone to great lengths to secure Apple Pay. It uses a
"secure element" within the latest iPhones to store the encrypted
payment data separately from the rest of the phone. It uses a
fingerprint reader to ensure that the phone's owner is making the
purchase and issues a one-time code so merchants don't see
customers' credit-card information.
The weakness identified by Mr. Abraham occurs at an earlier
stage. When a user adds a card to the service, Apple says, it sends
information such as the type of phone, the last four digits of the
user's phone number and the user's general location to the bank
that issued the card. The bank decides whether to approve the card
for Apple Pay.
Banks can ask for additional information if their information
doesn't match Apple's. In those cases, a bank may ask a user to
call in to answer additional security questions. Mr. Abraham said
that some banks made it too easy for cards to be approved, because
they wanted to reduce the friction of adding their cards to Apple
Pay.
For example, he said, some banks asked for the last four digits
of a customer's Social Security number, which is easy to answer if
the perpetrator knows that person's credit history or personal
information.
Card issuers have been eager to join Apple Pay, and it is
possible that some didn't adequately train the customer-service
representatives who handle authentication, one person familiar with
the matter said.
Banks pay Apple 0.15% of every transaction made on Apple Pay, a
concession that the company won by persuading them that its
payments service was more secure than the conventional credit-card
swipe. What's more, Apple has benefited from an advertising blitz
funded in part by commercials from issuing banks.
Write to Daisuke Wakabayashi at Daisuke.Wakabayashi@wsj.com and
Robin Sidel at robin.sidel@wsj.com