Tag Archives: Apple Pay

Banks Warn Users About Storing Family Member’s Fingerprints On Apple Pay iPhones

iPhones can store multiple fingerprint images – some phones can store up to 10 different fingerprints.

HOWEVER, if you use Apple Pay, you might want to think twice about storing more than one fingerprint on that phone.  Like the fingerprint of your spouse.

This is where old school businesses and new school tech need to meet somewhere in the middle.

Banks – at least in the UK – are warning customers that if they have their phones set up for Apple Pay AND they store more than their own fingerprint on the phone – they will be violating the bank’s terms and conditions.

The result may be that banks will refuse to refund disputed transactions or may not assist customers if they become victims of fraud.

Lloyds’ customer agreement says “you must ensure you only register your own fingerprints (and not anyone else’s).”

HSBC and First Direct have similar warnings in their terms and conditions.

The banks and Apple probably need to get together and figure out how to deal with this.  All the banks are concerned about is that other fingerprints don’t authorize transactions on your behalf.  Beyond that, it doesn’t seem that the banks should care how many fingerprints are on the phone.

While the article talks about British banks, I wonder if US banks have the same terms and conditions – that haven’t made the news yet.

Information for this post came from SC Magazine.

Apple Pay Not Living Up To The Hype

American Banker is reporting that banks are not terribly happy with their customers’ adoption (or not) of Apple Pay.  This probably has less to do with anything that Apple did or did not do than with the fact that people don’t deal with change very well.

While 84% of the banks reported they were involved in a mobile payments rollout when surveyed in January of this year, only 0.68%, or less than one percent, of the eligible debit cards were enrolled in Apple Pay.

To make matters worse, the same survey said that consumers were only making 0.34 transactions per month per enrolled card.  That means that they use Apple Pay once every 3 months.

SunTrust Bank reported that 15% of the iPhone 6 owners had set up a card on their phone and 25% of the 15% had made at least one transaction.

On the small bank side, First Financial CU reported that of their 65,000 members, 48% are iPhone users and 345 of them use Apple Pay.

While it is way too early to predict the demise of Apple Pay or any of its competitors, the early forecast of kicking MC and Visa off their throne was clearly a bit optimistic.

It seems to indicate that it is going to take something big to get consumers to change their ways.  It is just too simple to take your credit card out of your pocket and slam it into the checkout terminal.

In addition, predictions of merchants saving money due to lower interchange fees and Apple getting richer over transaction fees were both a bit overly optimistic.

Information for this post came from American Banker and Payments Source.

The Changing World Of Transaction Payments

If you either use credit cards or are a merchant that accepts credit cards (I think that covers most of us), your world is changing and changing rapidly.

Sorry, this is going to be long, so you might want to get a cup of coffee and possibly some aspirin before you start reading.

First, if you are a merchant that accepts credit cards: effective Oct 1, 2015, if you do not accept chip-based credit cards (the so-called EMV card that has been the standard in Europe for 10 years – we are just a little bit behind) and there is credit card fraud, you, as the merchant, become financially liable for the loss (for gas stations that does not happen until 2017).

This means that as a merchant, you have to change your credit card reader equipment, train your employees and, if your credit card process is tied into your point of sale system, likely change that as well.  All this is at your cost as a merchant. Here is Visa’s guide for merchants on how to migrate from the old mag stripe credit cards to the new chip-based cards.

One thing that is still different between the U.S. and Europe is that Europe requires that you enter a PIN with the chip card and we are going to use the old fashioned signature.  PIN is likely much more secure – retail clerks rarely check whether your signature matches the back of the credit card.  Mastercard and Visa opted not to use a PIN because they thought that people might use their cards less if they were harder to use – and that is like a knife to the heart for credit card processors.  They would rather eat the losses, which they pass on to the merchants in the form of fees, who pass them on to you and me in the form of higher prices.

The second change that will affect merchants is the release, in April 2015, of the PCI 3.1 standard.  The main reason for this change is all of the SSL bugs that I and others have been writing about for months (including Heartbleed, POODLE, FREAK and Bar Mitzvah, among others).  This likely will require a number of software upgrades as SSL is no longer allowed, only the current version of TLS.

In addition, as of PCI 3.0, released in January, merchants are now required to conduct penetration tests at least annually, which are much more complicated than the old requirement for doing vulnerability scans (see guidance on conducting penetration tests here).  Merchants also have to implement intrusion detection and prevention technology.

Now the part that affects consumers – which, of course, also affects merchants if they choose.  Apple released Apple Pay earlier this year.  Some merchants embraced this; others are totally fighting it – by either turning off the NFC feature on their credit card terminals that is required to make it work or not fixing that part of the terminal if it breaks.  This is so much of a problem that some customers have reported that they have only completed ONE Apple Pay transaction successfully since they registered their cards.

But if that wasn’t confusing enough, customers and merchants will have to deal with other competitors to Apple Pay, including:

Samsung Pay – which only works with the Samsung Galaxy 6

Google Wallet – which has been around for a few years, but has not gained much acceptance.

CurrentC – the big merchants’ alternative to Apple Pay. This is supported by the retailers and they will give you discounts and freebies if you use this rather than Apple Pay.  This will be hard for Apple to counteract because the merchants are in control of these discounts and freebies.

Stratos – a small high tech startup with their own solution

Here is a guide to these options.

If you are a consumer, you can choose to use one of these alternatives or not.

If you are a merchant, you will need to make a bunch of decisions – running the risk of offending customers and having them go elsewhere.

And, I am sure, there will be more choices before this all settles out.

Apple Pay – A Credit Card Thief’s Dream

When I wrote a couple of weeks ago about Apple Pay security problems (see post), I didn’t really understand the scope of what I was writing about.  Thanks to Brian Krebs (see his post), I now understand the problem is bigger than I thought.

Let’s assume that you are a crook and you bought a bunch of credit card numbers on the dark web.  How do you monetize this?  One way is to go to some web site and buy some stuff with the stolen credit card numbers that you have.  Now you need someone stupid enough to be your mule to accept the delivery and give you the merchandise.  And that assumes that the merchant does not verify that the delivery address is one that is set up for that card.  That also gives the merchant and credit card company a starting point to track you down.

Alternatively, you could go into a store and use the credit card.  No one asks for ID, and you don’t have to give a name and address, so that should be safe.  Oh, wait, you don’t have a card – just numbers.  You could get the equipment – credit card printer and embosser, mag stripe writer.  The big guys do that, but it is expensive and you have to know how to do that.  Also, the price for the information needed to burn a fake card is way more than just the numbers.

You think for a minute.  POOF – APPLE TO THE RESCUE.

You take the stolen credit card numbers and your handy iPhone that you bought earlier with another stolen credit card.  You either create a bogus iTunes account or buy a hacked one for $8 retail.  You now tie your stolen credit card data to your hot iPhone and voila, you have a virtual credit card.  No fuss, no muss, no bother. You can now go into any store that accepts Apple Pay (like the Apple Store) and buy stuff just like you had the real credit card.  You then turn around and sell the stuff for cash.

All of this only works because, as I wrote about in the earlier post, banks don’t do a very good job of validating people prior to linking their account to a phone.  They are so worried about offending a customer and missing out on the Apple Pay hysteria that they wind up with a very high level of fraud – right now about 6%, which is, as I said in my earlier post, a great way to go broke since the bank’s fees are nowhere near 6% (more like 2%).

And the bad news is that you don’t even need to be an Apple user to be a victim of this kind of fraud.  If your credit card bank supports Apple Pay, there currently is no way to say that you do not want your cards to be linked to Apple Pay.

Apple and the banks will eventually figure this out, but in the meantime, the crooks are making a LOT of money.


Apple Pay Hacked (well, sort of)

As I suspected when Apple Pay was released, the hackers did not just give up and say “this is too hard” and all get jobs at Burger King.

No, instead they said, what vulnerabilities does Apple Pay have?

The first one (at least that we know of) is something called yellow path.  The hackers have figured out that they can set up an iPhone with stolen personal information and then call the bank to authorize the card.  Apparently, Apple has a red, yellow, green process for doing this where red is rejected and green is approved, but yellow requires additional verification to add the card to the phone.

At least some banks are being lax about this and just asking for the last 4 of the social and if the hacker has that, the bank sets up the card on the phone.  Since the hacker controls the phone, they pass the fingerprint check and run bogus charges on the card.

The karmic part of this is the crooks are often buying Apple products at Apple stores with the bogus iPhone/Apple Pay setup.

Apparently this is a REALLY BIG problem.  Card issuers had expected about 2 or 3 cents of fraud per hundred dollars of charges.  Instead they are seeing about 6 dollars of fraud per hundred dollars of charges.  That is a good way to go broke.

The fraudsters are way better at conning the bank’s call centers than the banks are at detecting the fraud.

And, as has been the case since the beginning of time, since the banks are much more worried about not offending customers than having good security (hence the $12 billion a year in credit card fraud), we have a problem.  For example, how often does a clerk in a store really examine the signature panel on your credit card?  I have some cards that are not signed and I have seen many clerks look at the signature panel, see that it wasn’t signed, and hand me back the card rather than ask me for ID – they don’t want to offend anyone.

In any case, given the fraud rate is about 200 to 300 times what they planned for, they are going to be forced either to do something about it or discontinue accepting Apple Pay.  Talk about a rock and a hard place for banks.

See this article for more information.