ApplePay fraud points to looming problems with mobile payments

Avivah Litan, Vice President and Distinguished Analyst, Gartner Research

Last week, I participated in the ISMG Fraud Forum in Los Angeles, and one of the more interesting things I learned was how rampant ApplePay fraud is. It turns out the bad guys are loading iPhones with stolen card-not-present (CNP) card data, which is much easier to steal than card-present magstripe data, and essentially turning that data into a physical card à la ApplePay.

The banker speaking about this topic at the conference insightfully pointed out that this scheme is enabling fraudsters to bridge the CNP (card-not-present) world with the CP (card-present) world. Now they don't even have to bother with elaborate infiltrations of large retail chains like Target and Home Depot. They can simply steal or buy cheaper CNP card data used for ecommerce transactions and load it onto a smartphone, thereby transforming the CNP data into a counterfeit physical card used to commit more lucrative CP fraud. For more information on this see

This isn't necessarily an ApplePay problem. The responsibility ultimately lies with the card issuer, which must be able to verify that the ApplePay cardholder is indeed a legitimate customer with a valid card before the card is provisioned to the device. Apple does provide the issuer with information to help inform that decision. But the bankers I spoke with at the ISMG fraud conference complained that they don't get enough information out of ApplePay to properly support their fraud processes. If that's the case, they have the right to refuse to accept it — assuming they can get the support of their marketing colleagues.

In the meantime, Apple does provide a lot of rich customer data to aid banks with identity proofing, including information on a customer's device and iTunes account such as the device name, its current location, and whether or not the customer has a long history of transactions within iTunes. So I'm not exactly sure what else the banks are expecting. Interestingly, neither Apple nor the banks get any useful identity information out of the mobile carriers, at least none that I know of or heard about. And mobile carrier data could be particularly helpful with identity proofing. For example, the banks could compare the billing address on the mobile service account with the card account holder's billing address, and treat a mismatch as a signal to step up verification before provisioning.

For years, we have been briefed by vendors offering a plethora of innovative and strong user authentication solutions for mobile payments and commerce. And for years, we have been asking the vendors touting them how they know their mobile app is being provisioned to a legitimate user rather than a fraudster. That has always appeared to me to be the weakest link in mobile commerce: making sure you provision the app, and the card data behind it, to the right person instead of a crook. Strong authentication after enrollment does nothing if the enrollment itself was fraudulent.