How Secure is Apple Pay?

by Sid Kirchheimer

Since debuting in late October, Apple Pay has certainly proved to be easy, convenient and popular. Upstaging previous efforts by Google, eBay and various start-ups, the latest mobile-wallet venture is now accepted at some 700,000 locations across the United States and has 2,500 partnering banks and institutions.

But is it secure? Not according to recent reports, which suggest that Apple Pay has actually made for easier credit fraud — and has already resulted in 60 times higher rates of fraud than traditional credit card transactions.

With Apple Pay, after linking a credit or debit card for payments, users of the iPhone 6 or iPhone 6 Plus just hold their device to a reader while pressing the Touch ID sensor. With a subtle vibration and beep, you’re alerted to a successful transaction. (Meanwhile, Samsung is all set to follow in Apple’s footsteps and launch a payments platform with its upcoming Galaxy S6 and Galaxy S6 Edge smartphones.)

Register for Life@50+ Digital Experience. New AARP RealPad included! Learn More

The reported vulnerability isn’t with Apple Pay’s technology or fraudulent use of stolen iPhones; rather, it’s in how Apple allows its partnering banks to authenticate Apple Pay cards: They can either require more secure two-factor authentication or simply have cardholders telephone a call center for authentication.

Because most vendors are choosing the less secure call-in option, “fraudsters are buying stolen consumer identities complete with credit card information, adding the information to Apple Pay and convincing manual checks that they are indeed a legitimate customer,” contends the Today’s iPhone website. “Banks are clearly the weak link in the chain and are not taking the proper measures to ensure that the card owner is the one adding the card to Apple Pay.”

With two-factor authentication — offered by Google, Facebook, Twitter, Amazon and others (including Apple) — users must add a second level of authentication to passwords or PINs during log-in. This second factor is usually something you physically possess, such as a phone or ATM card, but can also include a “biometric,” like a fingerprint or voice print — and some suggest that Apple needs to put more pressure on banks to require two-step verification.

Until that happens, call-in authentication is “much easier for fraudsters to pass,” notes the Cult of Mac website.

The sixtyfold fraud rate was first reported by mobile commerce advisory firm Drop Labs, which notes that credit card issuers typically keep losses to fraud to about 10 cents per $100 worth of transactions — a rate of 10 basis points, in industry jargon. But the company finds that at least one issuer’s fraud rate with Apple Pay is 600 basis points — or $6 per $100 in transactions.

>> Get discounts on electronics with your AARP Member Advantages.

Apple representatives did not respond to the Fraud Watch Network‘s requests for comment on these reports or its plans and recommendations of stronger security for Apple Pay users. Some surveys find that a majority of consumers don’t plan on embracing Apple Pay, but if you do plan on using it or other smartphone payment platforms, here are ways to reduce your fraud risk:

1. Link to only one card. Unless you know that your payment-card issuers require two-step verification to use Apple Pay, test the security waters by linking just one payment card for Apple Pay. Although most Apple Pay purchases will be made in store, experts often recommend dedicating one payment card for all “online” purchases — whether made with a smartphone or a traditional computer.

2. Make it a credit card, which provides stronger fraud protection than debit cards.

3. Avoid Apple Pay for likely returns. Because sales clerks may be unfamiliar with Apple Pay, payment-card consultant Peter Olynick tells CIO magazine that it’s wise to initially use it for purchases you’re unlikely to return.

4. Closely monitor your Apple Pay card. Especially in coming months, pay special attention to all charges to the payment card linked to Apple Pay. While you should be doing that with all your accounts, it’s even more important as Apple Pay experiences growing pains.

5. Practice smartphone smarts. Apple Pay aside, smartphone users should lock the device’s screen with a secure PIN, activate offered encryption to protect stored data in case of loss or theft, and use security software recommended by their carrier or phone manufacturer.

6. Protect your identity. Because scammers are buying consumer information for fraudulent Apple Pay use, consider placing a credit freeze to prevent the opening of new accounts in your name. Also, get your free credit reports, three times per year, at AnnualCreditReport.com, to help spot fraudulent accounts.

For information about other scams, sign up for the Fraud Watch Network. You’ll receive free email alerts with tips and resources to help you spot and avoid identity theft and fraud, and gain access to a network of experts, law enforcement and people in your community who will keep you up-to-date on the latest scams in your area.

Photo: pixdeluxe/iStock