While speaking at the American Bankers Association Risk Management Forum on April 15th on mobile risk, several institutions indicated they were in the process of signing up for or considering Apple Pay™. So we shifted the conversation a bit to really dive into an institution’s risk when offering the service. One aspect became clear; some institutions weren’t aware of the liability for consumer claims that originated through this mobile platform.
Mobile Fraud
According to a 2015 survey released by LexisNexis Risk Solutions, mobile devices now make up a disproportionate share of the near $6 billion of fraud losses charged to merchants and card issuers in the U.S. While mobile payments account for only 14% of transactions among merchants who accept them, they equate to 21% of fraud cases. While some recent improvements have been made to the authentication process for Apple Pay, institutions are still looking for ways to minimize the Apple Pay fraud problem, which is already running into tens of millions of dollars in losses for financial institutions according to Drop Labs. Yes, you read that right: tens of millions of dollars in losses for financial institutions in its short lifespan.
The Apple Pay Difference
After years of false starts and failed attempts, mobile payments are just beginning to stand out. Mobile payments accounted for $52 billion worth of transactions in the U.S. in 2014, up from $32 billion in 2013, and are expected to rise to an impressive $67 billion this year, according to analyst Forrester Research. And consumers are adopting mobile wallets, aka digital wallets, as the way to initiate a mobile payment more frequently.
No two mobile wallets are created exactly the same and liability is an area that institutions should pay close attention to when supporting or sponsoring a mobile wallet. Apple Pay does have some impressive security to authenticate the cardholder, but it’s not infallible. Bad actors have already figured out how to load stolen card data to the platform to initiate purchases, usually buying prepaid cards and gift cards, which are essentially untraceable. And who’s holding the bag on these losses? Typically, the issuing institution.
When a consumer wants to load a card to the Apple Pay wallet, they can take a picture of the card or enter it manually (criminals using stolen card details of course preferring the latter). The information is collected by Apple, then transmitted with other pieces of information to the card issuer for authentication. The authentication methods used by institutions to confirm a card are proving easy for fraudsters to dance around.
Some institutions are requiring the last four digits of the card holder’s social security number (SSN), something online criminals frequently nab because the last four digits of a person’s SSN are a common “authentication” method. Other institutions are authorizing by having the iPhone owner call into a call center to authenticate themselves, often requiring things like mother’s maiden name (ever check out the FREE mother’s maiden name database in online state records or Ancestry?) or yet again requiring nothing more than the last four digits of the card holder’s SSN (we already covered the problems with this).
Once the issuer authorizes the card, all transactions are considered card present, which leaves the issuer in the position of loss if fraud is reported.
In Closing
I’m not attempting to steer an institution away from Apple Pay by any means. As with any third-party arrangement, enter into this agreement with a clear understanding of liability and the overall process so you are prepared for inevitable fraud claims. There’s no easy solution to this problem. Until Apple Pay and card issuer’s figure out a stronger authentication method, bad actors using stolen card data will continue and losses will continue to mount.
Also, this is a constantly changing environment; while these are the common processes today, they may be different tomorrow. I've heard rumblings that Apple and issuers are both looking at alternatives to thwart these common fraud attempts. More to come I'm sure.