Worries that fraudsters are using Apple Pay to load stolen credit cards on iPhones are overblown, according to Apple and several banks.
Apple Pay — the new tap-to-pay system that uses your fingerprint to approve transactions — is the safest way to buy stuff right now. But recent reports have noted that some criminals are using it for stolen credit cards.
One industry consultant, Cherian Abraham, estimates that Apple Pay fraud rate can reach a whopping 6% of transactions at some banks — 60 times the average credit card fraud rate. He stressed to CNNMoney it’s only that high at some banks — not all.
Some put it even higher, at 8%. The New York Times cited quiet complaints from banks.
But CNNMoney spoke to the nation’s largest banks, an association of community banks and Apple. The takeaway? This high level of fraud isn’t really widespread.
Banks also make this point: Banks get stuck with fraud costs. Yet dozens of small banks are in a long line to join Apple Pay by the end of 2015, according to L. Cary Whaley III, a technology policy expert at Independent Community Bankers of America. Why would they want to join if fraud is truly rampant?
Still, neither Apple nor the major banks would say what level of fraud they’re seeing on Apple Pay.
Those who worry about Apple Pay fraud say it’s happening because it’s too easy to load up credit cards on an iPhone. But Apple and its largest bank partners pointed out that they carefully authenticate customers every time.
“During setup Apple Pay requires banks to verify each and every card,” an Apple spokesperson said in a statement. “The bank then determines and approves whether a card can be added to Apple Pay.”
CNNMoney tested this out by setting up Apple Pay with debit and credit cards issued by several banks. The authentication process was indeed robust.
Bank of America requires a phone conversation in which you must state your name, card number, driver’s license number and the details of the latest check you wrote.
JPMorgan Chase and Wells Fargo sends you a one-time verification code to the email or phone number it has on file.
According to its website, American Express also uses a one-time code. Sometimes the company even calls the customer to double check it’s actually them.
In all these cases, you also get an alert from the bank that says you set up Apple Pay. Combined, these are big barriers for the typical fraudster.
So, if there’s a high rate of fraud, why is it happening? Industry sources say there’s only one possible hole: Not all banks are doing Apple Pay setup right.
Some make it too easy without making sure you’re actually you.
Consider that a lot goes on in the background too. When you add a new card on an iPhone, Apple sends the bank your current location, the last four digits of your phone number, a snapshot of recent iTunes purchases, and it tells the bank how long you’ve used that card on iTunes. It’s up to the bank to use that information to make sure it’s you.
For example, if you live in New York but you add a card in Miami, that should raise flags at the bank. It’s the same if you add a card to a phone that’s different than the one your bank has on file, or if your iTunes purchases don’t match up with the bank’s records.
Two companies with knowledge of the Apple Pay process say that some banks ignore this data.
So, if someone steals your card and uses it on Apple Pay, blame your bank.
Then again, Apple could fix this by demanding stricter verification from banks. That’s the point made by Mike Dudas, a former Google Wallet executive.
“It is both a bank and an Apple problem… but since Apple controls the platform, they can dictate the best practices,” said Dudas, who’s now at the startup Button.