Cybersecurity and the Apple Payment System



After reporting that hackers had stolen more than 500 million financial records worldwide in 2014, the director of the FBI’s Cyber Division issued a warning saying, “You’re going to be hacked. Have a plan.” (Heartland Blog)

The US payment system presents one of the greatest challenges in cybersecurity. This vast operational network of laws, rules and standards acts as a conduit that unites bank accounts in order to move funds from a payer to a payee. It’s essentially the network that lets you pay your student loan, use online banking, or, in the case of a company, process a payment to a vendor for services.

In the wake of collapsing financial markets, the Federal Reserve is only now starting to understand the strong need to shield the payment system from flux by maintaining proper liquidity within the market through the mass printing of low-interest money. Like any other network, this system of networks has to be protected.

This hard but true reality was recently uncovered by Apple Inc. when they learned, with the introduction of the Apple Payment System, that fraud and cyberattacks are foregone conclusions within the financial industry.

The Challenge with the Apple Payment System

The problem apparently is linked not to a compromise of the mobile device’s security, but payments and security experts say fraud has resulted from some early Apple Pay transactions, although no banks contacted by Information Security Media Group would comment for attribution. (BankInfoSecurity.com)

Relaxed authentication practices used by the banking institutions have led to new exploits linked to Apple Pay. These gaps are quickly proving how easy it is for thieves to take advantage of virtually any secure payment system once a vulnerability is detected. The issue is tied to shortcuts that banks are taking in verifying cards that are loaded onto the iPhone for Apple Pay purchases.

“One executive with a mid-tier institution on the West Coast that just launched Apple Pay last month, who asked to remain anonymous, says issuers have been talking about fraud levels as high as 6 percent – the equivalent to millions of dollars in fraudulent transactions.” (BankInfoSecurity.com)

Considering that the average loss for fraudulent credit card transactions is typically less than 1 percent, an increase of 600 percent is alarming. The staggering increase to six percent fraud underscores the speed at which fraudulent activity escalates. It also signals the need for robust security protocols, mainly authentication, within this sector, and it raises two additional questions:

  • What can organizations do to protect themselves?
  • What can individuals do to protect themselves?

Oddly enough, the answer is the same for both. Both institutions and individuals need to step up their level of vigilance with regard to their own financials. Financial institutions need to continue to scan their payment systems for vulnerabilities and build actionable intelligence from what those efforts uncover. Retail organizations need to monitor their customers and look for suspicious activity, particularly with this payment system. Retail groups also need to focus on sharing as much as they can with their financial partners and the federal authorities when fraud is detected.

On the consumer side of the equation, it is hard to overstate the importance of monitoring bank accounts and credit scores. Pay close attention to statements and report any suspicious or erroneous financial transaction as soon as possible. Lastly, on the tech side, organizations and consumers who use the Apple Payment System need to ensure their banks perform their due diligence when authenticating their users on the system.

According to a recent Wall Street Journal story, some banks were making their customers go the extra mile in verifying their identity. Some of the reported techniques were to send a one-time authorization code to the customer’s email or mobile phone that must be entered into the Apple Pay set-up. A few banks are taking the extra step of asking the customer to authorize their Apple Pay request by logging into their online bank account. Some banks even took the extra step of asking the customer to call a toll-free number, where a customer-service representative verified the person’s identity through a series of personal or behavior-based questions about the customer.
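
The one-time authorization code step described above, written out as an added example (not code from the article, Apple, or any bank). The 5-minute validity window, the three-attempt limit, and every name in it are assumptions; a locked or expired request would fall back to the stronger checks the paragraph mentions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed validity window for the code
MAX_ATTEMPTS = 3        # assumed limit on guesses before lockout


class ProvisioningChallenge:
    """A card waiting to be added to a wallet until a one-time code is confirmed."""

    def __init__(self, card_ref, code, now):
        self.card_ref = card_ref              # hypothetical internal card reference
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(code)        # keep a salted hash, not the code itself
        self.expires_at = now + CODE_TTL_SECONDS
        self.attempts = 0
        self.state = "PENDING"

    def _hash(self, code):
        return hashlib.sha256(self.salt + code.encode()).digest()

    def verify(self, submitted, now=None):
        """Return True only for the single call that activates the card."""
        now = time.time() if now is None else now
        if self.state != "PENDING":           # used, locked or expired: reject replays
            return False
        if now > self.expires_at:
            self.state = "EXPIRED"
            return False
        self.attempts += 1
        # Constant-time comparison avoids leaking how much of the guess matched.
        if hmac.compare_digest(self._hash(submitted), self.digest):
            self.state = "ACTIVATED"
            return True
        if self.attempts >= MAX_ATTEMPTS:
            # A 6-digit code is guessable; the attempt cap is the real control.
            self.state = "LOCKED"             # escalate to call-centre or online-banking check
        return False


def start_challenge(card_ref, now=None):
    """Create a challenge and return it with the code to send to the contact on file."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, zero-padded to 6 digits
    return ProvisioningChallenge(card_ref, code, now), code
```

The code must go only to contact details the bank already held before the provisioning request, never to an address or number supplied during it.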