I am a cynical, grizzled veteran of the technology wars. I implemented my first payment system in 1995, and just a few weeks ago was programming in PHP to handle refunds through the online payment processor Stripe's excellent interface.
But when I saw the variants on the headline, "Fraud Comes to Apple Pay," I figured what was stated wasn't true. Apple retains so very little information about credit cards registered to a phone, and tucks it away so securely, that this scenario seemed exceedingly unlikely.
And that's turned out to be the case--including in the fuller explanations in the bodies of the articles that led with that headline. In truth, the problem has little to do with Apple, and you have additional tools by which you can protect yourself should you experience what I describe below.
A blog written by a consultant in the financial industry, Cherian Abraham, noted two weeks ago that Apple Pay was facing a high level of fraud, based on his ongoing conversations with clients and others in his field. Fraud rates as high as 6 percent have been seen. It's impossible to verify or contradict his claims, but his track record is excellent, so let's take them as accurate.
The fraud, however, isn't in Apple Pay: it's in the verification process by which banks allow a card added to an iPhone to be enrolled in Apple Pay. That process is entirely controlled by the banks. Along with your credit card number, expiration date, and other details, Apple sends several signals to banks that are used to determine whether a valid user of the card is trying to enroll it.
As noted in Apple's iOS Security Guide:
Additionally, as part of the Link and Provision process, Apple shares information from the device with the issuing bank or network, like the last four digits of the phone number, the device name, and the latitude and longitude of the device at the time of provisioning, rounded to whole numbers.
Apple declined to offer more insight, such as whether scanning a card with the camera (the image is analyzed on the phone to fill in the card number and expiration date) is reported to the bank as a signal as well, or whether any unique attributes of the phone, like its cellular IMEI number, are sent. As for latitude and longitude, while it's possible to fake out a GPS receiver, the kind of criminal involved in this fraud is unlikely to have the equipment or the interest for that kind of fiddly work; they engage in bulk fraud.
An Apple spokesperson provided a statement about its stance: