Among other things, Apple's Second Coming of the Mobile Payment Solution, currently trialling in the US but potentially landing on our shores in March, was meant to fix our broke-ass credit-card security system. Only, according to (unconfirmed) reports, it's doing exactly the opposite.
The blog of Drop Labs, a mobile commerce advisory firm, has a good (if technical) post on how Apple Pay security does -- and doesn't -- work. In essence, the hardcore tech stuff for Apple Pay works just fine: no one is breaking TouchID, stealing iPhones to pay for stuff, or hacking the NFC transmission protocol. Rather, the flaw lies in credit cards themselves.
According to Drop Labs, people are buying credit-card numbers online, then loading those same numbers into Apple Pay, in essence making themselves a handy fake credit card, without going to the trouble of making a physical fake. And it's not a small problem: Drop Labs claims that for some issuers, fraud levels are as high as 6% (meaning $6 of every $100 is being spent fraudulently in the US). That's bad even when compared to regular credit cards, whose fraud rate averages out at under 1%.
This is possible because of two flaws with the system. Most problematically, it's easy for hackers to steal credit-card numbers from shops and then sell those numbers online. That's a fundamental problem with the credit-card system (and especially the stupid dumb magnetic stripes they all use) and something that Apple Pay is just an unwitting victim of.
The second issue, however, is specific to Apple Pay. In short, banks aren't taking the proper measures to ensure that the credit-card owner is the one using the credit card in Apple Pay. According to Drop Labs, most banks use a phone call to authenticate when a card is loaded into Apple Pay, a method that's woefully inadequate.
While there's obviously not a lot that can be done about stolen credit-card numbers (bar burning the whole broke-ass system to the ground, but that's a different conversation), banks *should* be able to fix their authentication system to make Apple Pay less fraud-ridden in the short run.
But what this data really tells us is that while credit cards and their stupid unencrypted magnetic stripes continue to exist, no system -- not even one that uses fingerprints and special super-secure chips -- can prevent nefarious hackers running up Supermarket Sweep-style consumer binges with your credit card. Worth pondering before Apple Pay takes the UK, at least. [Drop Labs]