The Risks of Apple Pay for Banks and Credit Unions

In the race to remain competitive more than 1,600 banks and credit unions have signed on to Apple Pay, probably hoping that some of Apple’s cool will rub off on them.

But how high is the price of that affiliation? I’m not talking about Apple’s cost per transaction fees. I’m talking about the potential risks to your client data.

In the event of fraud, your institution should not look to Apple. If there is another party involved in initiating the transaction, you may have recourse, but Apple is not taking responsibility.

This may seem ridiculous. Apple owns the operating environment and controls the app store. But it doesn’t own the responsibility.

People will try to tell you this isn’t a big deal. Apple’s security is amazing, they say. Apples uses cutting edge technology, including near field communications (NFC) and EMV tokenization standards. Neither Apple, the device nor retailers store actual credit card data so there is nothing for hackers to steal. The device must be used with the finger-print reader or the phone’s passcode for NFC to work.

But never say never. Hackers always find a way, and some already have by making individual phones targets.

The Apple Pay Risk We Know

The scam is simple. Fraudsters enter stolen credit cards into Apple Pay accounts and start shopping, according to the LA Times. Apple doesn’t require issuers to do much to verify the authenticity of accounts, and this security matter is left to the issuer and those standards vary greatly from institution to institution. Even those that require a phone call often ask questions that can be answered with a Google search (a process called social engineering), according to an article by Forbes, “Here’s Proof Apple Pay Is Useful for Stealing People’s Money.” Some sight fraud as high as 6%, according to Bank Info Security.

The Forbes article goes on to cite a source that this process is easier on Apple Pay than on Google and Samsung’s platforms because Apple doesn’t use “rate limiting” to limit the number times a person (or computer) can guess the three-digit CVV code. But that’s not really Apple’s problem, is it? They bear no financial responsibility for the fraud.

The Apple Pay Risks We Don’t Know

That’s just the threat we know about. There are other potential issues as the CNBC article “How hackers could still get around Apple Pay security” points out. It suggests other threats including:

  • Third-party apps. Most people think of Apple Pay as a point-of-sale (POS) tool where consumers use their iPhones and Apple Watches for NFC transactions. Yet Apple Pay can also be used within apps for card-not-present transactions. Retailers can design apps to accept Apple Pay—and you have no control over how secure these mobile payment apps are. There could be security flaws hackers could exploit—and Apple’s not responsible for them.
  • Touch ID. Apple’s fingerprint reader, Touch ID is, an extra security feature for Apple Pay on iPhone 6 and later models. Yet it’s been hacked in experiments.

 

And who knows what else hackers will think of? It’s not entirely an exercise in speculation. Just think of the iCloud scandal back in 2014 when celebrities’ phones were hacked and personal photos and other information was stolen. There could be an unknown flaw in the NFC system. And then there are the consumers who “jailbreak” their phones, changing the iOS, Apple’s operating system. Who knows what kind of vulnerabilities they introduce?

Weighing the Mobile Risks

That’s why it’s essential to weigh the risks when you think about signing up for Apple Pay or any other emerging mobile service. Ask if this is something your customers are really going to want or if you’re just going along with the crowd. If you have just seven customers using the product, is it worth the risk?

Apple Pay, like all mobile and cloud technologies, carry risks. Risk can be okay but only if:

  • You know what those risks are; and
  • You know how to mitigate them.

Talking about Apple Pay Risk

Not every financial institution has this discussion, but the ones that do are the ones with a vendor management process. It makes sense. A robust management program is built around risk management, which means finding the right balance between risk and reward.

These FIs have policies and procedures in place for assessing vendor risk across as many categories of risk (including operational, transaction, compliance, credit, strategic, reputation, cyber, cloud, concentration and country risk). This gives institution’s the structure and concentrated knowledge to make educated decisions about the risks they are willing to take on and the opportunities available to mitigate those risks.

Without these kinds of conversations, your Apple-loving technology team might enthusiastically sign off on Apple Pay without considering transaction risk. When they find out they are dealing with a platform they don’t own and can’t control, they might have second thoughts.

The struggle for market share is real, but that doesn’t mean you should jump into mobile payment technology or any other emerging technology just because everyone else is doing it.

Every institution is different. Before you follow the pack, make sure you have a vendor management program to examine your mobile strategy choices from every angle and avoid unforeseen consequences.

Don’t take a bite out of the apple until you consider the potential risk.