Where is Apple Pay Vulnerable? John Sarreal, 41st Parameter Weighs In


With the forthcoming launch of Apple Pay on October 20th, everyone’s favorite topic of conversation is some variation on a single question: how is Apple going to change payments as the world knows them today? For all the conversation, however, one element of the discussion is conspicuously missing: transacting online via the browser, which Apple has not yet addressed.

That’s likely to change, says John Sarreal, Senior Director of Product Management at 41st Parameter, a part of Experian. Sarreal sat down with MPD CEO Karen Webster on the same day Apple released the new iPad into the world and officially confirmed Monday’s Apple Pay launch. Sarreal told Webster that he believes Apple’s obvious next step is to tie in with at least one browser, likely Safari, as it moves to bring its payments platform online.

Apple Pay brings a lot of potential to the market, he says, but it also brings unique challenges, particularly where security is concerned. First, he noted that although Apple’s POS security solution will likely hold off “Target-style” cyber-attacks that leave customer data exposed, it will also likely drive more thieves online, where fraud detection is less robust. Second, he noted that Apple will need a strong verification system so that a criminal can’t get access to cardholder data by hacking iTunes.

Check out the full text of Webster’s conversation with Sarreal below.

KW: What’s your perspective on Apple Pay and the environment for transacting online via the browser? It’s a channel that Apple Pay really hasn’t addressed yet – we have Apple Pay in-store, Apple Pay in-app but not Apple Pay via the web browser.

JS: We see two effects of Apple Pay on online transactions and online fraud. Apple Pay is a new payment method that, we believe, because of Apple’s dominance, will drive some adoption of mobile wallets and cause some customers to leave their cards at home. And, just like the upcoming EMV shift, what that essentially does is make point-of-sale card fraud harder for fraudsters to do. So, what that will do is move more fraud online, into the card-not-present channel. As for Apple Pay in card-not-present transactions, it is not necessarily the first digital wallet to come on the market; it is, however, probably going to be the most widely adopted.

Because it is riding the existing rails, we already have mechanisms in our current tools, and our customers already have mechanisms, for handling digital-wallet-type payments. But, again, what will be important from an online fraud detection perspective is differentiating Apple Pay transactions from other normal card-not-present payment schemes and keeping an eye toward specific risk factors if they do eventually come to bear.

KW: You made a couple of points. Apple Pay brings a lot of visibility to transacting with the mobile wallet, obviously because of the power of their brand. I also agree, as we move to EMV, there is the pattern that fraud moves online – and we have more and more connected devices that allow us to get online. But Apple Pay hasn’t focused on a browser-based payments experience yet, so what is your feeling with respect to keeping those kinds of transactions safe and secure?

JS: So, what we’ve seen is that we’ve worked with our customers on integrating Apple Pay into their downloadable apps, so it definitely will have a role to play in future online or mobile commerce. But you’re right, in terms of using Apple Pay to conduct a browser-based transaction, today there really isn’t a great mechanism. We perceive that Apple will be creating extensions, specifically to the iPhone’s browser, to allow some integration between mobile Safari and mobile web browsing on iPhones and iPads to take advantage of Apple Pay; however, in general, mobile commerce via the browser will not necessarily be able to take advantage of Apple Pay yet.

The big Achilles’ heel of Apple Pay, in our eyes, is the account origination and account takeover aspects of the account. The payment method is only going to be as secure as the authentication mechanisms there are for both originating accounts and registering cards to an account, as well as the protection around granting access to a particular account.

KW: Interesting, so where do you think it could go wrong?

JS: I think Apple Pay is providing a lot of great innovations along that payment stream, and the way that they’re tokenizing the data basically removes the vulnerabilities that you have been hearing about in the news, like the Target breach and the Home Depot breach. Those kinds of attacks aren’t going to affect an Apple Pay transaction because the hackers or the fraudsters would be obtaining tokenized data, which they couldn’t use anywhere else, unlike the card data they were able to exploit.

For us, what I think the vulnerability will be is how they are authenticating the onboarding of new cards, how they are ensuring that when I take a photo of a credit card that I want to add to my Apple Pay wallet, it legitimately belongs to me, in addition to securing the association of an iTunes account, for example, with my Apple Pay wallet. What’s to prevent a fraudster from hacking into my iTunes account, associating it with their own iPhone, and then going around and using that to pay for things or conducting transactions online through mobile apps?

KW: And here I was worried that someone was going to want to chop off my finger so that they could use it to enable my TouchID <joke>, but it sounds like consumers need to be worried about someone actually stealing their cards and provisioning their phone with those cards, is that what you’re saying?

JS: Or hacking into your iTunes account and then associating it with their own device.

KW: Apple is one ecosystem but there are others. There are a lot of players now really trying to generate some momentum around getting critical mass in the Android ecosystem with respect to mobile wallets. Is the process for securing credentials and transactions different?

JS: I think the problem is universal, and the awareness that we want to raise in the consumer environment as well as the merchant environment is that you have to look for where the vulnerabilities are going to be. Right now we do see the originations process and onboarding process to be the one place that everyone isn’t necessarily suspecting the fraud will move to.

KW: So what’s the answer?

JS: I guess the key to this is really having a multilayered security strategy. Definitely continue to monitor card-not-present transactions: look for signs everywhere within a transaction, look at the billing and shipping addresses, look at the other factors within the transaction, and add something like device intelligence, which is a more covert way of detecting anomalies or discrepancies in a transaction. Those are great ways to protect the card-not-present transaction base, but then also keep an eye toward the account origination process and account takeover vulnerabilities, so definitely leverage things such as customer profiles as part of a CNP risk assessment. That helps to correlate, even though a consumer might be coming with a known account or an email address they have perhaps used before, anything that may be different from past behaviors. So it’s really about layering the controls that merchants have in place and then taking advantage of all the different data that are present in a card-not-present transaction.

KW: Device intelligence is an area I know is becoming more and more important, but one of the things that is really intriguing about this tokenization process that underpins Apple Pay is that it really takes that personal account number and assigns encrypted tokens to multiple devices. So the idea is that it’s easy for a consumer to have a tablet, a smartphone, a smart watch, a smart refrigerator, a smart whatever, and that token follows that personal account number and the token follows that device path. How do you develop device intelligence in a world where we’re always adding new devices to the portfolio of what consumers own?

JS: The answer really lies in not having a single bullet. Our solution, for example, doesn’t rely on a single device ID to assess whether or not this is a good transaction. We absolutely recognize that in today’s world, any single consumer is likely to have various devices, and so the key is that the solutions in the market will acknowledge that: the fact that there are devices associated with a particular consumer, and smart device profiles that will allow the risk engine to assess, “this may be a new device, but is it consistent with the other devices that I’m seeing in this user’s history?” That’s kinda the way you have to treat device intelligence in today’s world.

KW: The topic of fraud has always been something that merchants and issuers have worried about, but it’s become a very complex world, and the solutions, obviously, have to take that complexity into consideration. It almost seems mind-numbing to really try to figure out what to do. You do require a multilayer strategy, but the layers seem to be getting deeper and deeper as we have more and more things that connect to more and more things.

JS: Our advice to customers is, divide and conquer. Our merchants know their business inside and out. They can spot patterns, have already developed them, and know what sort of patterns to look for within the merchant-specific data. The device intelligence or the device research, leave that to your vendors, leave that to an outsourced provider of device intelligence. Rely on them to do all of that legwork for you. The mobile ecosystem these days is very fragmented, highly complex, and changing with a sort of unprecedented degree of frequency. So that’s the core competency of certain companies out there in the market. That’s what they build their core capabilities around. Stand on the shoulders of their research, let them figure out all those device-specific nuances, and build on top of that, layering in your own merchant-specific strategies to really get the best fraud detection rates.

Listen to the full podcast here