Here's how Apple Pay can be used to rip you off
It’s 9.42pm in Selfridges Department Store, London and a financial crime is taking place. We could easily be in Ballantynes, Christchurch or Smith & Caughey’s, Auckland. With only 18 minutes until closing, a criminal begins a furious shopping spree.
The button on an iPhone is clicked twice and a Visa card pops up. This is Apple Pay. A stolen card number has been loaded.
The device hovers over the payment terminal and $11,000 is spent. Ping, approved. Apple Pay is not capped the way a contactless PayWave tap on a physical card is: because the phone has already verified its owner's face, fingerprint or passcode, the terminal treats the purchase as cardholder-verified and the only limit is the amount of money in the account. The criminal’s own face, fingerprint or passcode on their iPhone authenticates the transaction.
Two minutes later using a different currency, $3100 is gone, and it only takes five more minutes to spend $1900. The fourth transaction is rejected. Fun over, the bank account has been drained.
The whole operation took seven minutes to pay for $16,000 of luxury goods with smiles, chatting and all the customer service you’d expect at a top-notch department store. That level of slickness makes you wonder if the stolen card was loaded on three different phones and used by a gang of criminal shoppers.
It didn’t raise the suspicion of the bank concerned – UK newcomer, Revolut. It has a homepage in New Zealand where Kiwis can add themselves to a waiting list for the Revolut Visa or Mastercard in multiple currencies. It is obviously hoping to enter our market.
The plot thickens
What is perverse about this case is that the cardholder has never used Apple Pay in their life. You read that correctly and it's ominous. It’s never been loaded on their own phone or verified.
A few days before the shopping spree, the cardholder received several text messages purporting to be from their bank. These contained a code to have Apple Pay verified on their iPhone. The message read “Don’t enter it anywhere unless you want to add your card to a new device. Don’t share this code with anyone, even if they claim to be from Revolut”.
So what did the customer do? They had never used Apple Pay and didn’t want it. There was no link or phone number in the message and they didn’t enter or verbally give out the code. They simply ignored the texts.
Somehow, somewhere, someone had added the card to Apple Pay using the stolen card data and got hold of the verification code sent to the cardholder’s phone.
The bank’s own fraud systems failed
The customer purchased a bus ticket using their physical card in a Scandinavian country on the same day as the London shopping spree. A card present in one country while its Apple Pay token spends $16,000 in another should be a textbook location mismatch, yet it escaped the bank’s fraud algorithm. Revolut dismissed the customer’s proof of flights and whereabouts and refused to repay the money. It opens a can of worms about how well the fraud systems of all banks monitor Apple Pay.
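The check the bank’s system should have fired is not exotic. Below is an added illustration, written for this column and not Revolut’s or any bank’s real code, of two rules a card issuer can run over a day’s transactions: an "impossible travel" test (could one person have been at both tills?) and a first-ever-wallet-use test (a card that has never paid through a phone suddenly spends big through one). The transactions, times, amounts and coordinates are constructed to mirror the shape of this case and are not the real records; the 900 km/h speed ceiling and the $1,000 threshold are assumptions a real system would tune.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Assumption: nothing faster than an airliner moves a cardholder between two
# card-present purchases. Real rules also allow for airport and transit time.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


@dataclass(frozen=True)
class Txn:
    when: datetime      # UTC
    amount: float       # in `currency`, not converted
    currency: str
    city: str
    lat: float
    lon: float
    channel: str        # "card" = physical card tapped; "wallet" = Apple Pay token


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def required_speed_kmh(a, b):
    """Speed one person would need to be present at both purchases."""
    first, second = sorted((a, b), key=lambda t: t.when)
    hours = (second.when - first.when).total_seconds() / 3600.0
    dist = haversine_km(first.lat, first.lon, second.lat, second.lon)
    if hours == 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def impossible_travel_pairs(txns):
    """Index pairs (earlier, later) that cannot both have been made by the cardholder."""
    order = sorted(range(len(txns)), key=lambda i: txns[i].when)
    flagged = []
    for pos, i in enumerate(order):
        for j in order[pos + 1:]:
            if required_speed_kmh(txns[i], txns[j]) > MAX_PLAUSIBLE_SPEED_KMH:
                flagged.append((i, j))
    return flagged


def first_wallet_use(txns, min_amount=1000.0):
    """Index of the first wallet-channel purchase if it is also a large one,
    i.e. a card with no phone-payment history suddenly spends big through a
    phone. Returns None when the first wallet purchase is small or absent."""
    for i in sorted(range(len(txns)), key=lambda i: txns[i].when):
        if txns[i].channel == "wallet":
            return i if txns[i].amount >= min_amount else None
    return None


# Constructed sample (not the real Revolut records): one physical-card bus
# ticket in Stockholm, then three Apple Pay purchases in London within the hour.
SAMPLE = [
    Txn(datetime(2022, 9, 14, 20, 5), 40.0, "SEK", "Stockholm", 59.33, 18.07, "card"),
    Txn(datetime(2022, 9, 14, 20, 42), 11000.0, "GBP", "London", 51.51, -0.13, "wallet"),
    Txn(datetime(2022, 9, 14, 20, 44), 3100.0, "EUR", "London", 51.51, -0.13, "wallet"),
    Txn(datetime(2022, 9, 14, 20, 49), 1900.0, "GBP", "London", 51.51, -0.13, "wallet"),
]

if __name__ == "__main__":
    for i, j in impossible_travel_pairs(SAMPLE):
        a, b = SAMPLE[i], SAMPLE[j]
        print(f"{a.city} {a.when:%H:%M} ({a.channel}) -> {b.city} {b.when:%H:%M} "
              f"({b.channel}): needs {required_speed_kmh(a, b):.0f} km/h")
    print("first large wallet purchase at index:", first_wallet_use(SAMPLE))
```

The travel rule only fires when the time gap is short: a bus ticket at breakfast and a London spree at closing time is a perfectly possible flight, which is why a second signal such as a card's very first phone payment being a four-figure one matters on its own, regardless of geography.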
Are you imagining a couple of old duffers on holiday, getting confused about technology and not recalling they were tricked into giving out a code?
The money in the Revolut account belonged to two ex-British Army Officers; a Colonel and a Major. They work for Nato and have top-level security clearance (for that reason they need to stay anonymous). They would recall sharing a bank code and offered Revolut the opportunity to put the iPhone through an independent security check. This was declined and Revolut stated two-factor authentication proves they are responsible for the spending.
How can a fraudster gain a security code?
Very few options remain for surreptitiously obtaining a code sent only to a cardholder’s device. One is a zero-click exploit: merely receiving a specially crafted message is enough to compromise the phone, with no link clicked and no code read out to anyone. Apple has issued software updates to close such holes before (the 2021 iMessage flaw used by the FORCEDENTRY spyware attack is the best-known), so the idea is not new, although these exploits are expensive and have mostly been seen in targeted attacks on particular individuals rather than in everyday card fraud. Other routes to an SMS code never touch the phone at all: a SIM swap at the mobile carrier, or interception inside the mobile network, delivers the message to someone else.
What is shocking is that banks are still claiming two-factor authentication is impenetrable and making customers liable for any fraud.
Fraud protection from Visa was worthless
In normal circumstances card fraud is covered by Visa and Mastercard’s well-publicised Zero Liability Protection and chargebacks occur within days. This is the glue that holds the payment system together and seals our trust.
In an outcome which will put the financial heebie-jeebies into consumers, it appears Visa and Mastercard are running a mile from Apple Pay fraud, despite their brand being on the card.
The Selfridges transactions don’t qualify for Visa’s fraud protection because two-factor authentication was used, which the bank treats as proof of the cardholder’s guilt. The banks and Visa pretend this is a slam-dunk, but the argument is weak. iPhones have previously been compromised by zero-click exploits and, more to the point, the second factor at the till proves nothing about the cardholder. Once a fraudster loads a stolen card on their own phone, each purchase is approved by their own face or fingerprint, not the real cardholder’s. The only moment the real cardholder was ever checked was the one-time code sent when the card was added to the phone, and they never entered it.
In the UK, a code is more commonly obtained by phishing (tricking you into giving out the information).
Banks try to claim customers are grossly negligent when they fall for phishing, but in 2021 the UK’s Financial Ombudsman Service announced that 75% of such cases had been overturned. The customer might have been careless, but not grossly negligent. Banks were ordered to repay the money.
By rights, the case of our Nato contractors should take the same course. Negligence will be difficult to prove and it’s beyond comprehension why Revolut would try, given the evidence their customer has provided and offered.
The experience overseas is that Visa, Mastercard, banks and Apple Pay do not support consumers in sophisticated fraud situations. That Visa and Mastercard’s fraud protection can be lost this way is not widely known.
Even in the UK where regulation is higher, banks are not taking heed of multiple precedents set by the Ombudsman. That’s called running the customer down in a highly stressful situation.
We’ve had several payment frauds in New Zealand which have only been solved by media intervention. If these take hold in volume, our own ombudsman is unlikely to keep up. Regulators need to look carefully at the UK mess and think about setting expected protocols now. It’s inexcusable that customers can do very little to protect themselves and are forced to carry the liability.
Janine Starks is a financial commentator and author of www.moneytips.nz with expertise in banking, personal finance and funds management.