Start Paying

People my age who are reluctant to dive into new technologies and new products are frequently accused of getting more conservative and/or cautious with age, but the truth is that I wasn’t a particularly early adopter of new products or technologies when I was young. Today, after witnessing any number of new ideas that looked wonderful right out of the box but took years to fully mature, it has become second nature to me to wait and see what happens to a product before I consider buying one. The first few generations of mp3 player had issues, for example; it wasn’t until three or four years later that an iPod version appeared that was actually reliable, and the same could be said for most types of smart phone, tablet, or even laptop computer. So when Apple Pay came out, offering to provide you with a revolutionary new way to buy things (“Store all of your credit cards in your phone!”) I was immediately skeptical of the idea. Now it appears that Bank of America, Citigroup, Capital One, American Express, Chase, and several of the other “Launch Partners” who got in on the ground floor with Apple’s new service are wishing they’d been a little more skeptical, too…

You can find the New York Times article here, if you want to, but it appears that thieves have been stealing credit card numbers and using Apple Pay to charge things on the linked accounts at an amazing new rate – estimates go as high as 6% of all Apple Pay transactions, compared to 0.1% for traditional credit cards. Or, to look at it another way, $6 out of every $100 on Apple Pay versus ten cents per $100 on traditional credit accounts; more than sixty times the “usual” rate for identity theft. One might reasonably expect all of the affected banks to be screaming bloody murder at Apple, or at least demanding that the company do something about the situation. But the really interesting thing about this case is that not only are the various financial institutions bending over backwards to avoid angering Apple, but it might not be Apple’s fault this fiasco is occurring…

As near as I can tell, all of the financial institutions in this story were so worried about being left out in the cold under Apple Pay that they failed to require anything more than basic credit card information (the kind that identity thieves steal every day in job lots) before allowing a user to upload credit card information onto their phone. Even the sort of security questions, billing address and telephone information, or passwords normally used for online transactions would have made a difference, but none of those measures were used. Even worse, when the issues with Apple Pay began to emerge, several of the banks detailed general customer service call centers – rather than actual fraud prevention teams – to deal with the situation. As a result, there have been numerous reports of thieves actually calling in themselves to tell the banks not to flag an account that is being used in another state or country (the old “we’re on vacation this week” scam repurposed for a new generation)…

Now, I don’t mean to suggest that the original oversight wasn’t completely understandable; new technologies and methods for separating consumers from their money that actually work don’t come along every day, and if Apple Pay ends up being as pervasive as some of their other products and services then any financial institution would have to be crazy not to try to get in on the ground floor. What is less excusable is failing to implement industry standard security measures at the same time, or at least devote appropriate anti-theft and anti-fraud support, although both would have been better. It seems highly unlikely that Apple would have objected to greater security, given that they also have a vested interest in getting as many people to use Apple Pay as possible. And, in fact, now that this story has gotten out and people are having second thoughts about the whole concept, Apple has started working with the banks to provide more account information and security measures…

Maybe once the technology companies and financial institutions get all of the bugs worked out, I’ll look into Version 3.1 or 4.3 of Apple Pay, or however many iterations it takes before the risks involved are no higher than any other form of credit card account. In the meanwhile, I may still be coming off as a grumpy and conservative old man, but at least I’m not having to call my credit card provider and demand to know why I am being billed for $12,000 worth of kumquats purchased in a country into which I have never set foot…