This week the Geek writes about digital financial services like Apple Pay. Are any of them safer than traditional banking services?
Q: One of my co-workers had their car broken into. The Sheriff's Office was called and when a deputy arrived he warned them against using Apple Pay because his office has received a lot of complaints from people who have had their accounts hacked and money stolen. I was really surprised by that because Apple usually has really good security. Is Apple Pay safe or do you recommend people stay away from it? Thanks for your help.
— Dusty R., Fort Walton Beach
Editor’s note: This question was submitted by weeklies editor Dusty Ricketts
A: Far be it from me to contradict the advice of a member of the law enforcement community. However, I think it is a gross oversimplification to categorically state that Apple Pay is “unsafe.” Further, I think it is rather unfair to single out that one service for such warnings.
That is not to say that Apple Pay is fully secure. It is not. There are documented instances amounting to millions of dollars that have been lost to hackers who have figured out how to exploit Apple Pay-related loopholes. Note the way I said that. The loopholes I mentioned are related to Apple Pay, but usually the actual fault lies with banks whose cards that end-users link to their Apple Pay accounts rather than with the Apple Pay service itself.
It is the credit card companies, not Apple, who are ultimately responsible for detecting fraud against their cards. Only the actual credit issuer knows the details of all the card transactions, and thus has the ability to detect and identify patterns of suspicious behavior.
What a service like Apple Pay does do is remove the necessity to produce a plastic charge plate in order to make a purchase. That allows fraudsters to steal or purchase card information and program it into Apple Pay. Such data is available in vast quantities in the dark underbelly of the internet for as little as $2 per account number.
Again, it is not incumbent on Apple to validate this card information. That is the purview of the credit issuer, and industry analysts have said that the level of verification that issuers have implemented are woefully inadequate. Some few are calling customers to ask for identifying information before their cards can be linked to Apple Pay. Others were sending single-use codes via text message to be entered on upload. Far more were not doing any additional checks at all.
If you think dumping Apple Pay is going to make you safe, you’d better be prepared to dump all your credit cards, online banking, electronic bill paying, and more. The sad truth is that any activity that is involved with handling of money is vulnerable to a determined-enough hacker. It doesn’t even matter how big or small the target might be either.
The credit card reader at your corner gas station can be rigged to collect the information of any card used to purchase fuel. National chain stores such as Target and Home Depot have had their systems breached and personal information including account numbers stolen.
Remember so-called cashier’s checks, that are supposed to be guaranteed funds? Not anymore. Last time I needed to do a transaction that required guaranteed funds, the payee informed me that they no longer accept cashier’s checks due to — you guessed it — fraud.
Even the credit bureaus are not safe. Not too long ago, it was revealed that Equifax — one of the big-3 credit reporting companies — was breached, and the personal information of some 145.5 million consumers was taken. One would think that the typical consumer would have a reasonable expectation that an agency that handles data of that level of personal sensitivity, with the potential to cause catastrophic financial harm in the wrong hands, would be virtually impregnable.
And it was — until it wasn’t. An unpickable lock is only unpickable until someone figures out how to pick it. With that in mind, every (that is every) financial service is to some degree vulnerable. For this Geek’s money (pun intended) Apple Pay is no less safe than any other service you might use.
To view additional content, comment on articles, or submit a question of your own, visit my website at ItsGeekToMe.co (not .com!)