
It’s time someone solved the US credit card fraud problem. Will it be Apple?


Three hours.

That’s how long it takes me to drive home from our New York City offices. I made that very trip yesterday, leaving just before the Friday afternoon rush hour on a weekend already challenged by Super Bowl traffic in the area.

Three hours.

That’s also how long it took for my credit card data to be stolen and used in four unique transactions in Quebec, Canada while I was driving home to Pennsylvania. The normally quiet drive was interrupted by several emails and calls from American Express to warn me of fraudulent activity for four transactions ranging from $18 to $45.

The art and hassle of the scam

This particular credit card is one I don’t even use often. It’s an AMEX Business account that I opened years ago when I was an independent blogger. I only use it now for my Gigaom activities, simply because it’s easier to separate work expenses from personal ones. Yet, for the second time in as many business trips to New York City, the card information was stolen and purchases were made. The last time, just a few months ago, created nearly $1,500 worth of fraudulent transactions.


Thanks to diligence on the part of AMEX, I don’t have to pay for any of these transactions. The company didn’t even approve the charges from yesterday. But I had to spend time on the phone reviewing all the transactions with the credit card company and of course, my current card is now invalid. Another card with new numbers is on the way.

What a waste of time, effort and money for all involved.

For an innovative country, we’re behind the times

So why haven’t we figured this out yet? We have a number of mobile payment initiatives and products available to us in the U.S., but we’re still dealing with an outdated magnetic stripe system whose static track data is trivial to skim and clone. That’s partly why this country accounts for a disproportionately high share of credit card fraud: although we process only 24 percent of global payment volume, we account for 47 percent of global fraud, according to BusinessWeek.


Market politics is one big challenge. For example, I had high hopes for Google Wallet and NFC payments a few years ago but they were soon dashed.

In 2011, I first bought a tank of gas by tapping my phone to a payment terminal, knowing that there was no easy way for anyone to see or get my credit card account data. Contactless payments have been held up, however, as companies jockey for position to “own” this market. The oft-delayed Isis mobile payment project backed by Verizon, AT&T, and T-Mobile is a perfect example of this: It offers no additional benefit over the older Google Wallet initiative, but it has basically blocked Wallet from taking off.

How? Isis partners typically don’t allow Google Wallet on their handsets.


The expense of contactless payment terminals is also an obstacle, but I suspect the cost of such upgrades would be less than the amount of annual credit card fraud. And many retailers already have capable terminals that could be used: There are more than 300,000 retail locations in the U.S. that use MasterCard PayPass; I’ve used them for Google Wallet contactless payments. Last week, Incipio debuted an NFC-capable case for iPhones so they can use Isis for mobile payments at similar terminals.

Coin is a new twist on the old model. Instead of carrying individual credit cards, you carry one card with a magnetic stripe. Using a mobile app, the stripe can be instantly reprogrammed with any of your card account numbers, making it a universal credit card. I thought about spending $50 on Coin, but the truth is that while Coin is more convenient, it doesn’t solve any fraud problems. The card can still be “skimmed” for its data through the stripe, and because stripe data is static, whatever is skimmed works at any stripe terminal until the account is closed.

The market is ready for disruption and that’s where Apple thrives

I do have some hope though: Apple is reportedly looking at expanding into mobile payments in a way that would do away with the magnetic stripe. The company already has hundreds of millions of credit card accounts on file through iTunes, and with the new iPhone 5s it has a strong user identification mechanism in the Touch ID fingerprint sensor.

In fact, Apple CEO Tim Cook noted this on the company’s recent investor call, saying “The mobile payments area in general is one we’ve been intrigued with. It was one of the thoughts behind Touch ID.”


Personally, I prefer solutions that are device and platform agnostic, so I won’t suggest that Apple alone will save the mobile payment industry from fraud. The idea of personal authentication in place of a physical magnetic stripe, however, is the best overall solution I’ve heard of yet. Google Wallet comes close: it requires an NFC-enabled phone to be present and adds a PIN for transactions. Fingerprint data kept in secure, device-local storage (Apple says Touch ID data lives in the A7’s Secure Enclave and never leaves the phone) is better still. The caveat either way is that the authentication only removes the fraud the stripe invites if the transaction also stops handing the merchant a static, replayable card number.
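As an added example (not code from the original post, and not any card scheme’s own implementation), the following Python contrasts the two models argued about above: a magnetic stripe, whose track 2 record is a static credential that a skimmer can copy and replay verbatim, and a chip or NFC transaction that authenticates with a per-transaction cryptogram. The track 2 layout follows ISO/IEC 7813; the cryptogram is a simplified model of an EMV-style ARQC (a MAC over the amount, the card’s transaction counter and a terminal nonce), not the EMV specification’s actual key derivation or MAC algorithm, and every sample value, including the test PAN 4111111111111111 and the terminal nonces, is constructed.

```python
"""Skimmed stripe data is a complete credential; a chip cryptogram is not.

Added illustration, not code from the article or any card scheme. Track 2 follows
ISO/IEC 7813. The cryptogram is a simplified model of an EMV-style ARQC (MAC over
amount, card transaction counter and terminal nonce), NOT the real EMV algorithm.
All values are constructed; 4111111111111111 is a well-known test PAN.
"""
import hashlib
import hmac
import secrets

# Constructed sample: a track-2 record exactly as a reader or a skimmer sees it.
SAMPLE_TRACK2 = ";4111111111111111=25121011234567890123?"

def luhn_ok(pan: str) -> bool:
    """Luhn check digit; lets a crook validate skimmed PANs offline before use."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def parse_track2(raw: str) -> dict:
    """Split a track-2 record into fields; every one of them is static and replayable."""
    pan, rest = raw.strip(";?").split("=", 1)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_ok(pan)):
        raise ValueError("malformed PAN")
    return {
        "pan": pan,
        "expiry_yymm": rest[:4],
        "service_code": rest[4:7],  # first digit 2 or 6 says a chip is present
        "discretionary": rest[7:],  # CVV1/PVV live here and are just as static
    }

def stripe_authorize(track2: str) -> dict:
    """Stripe acceptance: the card proves nothing beyond 'here is the data'."""
    return {"pan": parse_track2(track2)["pan"], "approved": True}

def _ac_input(pan: str, amount_cents: int, atc: int, un: bytes) -> bytes:
    return b"|".join([pan.encode(), str(amount_cents).encode(), atc.to_bytes(2, "big"), un])

def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class ChipCard:
    """Simplified chip: a per-card key that never leaves the card, plus a counter (ATC)."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self._key, self.atc = pan, key, 0

    def generate_ac(self, amount_cents: int, un: bytes) -> dict:
        self.atc += 1
        mac = _mac(self._key, _ac_input(self.pan, amount_cents, self.atc, un))
        return {"pan": self.pan, "amount": amount_cents, "atc": self.atc, "un": un, "cryptogram": mac}

class Issuer:
    """Issuer host: holds each card's key and the highest ATC it has accepted."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def enroll(self, pan: str) -> bytes:
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(16), 0
        return self._keys[pan]

    def verify(self, msg: dict, terminal_un: bytes) -> bool:
        key = self._keys.get(msg["pan"])
        if key is None or msg["un"] != terminal_un:  # nonce must be the one this terminal issued
            return False
        if msg["atc"] <= self._last_atc[msg["pan"]]:  # counter must move forward: kills replay
            return False
        expected = _mac(key, _ac_input(msg["pan"], msg["amount"], msg["atc"], msg["un"]))
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return False
        self._last_atc[msg["pan"]] = msg["atc"]
        return True

def demo() -> dict:
    """Run the stripe and chip scenarios side by side; returns what each attempt got."""
    # Stripe: the skimmer's copy IS the credential, so a replay is indistinguishable.
    genuine_swipe = stripe_authorize(SAMPLE_TRACK2)
    skimmed_swipe = stripe_authorize(SAMPLE_TRACK2)  # same bytes, hours later, another country
    # Chip: capture one whole transaction, then try to reuse it or forge a new one.
    issuer = Issuer()
    pan = parse_track2(SAMPLE_TRACK2)["pan"]
    card = ChipCard(pan, issuer.enroll(pan))
    un_first, un_second = bytes.fromhex("1a2b3c4d"), bytes.fromhex("9e8f7a6b")  # constructed nonces
    captured = card.generate_ac(1800, un_first)
    return {
        "stripe_genuine": genuine_swipe["approved"],
        "stripe_replay": skimmed_swipe["approved"],
        "chip_genuine": issuer.verify(captured, un_first),
        "chip_replay": issuer.verify(captured, un_second),  # captured message re-sent
        "chip_forged": issuer.verify(dict(captured, atc=2, un=un_second, cryptogram=bytes(8)), un_second),
        "chip_fresh": issuer.verify(card.generate_ac(1800, un_second), un_second),
    }

if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name:15} approved={approved}")
```

Running it approves both stripe attempts (the issuer cannot tell the skimmer’s copy from the card) but rejects the replayed and the forged chip messages while approving the genuine and the fresh ones. Three checks do the work: the issuer insists on a strictly increasing counter, the cryptogram is bound to a nonce the accepting terminal chose, and producing a valid cryptogram needs the card key, which a stripe read never yields. A fingerprint or PIN on the phone gates access to that key; it does not replace it.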

If Apple does provide a solution for this issue, I’ll welcome it with open arms. Yes, it means trusting Apple with all of that credit card data, but if you’re an iTunes user, don’t you already do that today? Of course, the recent Target data breach affecting up to 70 million customers may give some pause, but my faith in a tech company is generally greater than my faith in a retailer.

Again, I’d like to see a widespread solution that doesn’t rely on a single company, platform or device line. But I’ll take what Apple has to offer if it eliminates or at least greatly reduces payment fraud.

Then I can enjoy my three-hour drive home in peace.

15 Responses to “It’s time someone solved the US credit card fraud problem. Will it be Apple?”

  1. Too long has the US market whined about “ease of use” and customer experience. Look east – let’s see you use a combination of EMV and two-factor authentication. Then we’ll talk about enough being done to solve the fraud problem.

  2. Apple’s iWatch reads heart rate, blood pressure, dissolved oxygen, and glucose levels, and matches this with your activity level via a three-axis accelerometer. There is only one person with your unique biometric patterns: you, and the iWatch provides absolute verification of that.
    The iWatch only talks to iOS 8 and iBeacon devices. Together, your iWatch in proximity with your iPhone/iPod works with Apple’s i-dentify app to provide absolute verification of your identity with any iBeacon-based retailer. Procurement validation with iTunes will only go through if your iWatch/iPhone can validate that you (and your iWatch) were proximate to the point of presence of that purchase.
    Identity theft becomes impossible. You can just walk into a Starbucks or Apple Store, and walk out with whatever you want. Solves many problems at once (plus tells your doctor how sick you are). Apple may open up a few new market segments on this one.

    Sent from my iPhone

  3. rottenbittenfruit

    It’s claimed that Apple has 600 million or so credit card accounts, but I’ve heard only a small percentage of them are used very often. Although I’ve had an iTunes account for about ten years, I’ve only used it about ten times in that whole time to buy a couple of Macs and iPods and a few smaller things, but that’s about it. On the other hand, I’m always using my Amazon account, about once a week. I feel both accounts are safe, but Amazon has so many products, I’m just always buying all sorts of items from large to small: food, vitamins, candy, electronic equipment, clothing, you name it. I’d think Amazon could have a faster start with mobile payments if they actually put out their own smartphone, because it would be low-priced so more people would easily buy one.

  4. Isis provides a very different solution than Google and in fact provides better security. Google does not do a card-present transaction, and that in itself carries a bigger risk of fraud.

  5. I booked a trip with a known internet company, my card info was stolen, I called the place the card was used, they gave me the name and address of the person and the package, I went to the area and collected my money plus some for my expenses. The internet company concerned balked and said they were not at fault, me showing them it was the only transaction in a year?? Told the bank the address and the name of the person; they did not care, so why are you complaining? I have been to 3rd world countries where no one carries money; all the transactions are through the phone. They deposit money at the corner drugstore and spend it somewhere else. We are far behind.

  6. James Chao

    Biometric authentication has one tragic flaw: once they’re stolen, you can’t change them. For that reason I don’t think that should be the basis of mobile payments.

    • Summary
      Biometric security concepts are based on a biological element (fingerprint, retina scan, face recognition, voice recognition etc.) ideally unique to the specific consumer and non-transferable. There are security and transactional weaknesses as well as a significant infrastructure expense.

      Transactional & Security Weakness
      Know that the end result of a biological scan is generally a digital data stream which is transmitted to storage local on a consumer’s device, a merchant system device, or some larger repository of such information serving as a reference. Transmission and storage may, or may not, be encrypted.

      Scanner – If the biological scanner is at the merchant facility then only card-present transactions may be processed. If the biological scanner is part of the consumer’s equipment (i.e. present in their smart phone) then someone else’s biological information could be prepared for use, and the biological scan would report someone other than the person presenting themselves, defeating the security concept.

      Reference – The biological scan requires a reference for comparison. This means that the consumer’s biological element has to be on record someplace.

      Reference – At Consumer: If the reference is internal to the consumer device then a criminal, given someone’s real biological element, could hack the consumer device to present a faux-sample and compare it to a prepared reference, thus defeating the security concept.

      For example: At the store Joe Criminal scans his own fingerprint using his own smartphone which has been altered so that no matter what fingerprint is scanned, the comparison is “confirmed” as belonging to Bill Smith, about to be a victim of identity theft.

      Reference – Merchant: If a consumer based reference is undesirable the next step up might be reference at the purchase point. Think on that, your fingerprint (or voice print, retina scan) on file at a merchant? These are the same merchants who have been hacked compromising the information for hundreds of millions of charge cards. This puts your biological information at risk and reliant on the security of the weakest merchant.

      Also consider that regardless of someone’s actual biological element the merchant’s record could be altered to another person’s biological element. As an example Joe Criminal hacks the merchant database so that Joe’s face appears in Bill’s account. At checkout Joe presents his face for “authentication”, Joe’s face is scanned, confirmed and the transaction takes place. Joe hacks the database again to restore Bill’s face.

      Reference – System: Even if merchant security is considered inadequate, storage of biological reference materials at a system level (such as a charge card provider) requires the scanner to be at the merchant. Recall that several major compromises were based on hacks of the scanners themselves, so that when you put your finger on the store scanner a copy goes to the crook as well as the store.

      Consider also that, unlike a new password or a new account number, you cannot change your biological information. Imagine if your biological information were compromised and at some point in the future that biological element turned up at a crime scene. Clearly you were there, right?

      Infrastructure: There is no significant existing infrastructure for the gathering of biological samples. Certainly there are some company level standards for employee timekeeping and local security, but none at general merchants. This is why something that uses existing infrastructure is less expensive.

      CHANGE DIRECTION – We need a conceptual shift from marginally better locks and vaults toward protecting the vital consumer data by never having critical information at the merchant. The merchant gets paid, the consumer gets billed, and even if crooks grab everything at the merchant, they can’t make purchases. Rather than expend considerable human and financial resources in what will be a perpetual battle between large IT shops and smaller, more nimble, crooks I suggest a simpler solution from the distant past that will stop damage today and in the future.

      In the Art of War Sun Tzu wrote, “Hence to fight and conquer in all your battles is not supreme excellence; supreme excellence consists in breaking the enemy’s resistance without fighting.” This is psychological warfare: breaking the enemy’s will to fight. Here, consider removing the crook’s motivation to steal by taking away even the possibility of reward. Think a moment on this question:

      If crooks are eventually going to breach the vault,
      why put jewels there in the first place?

      The challenge is to create a transaction system capable of paying the merchant and billing the consumer without ever exposing the credentials necessary to successfully impersonate that consumer. Such a solution should work within existing transaction and communication infrastructures and serve not only card-present commerce, but growing volumes of electronic and mobile commerce. Even better, the solution should provide additional functionality for operational efficiencies for consumer and merchant and provide benefits to all three parties: consumer, merchant, and provider.

      Can it be done? I think so, and it would be cheaper than 300 million EMV cards & readers, or the equivalent in biometric scanners, and a whole lot cheaper than another breach of this size.

  7. Apple Canada still does not have two-factor authentication on their Apple IDs almost a year after they announced it in the US! As of Jan 6th, Canada is no longer mentioned on the Apple website, nor are other countries that were at one time supposedly mentioned. I would not put my faith in Apple securing against credit card fraud when they cannot even secure their own accounts properly. My god Apple wake up!!

  8. Patrick Stevens

    Chip and PIN technology reduces fraud dramatically in the countries/areas that adopt it. Europe, Canada and other parts of the world experienced a dramatic drop in fraud after implementation. Why the US still resists it is bizarre.

    • EMV may (I repeat may) be protecting the information, but it fails miserably in cost-effectiveness, ease-of-use and, oh yes, it has been compromised and will continue to be compromised. Crooks are not stupid and because they don’t have committee meetings, they are a lot more efficient.

      Read the description of how EMV is used in electronic commerce (from a computer) and mobile commerce (from a web-capable cell phone) from the horse’s mouth (see below). I have to have my own reader, another gadget to carry. I have to manually transfer a one-time password from one device to another. What a PITA!

      If internet connectivity is not available, or expensive to use, for an offline EMV transaction “… the card and terminal communicate and use issuer-defined risk parameters that are set in the card to determine whether the transaction can be authorized.” (see #q15 below) So I can’t make a purchase because my smart card wasn’t pre-configured for that level of “risk”, even though the cost is within my credit limit.

      OR, someone who has cloned my EMV card uses it for low-value purchases where there is no internet used to authenticate. Can’t be done? Already been done: See referring to researchers at Germany’s Ruhr University. How did they do it? ” [ the researchers ] … extract the secret key material non-invasively, basically by pointing a radio probe at the card and monitoring it as it performs a transaction, … This is something that’s easily replicable with a few thousand dollars and a little amount of time, so it’s practical.”

      OR, completely bypass the PIN entry process to get authorization. Can’t be done? Already has been done: see article at

      We need a conceptual shift from protection to not needing the critical credentials to pay the merchant and bill the consumer. If the information isn’t there it can’t be compromised. Think about it this way:

      If the crooks will breach the vault
      why put jewels there in the first place?


      = =


      “For an online transaction, the user would insert the EMV credit or debit card into a handheld reader. Once the user enters the PIN, the reader will display a one-time password which can be used to validate the user’s identity. The user enters the password in the appropriate field on the merchant’s checkout page (or online banking site) and the password is passed back to the issuer for authentication …”

      Re offline EMV transactions.