Thanks to the new Apple Pay mobile payment system, financial institutions and card issuers are learning some valuable lessons in call center fraud preparedness.
As millions of consumers set up Apple Pay credit and debit card accounts through their banks, Apple’s card approval process consists of three different paths. The green path automatically approves cards. The red path declines cards. The yellow path isn’t as straightforward; it was designed to provide additional security verification and fraud protection before approving a card.
According to the recent article, “Apple Pay: a new frontier for scammers,” Apple changed the yellow path requirements from optional to mandatory just weeks before Apple Pay was released. This change caught some banks by surprise. Because they were still relying on existing methods like knowledge-based authentication (KBA) to identify callers over the telephone channel, this created a gap in the authentication process beyond Apple’s own hardware and software security measures, which Apple says have not been breached.
The problem is when it comes to verifying customers over the telephone, we know that trusting sensitive customer data can be a recipe for disaster. Using stolen personal information obtained from data breaches, public records or the underground economy, social engineers can fool contact center agents by answering challenge questions such as the last four digits of a Social Security number, date of birth, or a mother’s maiden name. Once criminals defeat knowledge-based defenses, they can take over accounts and start purchasing goods from Apple Pay vendors.
With criminals focusing on provisioning channels to exploit these vulnerabilities, mobile payments expert, Cherian Abraham, said banks are rushing to do whatever they can to meet these new authentication requirements.
“Fraud scales – call centres don’t. There has to be an automated process that is invisible but secure. In hindsight the only thing Apple could have done better was to anticipate the problem, made it mandatory [to call] and helped build a better ‘yellow path’.”
With some banks unable to identify good callers from the bad, Tim Sloane, VP of payments innovation with the Mercator Group, said more robust methods for verifying customer identities over the phone will help curb growing fraud rates on the Apple service.
“These are probably just some teething problems. If the banks can nail down the authentication, they should see less fraud on Apple Pay.”
A solution like the TRUSTID® Physical Caller Authentication, which doesn’t rely on KBA to proactively validate the caller’s identity before the inbound call is answered, is one way financial institutions can automatically authenticate customers without relying on sensitive customer data. By using telephone network forensics to locate the exact location of the telephony device pre-call, TRUSTID protects call center environments by invisibly identifying spoofed calls in real-time to stop bad actors before they can socially engineer telephone agents.