-
Suggestions that Apple Pay is unusually vulnerable to fraud were quickly refuted this week. The fact remains, though, that extra care is needed when verifying cards for Apple's mobile wallet.
March 5 -
Two small U.S. banks will begin offering an alternative remittance option. The development may signal a new era of competition in foreign exchange, but some critics see danger.
September 24 -
Apple is betting that tokenization systems offered by payment processors will provide a security boost to its new Apple Pay system at a time when consumers are wary of Apple's cloud-based services.
September 9
AUSTIN, TEXAS For banks, payments innovations like Apple Pay and Bitcoin tend to be a double-edged sword. Such groundbreaking technology will almost necessarily be accompanied by security and compliance vulnerabilities.
This conundrum was a recurring theme at American Banker's Retail Banking 2015 conference in Austin on Tuesday. A panel on Apple Pay delved into
Apple Pay is vulnerable to fraud for the same reason it's attractive to customers, according to Steve Mott, principal of payments consultancy BetterBuyDesign: "It's easy to do."
"That's the beauty of it and the tragedy of it," Mott said. While he lauded Apple for introducing tokenization to mainstream mobile payments, he said the company had rushed rollout of the service to the detriment of banks' and issuers' security defenses.
"They effectively stampeded the industry, banks and merchants to get it out as fast as possible," he said.
The issue at the heart of the Apple Pay fraud lies in the way that many partnering banks verify customers' identities when they upload their cards to the mobile wallet. Banks frequently ask for authentication information such as the last four digits of customers' Social Security numbers.
The problem with this kind of static data is that hackers can easily steal the answers to such questions, Mott said. He pointed out that hackers were able to access as many as 80 million customer records containing Social Security numbers, birthdays and employment information in the
"The moral of the story is, if you try to make payments too easy, you're going to have real tradeoff in making them secure and scalable," he said.
Banks should be also aware that payments security problems typically arise from a confluence of factors, according to Neff Hudson, assistant vice president for emerging channels at USAA, which supports Apple Pay.
"The fact that Apple Pay came along after the credit card breach is what created the vulnerability," he said, referring to
Further out on the edge: Wells Fargo has concluded there's too much compliance risk involved in banking cryptocurrency businesses, according to Lester Joseph, manager of its global financial crimes intelligence group. The San Francisco-based bank conducted what Joseph called a rigorous study of cryptocurrencies last year.
"We determined that at this point, we would not be in a position to bank any Bitcoin businesses or Bitcoin exchangers because there's a certain lack of transparency in Bitcoin currency as far as determining who the payments are coming from and where they're going to," Joseph said. "Without being able to identify parties on either end of the transactions, we're not able to do effective sanctions or [anti-money laundering] screening."
While Bitcoin users are pseudonymous (unless they opt to link their addresses to their identities), its public transaction ledger provides a trail that authorities can potentially use to track down criminal suspects. Some cryptocurrency businesses have taken additional steps to address regulatory concerns about sanctions, terrorist financing and AML rules.
Companies such as Bitcoin wallet provider Coinbase have
But none of this is enough to soothe big banks' compliance jitters, according to Joseph.
"With respect to OFAC sanctions screening, there's zero toleranceit doesn't matter if it's a quarter or a million dollars," Joseph said, referring to the rules enforced by the Treasury Department's Office of Foreign Assets Control. He did, however, express interest in learning more about the cryptocurrency technologies offered by firms including Ripple Labs.
In fact, small but bold financial institutions like the Weir, Kansas-based CBW Bank are already
Ramamurthi said he was well aware that "anything you do that's new" involving cryptocurrency technology will be highly scrutinized by regulatorsall the more so when the institution in question is "a little bank in Kansas."
"I'll probably have to document everything in triplicate and notarize it personally with my blood before we go live," he said.
But the reality of regulatory scrutiny shouldn't deter banks from exploring new payments technology that can help them send money around the world more efficiently, Ramamurthi said.
"You assume regulations are a constraint," he said. "You set up an equation under a constraint like you do in algebra and get on with life. We don't fight them."
