Tag Archives: electronic payments

Apple Pay warning: Storing your partner’s fingerprints is like ‘giving away your Pin’

Banks warn users of Apple’s Touch ID that storing partners’ or spouses’ fingerprints will be seen as ‘you failing to keep your details safe’

Banks have warned customers that if they store other people’s fingerprints on their iPhones they will be treated as if they have failed to keep their personal details safe.

This means the bank can decline to refund disputed transactions or to help where customers claim they have been victims of fraud.

Extract from the Ts & Cs applying to debit and credit card customers of First Direct. The same terms apply to customers of HSBC

The banks’ position, typically buried in the detail of bank account Ts & Cs, could trip up spouses, couples, parents and children, for example, where multiple fingerprints have been stored on a phone in order for it to be used by other family members.

This is because Touch ID – Apple’s process of storing encrypted finger prints – works to unlock phones, as well to authorise payments through Apple Pay.

It comes as growing numbers of consumers embrace Apple Pay to make payments at shops, bars, restaurants and on public transport.

The Apple Pay system was launched in Britain in July.

• Apple Pay: everything you need to know

When the phone is near the payment point, the user’s bank card – which has been previously set up in Apple’s electronic “wallet” – flashes up on the phone screen. The user then authorises the payment by placing his or her registered finger on the phone’s scanner.

The process takes seconds, or even less, and is thought to be highly secure, as payments will only be made where a fingerprint has been scanned and verified.

Most models of iPhone carrying the Touch ID facility allow up to 10 prints to be stored, meaning users have plenty of opportunity to register family members’ prints on their device.

But banks are effectively warning customers that if they want to use Apple Pay, other people’s prints need to be deleted.

Santander, NatWest and Royal Bank of Scotland customers were the first to be able to use their accounts with Apple Pay, with HSBC and First Direct joining later July, the month the system first became available.

Lloyds, Halifax and Bank of Scotland customers were able to use the service from September.

Barclays, which was the only major UK bank not to partner with Apple Pay, has since announced a collaboration is coming “in the future”.

Lloyds Bank said: “If Touch ID is available on your device, you must ensure you only register your own fingerprints (and not anyone else’s).”

Tagged , , , ,

JP Morgan to launch a rival to Apple Pay called Chase Pay

Bank has already signed a deal with a group of major retailers including Wal-Mart, the largest US retailer, and Best Buy

JP Morgan Chase is to launch its own competitor to Apple Pay that will allow consumers to pay retailers using their smartphones in stores.

The largest US bank, which has already won the endorsement of a major group of merchants, is the latest company to try to profit from the prevalence of smartphones, which many financial executives believe will one day be consumers’ preferred way to pay for everything from milk and eggs at the supermarket to a rental car at an airport.

The companies that figure out how to convince consumers to stop pulling credit cards out of their wallets and start paying with their phones stand to earn vast sums by taking a percentage of the trillions of dollars that consumers spend annually.

No clear front-runner has emerged in the business yet. JP Morgan believes its smartphone application, known as Chase Pay, has one key advantage: the caliber of retailers it has brought on board, Gordon Smith, chief executive of the bank’s consumer business, said.

JP Morgan has signed a deal with the Merchant Customer Exchange, a group of major retailers including Wal-Mart, the largest US retailer, and Best Buy to accept payments through the bank’s technology.

Retailers included in the Merchant Customer Exchange ring up more than $1 trillion of sales per year and have more than 100,000 outlets.

Rivals like Apply Pay have struggled to sign up retailers to accept their payments. In June, Reuters interviewed the top 100 US retailers and found that two-thirds said they did not plan to accept Apple Pay this year.

The Apple Pay website lists Best Buy in its “Coming Soon” section but has no mention of Wal-Mart.

JP Morgan signed up the Merchant Customer Exchange mainly by promising to cut retailers’ costs, Mr Smith said. Whenever a consumer pays for something with a credit card, the retailer pays fees to banks and credit card networks to process the transaction.

JP Morgan is willing to accept a lower fee for Chase Pay transactions than for other transactions, and hopes to make up the difference by getting more volume over its network, Mr Smith said.

“As merchants give us more business, we will give them better pricing,” Mr Smith said. JP Morgan declined to comment on how much it would cut fees.

JP Morgan expects to market its product heavily in the middle of next year.

Chase Pay is also promising superior security, a critical selling point after retailers including Target and Home Depot were hit by hackers, Mr Smith said. Longer-term, JP Morgan also hopes merchants will offer more discounts through Chase Pay, encouraging consumers to use the technology more.

Chase Pay will initially work for consumers that already have Chase credit, debit and prepaid cards, Mr Smith said. There are about 94m of those cards outstanding now in the US, and the bank has more spending on them than any other issuer. The app will work on Apple and Android-based phones.

JP Morgan’s consumer bank has already factored the system’s near-term launch costs into its expense estimates, and expects the benefits to come over the medium to long term.

The bank will continue working with Apple Pay and other services even as it builds a rival, Mr Smith said.

Chase Pay is just one of a series of companies trying to become the go-to payment technologies, including Apple Pay, Samsung Pay and Alphabet’s Android Pay.

Tagged , , , ,

Privacy groups call for investigation into Experian hack

US consumer privacy groups have called for a Federal investigation into Experian, following a major hack at the credit database firm.

Experian claims personal data on 15 million T-Mobile US customers was stolen in the breach.

But the Public Interest Research Group (PIRG), backed by 28 other bodies, fears the hack may have extended to the rest of Experian’s credit database.

This holds personal information about some 200 million Americans, it said.

“A data security breach that affected Experian’s credit report files would be a terrifying and unmitigated disaster,” it added.

‘Troubling possibility’

The Experian breach occurred at Decisioning Solutions, a subsidiary of the credit agency which T-Mobile uses to process information on subscribers.

Names, birth dates and social security numbers were among data stolen, but not financial details, the firms said.

Experian has said the business was “completely separate” from its main credit bureau business, which was “not affected”.

But in a statement, PIRG’s consumer programme director, Ed Mierzwinski, urged both the Consumer Financial Protection Bureau and the Federal Trade Agency to investigate whether other Experian databases had been breached.

He said: “If the server holding the T-Mobile files was subject to fewer security protections than the full Experian credit reporting database, why?

“If it was subject to the same protections as the credit reporting server, doesn’t this raise the troubling possibility that the server holding highly sensitive credit and personal information of over 200 million Americans is vulnerable to a data hack by identity thieves?”

Credit cards

Breached before

Prominent cybercrime journalist Brian Krebs has also raised concerns about Experian’s internal data protection policies.

In a blog, published on 8 October, he claimed to have interviewed “half a dozen security experts” who recently left Experian frustrated with its approach.

“Nearly all described Experian as a company fixated on acquiring companies in the data broker and analytics technology space, even as it has stymied efforts to improve security and accountability at the firm,” he said.

Experian data has been breached before – such as in 2012, when an attack on an Experian subsidiary exposed social security numbers of 200 million Americans.

This prompted an investigation by at least four states, including Connecticut.

Commenting on PIRG’s campaign, an Experian spokesman said: “Experian understands the concerns raised and we are prepared to respond promptly to requests from regulatory agencies for more details about the incident.”

He added: “Security is a top priority for the company, and Experian is committed to continuous investments in upgrading talent, processes, and technologies needed to protect our systems.”

He said the firm had invested of “tens of millions of dollars” in the last three years to strengthen its security.

A number of lawsuits seeking class action status are under way against T-Mobile and Experian, on behalf of victims affected by the breach.

Tagged , , , ,

New credit cards aim to protect consumers, banks from hackers

A chip implanted in new cards is designed to stop cybercrime. Starting Thursday, stores that haven’t upgraded their card-reading terminals will be on the hook for fraudulent charges.

US consumers are about to get a new defense against cybercrime. The armor will take the form of credit and debit cards with a built-in chip, which retailers must be able to read as of Thursday.

Short for EuroPay, MasterCard and Visa, EMV chips create a one-time-use code needed for each purchase, which makes stolen card numbers less valuable on the black market. Consumers may see slightly longer transaction times as in-store readers run the EMV cards, assuming merchants have set up the new payment terminals in time.

Industry watchers don’t expect every merchant to meet Thursday’s deadline, which was set last year by MasterCard, Visa, Discover and American Express. Retailers do have an incentive to act quickly, though. Stores that don’t have EMV-reading terminals will need to make good on in-store purchases made with counterfeit cards. ATMs and gas pumps will face the same liabilities in 2017.

The card companies wrote that rule after cybercriminals stole about 40 million credit and debit card numbers from the payment system of retailer Target during the 2013 holiday-shopping season. Currently, the banks that issue cards are on the hook for fraudulent charges.

There are two ways hackers steal sensitive information. They can use card skimmers to read a card’s magnetic stripe at an ATM or gas pump. They can also penetrate retailers’ corporate information systems, as they have with Target, Home Depot, Neiman Marcus and many others, to copy card numbers. Those stolen numbers can be used on fake cards to make fraudulent purchases. Two-thirds of fraudulent purchases inside stores are made with counterfeit cards, said Stephanie Ericksen, Visa’s vice president of risk products. Authentic cards that were stolen account for the other third.

That’s where these new chip cards can help. Because the chips send encrypted, one-time codes for each transaction, the cards are harder for fraudsters to read and duplicate, experts say. While the cards are just rolling out in the US, the technology isn’t new. Europe started using cards with embedded chips in 2005. Apple Pay and Android Pay mobile payments work on the same underlying rules.

Despite the impending retailer deadline, many consumers still don’t know about the new kinds of cards. In an August survey by electronic payments company ACI Worldwide, 59 percent of consumers reported they hadn’t received credit cards with EMV chips. Only a third knew the United States is shifting toward chip readers. What’s more, only 27 percent of merchants are prepared for the October deadline for card reader technology, according to a report released in mid-September by the Strawhecker Group, a consulting firm for the payments industry.

Experts say the slow rollout could be due to the cost of new card-reading equipment. Merchants must weigh the expense of buying new payment systems and training employees on that gear against the unknown hit from fraudulent charges. Some may even consider their new liabilities the cost of doing business.

Consumers will need to adapt to the new system too, experts said.

“There may be some initial inconvenience at the point of sale,” said TJ Horan, vice president of product management at FICO, which helps banks determine a consumer’s credit risk.

Despite the increased security, industry watchers don’t expect card fraud to disappear. Horan likens it to squeezing a water balloon: If you push fraud out of the system in one place, it will simply shift somewhere else.

Tagged , , , , ,