Yellow Path Authentication Measures for Banks

How Banks Can Fix Apple Pay Vulnerabilities

Yellow path authentication uses a color coding system to flag unverified users for further confirmation. This is intended to prevent digital wallet fraud on iPhones and other Apple Pay-compatible devices. Unfortunately, cybercriminals have developed methods to exploit vulnerabilities in the yellow path Apple Pay procedures. Banks and credit card providers need more robust measures to prevent Apple Pay fraud. Fortunately, security experts have been developing responses to fix yellow path vulnerabilities.

Here we’ll look at what your company can do to protect your customers and business against yellow path exploitation. First, we’ll look at what yellow path authentication is supposed to do, and this will help highlight why yellow path procedures can be vulnerable to fraud. Then we’ll look at how these vulnerabilities can be addressed using cutting-edge identity proofing methods, strengthening yellow path authentication to make it more effective.

What Is Yellow Path Authentication?

Yellow path authentication is a color-coded security procedure used by digital wallet providers such as Apple Pay and Google Pay to flag events where a user attempting to add a payment method fails an initial check for the risk of identity theft. A failed attempt classified as yellow represents caution and triggers a workflow path to perform additional identity verification checks before the payment method can be added.

Yellow path authentication functions within a three-color coding system that uses a scorecard to measure identity theft risk. When a user attempts to add a credit or debit card to a digital wallet, the digital wallet provider contacts the issuing bank to assess identity theft risk. The bank uses a scorecard system to measure the risk, and the result is simplified by representing it using a color code:

• A green path result indicates that a user has passed the scoring system’s basic identity verification checks, and the payment method is cleared by the issuing bank to be added to the digital wallet
• A yellow path result indicates that the user has failed to pass one or more identification verification scoring criteria and additional verification checks need to be done before the payment method can be added
• A red path result indicates that the user has failed to verify their identity, and the attempt to add the payment method is rejected by the issuing bank

What happens when a payment method addition attempt gets flagged as yellow? A yellow result triggers additional identity authentication screening by the issuing bank before the payment method can be added to the digital wallet. For example, a bank may request that the cardholder pass a multi-factor authentication check by providing the last four digits of their Social Security Number (SSN).

If the user passes the additional authentication check, the payment method is approved to be added to the digital wallet. Otherwise, the payment method cannot be added.

Why Yellow Path Authentication Is Vulnerable to Fraud

In itself, yellow flag authentication is a sound procedure. There is no inherent problem with the practice of flagging payment method additions that fail to pass security checks the first time for additional scrutiny.

But the effectiveness of yellow path procedures depends on the follow-up security checks used. And while every Apple Pay card issuer is required to use yellow path procedures, the exact procedures used are left to the issuer’s discretion. This is where vulnerability can enter into the process.

Many banks respond to yellow path flags by requiring users to provide the last four digits of their Social Security Number. Unfortunately, identity thieves often steal Social Security Numbers from wallets, tax returns, security breaches, and the digital black market. If an identity thief has already stolen a victim’s SSN, they can bypass this method of yellow path authentication.

This vulnerability isn’t limited to Social Security Numbers, either. Any type of authentication based on a piece of a victim’s identity that has already been stolen is risky for yellow path authentication. For example, the same problem can arise if a bank uses a knowledge-based authentication method, such as asking for the user’s mother’s maiden name.

One way banks counter this exploit is by cross-referencing user address data with smartphone location to verify that the payment method addition attempt is being made from the cardholder’s geographical location. But some thieves set the stage for a yellow path exploit by calling a bank or credit card provider to claim that the account holder will be traveling out of town. This removes the suspicion which would normally arise if someone attempted to add a credit card or debit card from a different location than the cardholder’s usual locale.

As this illustrates, identity thieves go to great lengths to bypass yellow path precautionary checks. Security teams must be equally diligent in staying a step ahead of cybercriminals seeking to exploit yellow path vulnerabilities.

How to Fix Yellow Path Authentication Vulnerabilities

The general fix for yellow path authentication vulnerabilities is using more vigorous follow-up identity authentication checks rather than simply asking for a user’s Social Security Number. Both banks and digital wallet providers can contribute to this solution, and several more robust measures may be deployed.

Part of the solution is using dynamic authentication data rather than static. A Social Security Number is classified as static data because it doesn’t change, allowing a thief an unlimited time window to steal it. In contrast, banks can use multi-authentication methods with dynamic, limited time windows. For example, texting or emailing a user a one-time PIN reduces thieves’ opportunity to intercept the authenticating data.

Another effective way to augment yellow path authentication is to use biometric authentication identity proofing checks. For example, requiring a user to provide a photo ID and then upload a selfie enables security teams to harness document authentication and facial recognition technology to verify user identity. Other biometric methods such as fingerprint and voice identification can be used similarly.

Protect Your Yellow Path Processes with Incode Omni Identity Proofing

Yellow path authentication may slow down cybercriminals, but it won’t stop them by itself. To prevent exploitation, you must strengthen yellow path cautionary procedures with rigorous identity proofing, incorporating dynamic data and advanced authentication tools such as biometric facial recognition.

The Incode Omni platform provides an end-to-end identity authentication solution that can patch up holes in yellow path processes without compromising your customers’ experience of your brand. Best-in-class identity verification tools, including high-quality capture of ID data and photos and facial recognition of live selfies, provide strong identity proofing, which can thwart thieves’ attempts to bypass basic yellow path procedures. Contact for a demo to see how Incode Omni can strengthen your yellow path and give your customers the green light for a frictionless shopping experience.