New Ways to Pay Require New Ways to Secure
By Lisa Stanton for Finextra
Although mobile wallet technologies like Apple Pay, Google Wallet and Android Pay were only recently introduced, the trend lines for their adoption resemble those of smartphones: hockey-stick growth curves.
One report anticipates that mobile wallets will become the leading payment method globally in 2019, enabling $647 billion in transactions compared to $577 billion with credit cards and $412 billion with debit cards.
As remarkable as this development is, the millions of mobile wallet users still only represent a fraction of the total number of mobile phone owners. The 90 million users expected in 2019 will make up less than half of the total smartphones in the U.S. alone. So the growth potential of this platform is wide open.
Mobile Wallets—The Next Big Thing for Fraudsters
The proliferation of mobile wallets is good news for consumers, retailers, financial institutions, and fintech companies. Unfortunately, it’s also good news for thieves. Nothing invites fraud quite like the introduction of a new technology and the potential security holes it often opens up. A rushed rollout can create massive opportunities for fraud, as we’ve already seen in the initial rollout of Apple Pay. In the zeal to provide a frictionless experience for customers, gaping security holes were exposed.
While both the banks and Apple moved quickly to rectify that situation, fraudsters continue to target mobile wallets. According to Javelin Strategy & Research, approximately 112,000 mobile wallet-related accounts were taken over by fraudsters in 2015, back when only 23 million mobile wallets were in circulation. It is therefore reasonable to predict mobile wallet fraud will increase as adoption rates climb.
Additionally, the switch to the EMV (Europay, MasterCard and Visa) chip card security standard is expected to accelerate mobile wallet fraud. While the migration to EMV has been successful in dramatically reducing the production of counterfeit plastic cards, today’s sophisticated, adaptable fraudsters continue to go after the vulnerable digital channel. And mobile wallets are no exception. Malware with capabilities such as overlay attacks, rogue apps, and message interception is specifically targeting mobile wallet users.
Shoring Up the Holes
To counterattack, many organizations are upping their security game by incorporating device intelligence technology designed specifically to protect the mobile channel.
One of the primary problems in mobile wallet fraud lies in the current enrollment process. In this process, when a new payment card is added to a digital wallet, the mobile wallet provider attempts an initial verification to determine if card information matches the user information on file.
If there is a discrepancy and additional verification is required, the card issuer then requests additional authentication, typically through one-time codes sent by text message or through call center verification. Unfortunately, both of these authentication methods are insecure and are the weak link inviting the fraudsters to the party.
Verification by text message is susceptible to man-in-the-middle attacks and other forms of fraud. For this reason, the National Institute of Standards and Technology (NIST) recommends it not be used for authentication.
Likewise, call center verification doesn’t fare much better. In addition to being time consuming, not consumer friendly, and costly for the organization, it can be even more insecure than text message authentication and can be easily thwarted by fraudsters.
Both of these routes overlook the one method for mobile wallet authentication that is 100% secure: sending a notification to users for additional verification via the bank’s mobile app or directly to the mobile wallet. Communication through these dedicated apps, coupled with device authentication software, can be remarkably secure, as it delivers point-to-point communication for server-to-client messages along an encrypted path. This is the most secure way to send such transmissions, and it prevents interception and replay. This secure message delivery system allows payment card issuers to make authorization decisions with confidence.
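The in-app verification described above, sketched as an added example (not code from the article or from any wallet provider): the issuer's challenge is bound to an enrolled device key and to the card being added, is single-use, and expires, so a captured response cannot be replayed or reused from another device. The per-device key table, field names, lifetime and HMAC construction are assumptions for illustration, and the encrypted transport is assumed rather than shown.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample data: per-device keys provisioned when the bank app was enrolled.
DEVICE_KEYS = {"device-A": secrets.token_bytes(32)}
CHALLENGE_TTL = 120  # seconds a challenge stays valid (assumed policy)

def sign(key, device_id, card_ref, nonce):
    """Device-side proof: MAC over the challenge and what is being approved."""
    msg = "|".join((device_id, card_ref, nonce)).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class Issuer:
    """Issuer-side step-up check for adding a card to a wallet (hypothetical)."""

    def __init__(self, device_keys):
        self.device_keys = device_keys
        self.pending = {}  # nonce -> (device_id, card_ref, expires_at)

    def new_challenge(self, device_id, card_ref, now=None):
        if device_id not in self.device_keys:
            raise ValueError("device not enrolled")
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, card_ref, now + CHALLENGE_TTL)
        return nonce

    def verify(self, device_id, card_ref, nonce, tag, now=None):
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # single use: a replay finds nothing
        if entry is None:
            return "rejected: unknown or replayed challenge"
        if entry[:2] != (device_id, card_ref):
            return "rejected: challenge bound to another device or card"
        if now > entry[2]:
            return "rejected: expired"
        expected = sign(self.device_keys[device_id], device_id, card_ref, nonce)
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad device proof"
        return "approved"

if __name__ == "__main__":
    issuer = Issuer(DEVICE_KEYS)
    nonce = issuer.new_challenge("device-A", "card-ref-1")
    tag = sign(DEVICE_KEYS["device-A"], "device-A", "card-ref-1", nonce)
    print(issuer.verify("device-A", "card-ref-1", nonce, tag))  # first use
    print(issuer.verify("device-A", "card-ref-1", nonce, tag))  # replayed response
```

Unlike a one-time code sent by text message, the response here is useless to anyone who does not hold the device key, and it is useless to everyone after its first use.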
Mobile wallets have the potential to become a potent force in enabling frictionless transactions, delighting customers and increasing usage. Such a development would be a big win for financial institutions, retailers, and consumers alike. However, as the title of this article suggests, new ways to pay require new ways to secure. When introducing disruptive technology, it is imperative for financial institutions and technology firms to place a priority on incorporating contemporary methods of risk reduction that have been designed specifically for the uniqueness of mobile interactions.
First appeared at Finextra