Understanding the risks of mobile-payments technology
By Holly Whitehead, R&D manager, International Compliance Association
Fraud and risk management specialist Kount defines mobile payments in its Mobile Payments & Fraud: 2016 Report as a very broad term for any payment made on a device, be it at physical point-of-sale (POS) or mobile e-commerce payments, which can be further broken down into in-app or mobile web-browser payments.
By 2019, worldwide mobile payments are predicted to surpass $1 trillion dollars and on Black Friday 2016 in the US, online sales from mobile devices totaled $1.2 billion. This made up 36 percent of the total sales for the day, an increase of 33 percent on last year, showing just how popular this channel is becoming.
Types of mobile payments and how they work
As mentioned above, there are two types of mobile payments: online and at physical POS.
Physical POS refers to methods such as Apple and Android Pay. There are several other companies also offering these services, for example, MasterPass (from MasterCard), Samsung Pay and Chase Pay (courtesy of JP Morgan Chase). Most physical POS payments work by utilizing the Near Field Communication (NFC) technology found in most smartphones and is the same technology in your contactless debit/credit card.
The card information is not stored on your phone or given to the merchant. Instead, it creates a 'token' – replacing your card details – which is given to the merchant, making the transaction itself very secure. Apple Pay takes security a step further, requiring all transactions to be verified by fingerprint ID or passcode, whereas with Android Pay you just need to make sure the phone is unlocked and hold it to the contactless terminal.
Apple and Android Pay are also versions of 'mobile wallets' allowing you to store more than one card in them and chose which one to pay with.
Another new piece of technology currently being rolled out across the US is the 'cardless ATM.' This works using a mobile or ‘digital’ wallet, whether that be Apple/Android/Samsung Pay, in the same way you would in store – with all the same security procedures – by selecting the card you wish to pay with and tapping your phone on the contactless reader. An added security step here will actually involve having to enter the corresponding PIN at the ATM for the card that has been selected, a method a lot safer than using a card at an ATM, which can be skimmed, stolen in a ‘distraction fraud,’ or even just left in the machine in a moment of forgetfulness.
Mobile e-commerce makes good use of mobile wallets that can be used on mobile websites or through apps, appearing as the option, for example, 'pay with Apple Pay.' Other choices are also fast appearing, with the option to pay for something online using, for example, Amazon, PayPal, or Facebook. Such options are becoming more popular, as they enable a 'one-tap' checkout process as all personal details are already present and all that is required is to sign into your Amazon/Facebook/PayPal/mobile wallet.
How mobile payments fraud can occur
There are, in theory, very few ways in which mobile POS payments can be abused, considering you need either a passcode or a fingerprint to make any transaction/unlock the phone.
Unless the passcode has been divulged or the customer has been seen ('shoulder-surfed') inputting their passcode by a fraudster, it is as secure as a regular debit/credit card – it is in fact safer as the card number is not divulged to anyone at any stage of the process.
However, stolen debit/credit card details can be used to set up Apple/Android Pay.
With regards to mobile e-commerce payments, a brand new account could be set up using stolen card details which can be obtained from anywhere, for instance the card could have been skimmed or a website hacked. It is also possible that, when an account is set up and the organization sends a text message or makes a phone call to verify the account, in account takeover cases, phone numbers can be hijacked. This means the fraudster can forward the victims calls/messages to their phone and verification is passed with information already phished from other organizations or even bought on the Internet; this also can happen when setting up Apple/Android Pay with stolen card details.
If an already established account is used, then how this happened would need to be identified, for instance, did the customer have a lock on their phone? According to Kount's research, 34 percent of users don't lock their devices and 62 percent of those who do have an easily hackable code such as 1-2-3-4.
With most of these apps not needing a sign on and many people saving their login information for Amazon, Facebook, PayPal, or their mobile wallet ready for next time, the need to have a lock on a mobile device is crucial. Without this, if a mobile device is lost/stolen, a fraudster is basically given free access to a victim’s bank account (or multiple accounts if more than one card is stored in the wallet) to go on a spending spree.
With the proliferation of e-commerce, mobile devices and security enhancements, mobile payments are certain to increase and likely surpass traditional payment methods in the next few years. Likewise, fraud remains a risk that mobile payments providers as well as consumers need to be aware of and take measures against, however simple.