Fraud and Mobile Payments
Last month, I was asked to give a presentation at a fraud seminar in Iceland. Normally I would focus on payment card crime, as this is an area many are in some way familiar with. However, this time I decided, for the most part, to talk about fraud related to mobile phones. I had the pleasure of speaking to some of the participants afterwards, confirming that new, innovative mobile payment solutions are emerging everywhere. One of the most interesting things for a fraud geek like myself is how payment providers are going to cope with the fraud issues they are likely to encounter once the solutions really take off.
From my experience, the good news is that most payment providers are very aware of the risk of fraud, but because the existing payment solutions have been so fragmented and not reached a broad audience, many are not quite sure what to expect.
An interesting aspect of mobile payments is that it bridges the gap between e-commerce and face-to-face transactions, also when it comes to fraud. Historically, the Holy Grail of payment card fraud has been the information embedded in the magnetic stripe on the back of the card. That information could easily be transferred onto another piece of plastic, creating an exact electronic copy of the original card. Last year, US retailers Home Depot and Target both became victims of data breaches that exposed millions of payment cards. But the era of the large data breaches is hopefully coming to an end, as the US is finally replacing the magnetic stripe with the much more tamper-resistant EMV chip. The EMV chip has been used for many years in Europe, and its impact on counterfeit fraud has been very significant.
Fraud has not gone away, however, but has migrated into other areas such as e-commerce fraud. E-commerce fraud is much easier to commit, as it often takes no more than the card number, expiry date and the three-digit security code. This data can be obtained in many ways, such as through social engineering (e.g. phishing) or by hacking online merchants. The fraudster can then use this information to commit fraud at online merchants, but cannot use it to create a counterfeit card for face-to-face transactions, as the vital information from the magnetic stripe is missing. At least until now: the introduction of mobile payments at point-of-sale (POS) terminals presents fraudsters with the opportunity to misuse illegally obtained card information in a whole new way.
Most mobile payment transactions are essentially processed as card-not-present transactions, even if conducted at a point-of-sale terminal. In the past, counterfeit fraud and card-not-present fraud were two different things, as the first required the fraudster to obtain the magnetic stripe data, either by skimming or by hacking (as in the Home Depot and Target breaches). Today the two fraud types converge, as card data from a phishing scheme can be added to a mobile wallet and used to conduct fraud at POS terminals.
The most successful solution is without a doubt Apple Pay. Apple Pay can be used to conduct face-to-face transactions as well as online shopping. However, a few months back rumors started to circulate that fraud levels on Apple Pay were completely out of control, with some issuers reporting fraud rates exceeding 600 basis points. The problem was not caused by the design of Apple Pay, but could instead be attributed to inadequate customer authentication by participating card issuers. In order for a new card to be added to Apple Pay, it has to be provisioned, or verified, by the issuing bank. If a card requires additional verification, the customer would normally call the bank so that the owner's identity can be verified before the card is authorized. However, some banks rely on information like the customer's Social Security number, which can easily be obtained by social engineering.
As the Apple Pay fraud cases showed, strong customer authentication is a key part of any mobile payments scheme. This authentication can be conducted in many ways, but most mobile solutions in Denmark use the social security number or the national digital signature (NemID) to verify the identity.
In addition to strong customer authentication, an effective fraud monitoring and prevention strategy should also be implemented in order to cope with any fraud risks that may arise. Besides being able to identify and prevent fraud, an efficient fraud solution must not generate any friction that affects the customer's experience negatively. The solution should be completely transparent to the user and work seamlessly in the background.
In order to achieve that, most fraud solutions on the market today focus on either the device (i.e. the mobile phone) used to conduct the transaction or the customer's interaction with the device.
Device fingerprinting (or device profiling) has been around for a number of years and has proven very powerful at preventing fraud. One of the challenges facing traditional browser-based device fingerprinting is generating an identifier that is both unique and persistent. Mobile applications are proving much better at this, ensuring that a device is uniquely identified even if the application has been reinstalled. This means that a device with a criminal history will be recognized even if the fraudster tries to use it with new credentials.
In 2012 the “Eurograbber” banking Trojan stole more than 36 million euro from more than 30,000 European bank accounts. As part of the attack, the Trojan compromised the customers' mobile devices, thereby circumventing any two-factor authentication the banks had in place. To counter this threat, most mobile fraud solutions now also detect whether any malware or malicious apps are installed on the device. In addition to analyzing the device, an increasing number of solutions are now looking at how the customer interacts with the device. Behavioral analytics has been used in e-commerce fraud prevention for many years, but today's mobile devices allow an even deeper analysis. In addition to how the customer navigates the website (or app), information such as finger pressure and finger size can be used to build a profile of the customer.
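To make the two preceding paragraphs concrete, here is an added example of a toy monitor that combines the signals they describe: a persistent device identifier with a fraud history, a device cycling through many unrelated cards, a malware flag reported by the app, and a simple behavioural baseline built from finger pressure. This is illustration code written for this post, not code from the author or from any fraud-prevention vendor; it assumes the wallet app's SDK already supplies a persistent `device_id` and a `finger_pressure` reading, and all thresholds, account names and events are constructed.

```python
"""Added example: toy device-reputation and behaviour monitor for wallet transactions.
Assumes the app SDK provides a persistent device_id (hypothetical); sample data is constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class DeviceProfile:
    accounts: set = field(default_factory=set)  # card/account credentials seen on this device
    confirmed_fraud: bool = False               # set once a chargeback ties the device to fraud


class MobileFraudMonitor:
    """Scores wallet transactions on device history, device health and touch behaviour."""

    def __init__(self, max_accounts_per_device=3, pressure_tolerance=0.25, min_samples=3):
        self.devices = defaultdict(DeviceProfile)
        self.pressure_history = defaultdict(list)  # account -> finger pressures seen so far
        self.max_accounts = max_accounts_per_device
        self.pressure_tolerance = pressure_tolerance
        self.min_samples = min_samples

    def mark_fraud(self, device_id):
        """Record that a device was involved in confirmed fraud (e.g. a chargeback)."""
        self.devices[device_id].confirmed_fraud = True

    def assess(self, event):
        """Return ('allow' | 'review' | 'block', reasons) and then update the profiles."""
        dev = self.devices[event["device_id"]]
        reasons = []
        # 1. Device with a criminal history, whatever credentials it presents this time.
        if dev.confirmed_fraud:
            reasons.append("device linked to confirmed fraud")
        # 2. One handset cycling through many unrelated cards is typical of stolen card data.
        if event["account"] not in dev.accounts and len(dev.accounts) >= self.max_accounts:
            reasons.append("device already used with %d other accounts" % len(dev.accounts))
        # 3. Device health signal supplied by the app (malware or hostile app detected).
        if event.get("malware_detected"):
            reasons.append("malware reported on device")
        # 4. Behavioural baseline: touch pressure far from this account's usual profile.
        history = self.pressure_history[event["account"]]
        if len(history) >= self.min_samples:
            baseline = mean(history)
            if abs(event["finger_pressure"] - baseline) > self.pressure_tolerance * baseline:
                reasons.append("touch behaviour deviates from account baseline")
        # Update profiles only after scoring, so the current event cannot vouch for itself.
        dev.accounts.add(event["account"])
        history.append(event["finger_pressure"])
        if any(r.startswith(("device linked", "malware")) for r in reasons):
            return "block", reasons
        return ("review" if reasons else "allow"), reasons


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"device_id": "dev-A", "account": "card-1", "finger_pressure": 0.50},
    {"device_id": "dev-A", "account": "card-1", "finger_pressure": 0.52},
    {"device_id": "dev-A", "account": "card-1", "finger_pressure": 0.48},
    {"device_id": "dev-A", "account": "card-1", "finger_pressure": 0.95},  # unusual touch behaviour
    {"device_id": "dev-B", "account": "card-2", "finger_pressure": 0.40},
    {"device_id": "dev-B", "account": "card-3", "finger_pressure": 0.40},
    {"device_id": "dev-B", "account": "card-4", "finger_pressure": 0.40},
    {"device_id": "dev-B", "account": "card-5", "finger_pressure": 0.40},  # fourth card on one handset
    {"device_id": "dev-C", "account": "card-6", "finger_pressure": 0.30, "malware_detected": True},
    {"device_id": "dev-D", "account": "card-7", "finger_pressure": 0.60},  # known device, new card
]


def run_sample():
    """Score the constructed events; dev-D was previously tied to confirmed fraud."""
    monitor = MobileFraudMonitor()
    monitor.mark_fraud("dev-D")
    return [monitor.assess(e)[0] for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    monitor = MobileFraudMonitor()
    monitor.mark_fraud("dev-D")
    for e in SAMPLE_EVENTS:
        print(e["device_id"], e["account"], *monitor.assess(e))
```

The decisions for the sample run out as allow, allow, allow, review, allow, allow, allow, review, block, block: the behavioural and multi-card signals only raise a transaction for review, while a device with confirmed fraud history or a malware report blocks outright, which is the split a real deployment would tune rather than hard-code. Note that profiles are updated after scoring; updating first would let a fraudulent event establish its own baseline.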
Mobile payments fraud is still in an early stage, but fraud is likely to increase as more and more fraudsters become aware of the new possibilities the technology provides. However, as the technology continues to evolve, new and even better security measures are likely to be introduced as well, hopefully making mobile payments even more secure than traditional payment card transactions.