One of the great things about the advanced mobile devices everyone carries now is that they serve so many different purposes. They’re encyclopedias, world maps, communications devices, and now they’ve evolved to become wallets, too. But as convenient as mobile wallet technology is, it carries with it some unique threats and risks for both consumers and financial institutions.
The introduction of mobile wallet systems such as Apple Pay or Samsung Pay opened up an entirely new way for users to pay for goods and services directly from their phones. Consumers enroll a debit or credit card in the app, usually by taking a photo of it or entering all of the card data, and then use the app to make payments. Users can make the payments either in-app or wirelessly through terminals in stores. Security researchers have studied the NFC technology that enables the wireless payments closely in the last few years and have identified a number of flaws, which have been fixed.
However, there are other avenues through which criminals can take advantage of mobile wallet systems to steal card information or money from users’ accounts. The weakest point in the mobile wallet ecosystem is the card enrollment process. If someone has physical access to a card or has the card information–perhaps from a dump from a data breach–he can probably find a way to enroll that card in his own mobile wallet app, even if the names don’t match. Earlier this year, David Dewey, director of research at Pindrop Labs, revealed research that showed he was able to bypass the authentication checks in Apple Pay and enroll cards that didn’t match the name on his Apple ID.
Much of the authentication in these systems is on the shoulders of the issuing bank. And each institution has its own methodology for checking a user’s identity when enrolling a card. Some will send the cardholder a text with a short code, while others will send an email or ask the user to answer knowledge-based authentication questions. An attacker often can find the answers to KBAs on a victim with a Google search.
“Apple is going to provide some information to the issuer when you enroll that card and it’s up to the issuer to decide how much of that information they want to pay attention to,” Dewey said at the time. “How hard is it to sidestep that enrollment flow?”
While Dewey had success getting around these obstacles, many of the affected financial institutions changed their processes after his research to make fraud more difficult. Banks benefit from the popularity of mobile wallets because it makes it easier and more convenient for consumers to use their cards. But they also understand the risks involved in the enrollment process. A full 28 percent of executives at financial institutions said mobile wallet-related fraud is a major issue for them in their call centers, according to data from the Aite Group.
“Mobile wallet-related issues typically arise in one of two ways. First is the card registration process to associate a particular debit or credit card with the mobile wallet. This process can be rife with fraud unless strong authentication processes are followed to ensure the customer who owns the card is the one registering it for use. Second are the disputed transactions associated with a mobile wallet,” the Aite Group report says.
Fraudsters are resourceful, clever, and persistent, and when new technologies come online, they will invest time and effort to find a way to abuse them. Mobile wallets are no different, and as the use of these systems continues to expand, banks and card issuers will need to find new ways to respond to the techniques that fraudsters are developing to take advantage of them.
Image: iphonedigital, CC By-Sa license.