Mobile security remains a mixed bag
CHICAGO — Despite recent scrutiny of mobile point of sale devices, the mobile payments category as a whole has generally carried a promise of initiating a safer transaction through the use of biometrics, device ID, geolocation and other factors.
But these devices also shed many of the security methods that have long been used in e-commerce, resulting in plenty of headaches for security teams.
“Fraudsters will stick to where they succeed, and they can succeed more in mobile than in a desktop environment,” said Rafael Lourenco, executive vice president and partner at Clear Sale, a fraud prevention company. “There is a struggle to prevent fraud and defend mobile because it can be a card-not-present environment.”
Several factors make mobile an interesting target for fraudsters, Lourenco said Wednesday during the annual Mobile Payments Conference.
First, because they are built for speed and seamless experiences for consumers, mobile payments tend to have fewer data points, like customer phone numbers or addresses, for merchants and banks to track. The same factors create the need for effective real-time risk decisions, a capability not all merchants have, Lourenco said.
“And mobile payment transactions tend to be low-value, making them easier for different types of fraud,” he added.
Still, progress in biometric authorization, along with the potential for that technology and far more data to move along the networks’ 3-D Secure 2.0 rails, will make digital payments safer in the near future.
“The advancement of 3-D Secure will help reduce costs and fraud levels,” said Marianne Crowe, vice president of payment strategies at the Federal Reserve Bank of Boston. “In using those tools, we will see a much better risk authentication process that will still not disturb the customer.”
Banks are projecting that only 5% or fewer of consumers would be interrupted during a transaction to provide more information to approve a mobile or online transaction, Crowe added.
Mobile is already bringing a more secure environment to the restaurant industry with mobile card readers and other technologies at the tables. Without that advancement, the door is open for various fraud attempts when a server carries away a diner’s card to take a payment.
A photo of the card number and security code can easily be taken when it is out of the owner’s sight, said Frank Kerr, chief sales officer at TableSafe, a pay-at-the-table platform provider. “It is also very easy for someone to turn a $5 tip written on a receipt into a $6 tip, and will the cardholder remember what the tip was when seeing a statement later?” Kerr asked.
Mobile has likely made the most security advancements in creating fraud alerts for cardholders, and developing two-way chat with the bank to discuss potential fraudulent transactions on accounts, said Craig Winter, senior director of project management mobile at Syniverse, which specializes in mobile network safety.
“If a text message to a cardholder does not work at the time of a transaction, mobile can also move to other channels, making it an omnichannel approach to security,” Winter said.
Ultimately, a mobile wallet can’t authorize itself, and few have entirely risk-free safeguards in place.
Fraudsters are constantly thinking of ways to crack the mobile code — and some are surprisingly simple.
“When Apple Pay first came out, a fraudster would buy an iPhone and load stolen cards into it, and then use those stolen cards to buy more iPhones and add more cards,” said Michael Reitblat, CEO and co-founder of the payments security provider Forter.