Slideshow 6 Smartphone-Based Fraud Tactics

  • August 28 2015, 9:59am EDT

The smartphone can add significant security to payments, but it is also a tool that fraudsters can exploit. Researchers and scammers have already found several unique attacks that rely on mobile devices.

Facial Farce

There is a lot of attention around using facial recognition with mobile devices, such as MasterCard's SelfiePay and Alibaba's Smile to Pay. These systems typically require the user to blink to prove that they are not a fraudster holding up a still photograph, but a Popular Science writer was able to fool this type of system with a video of himself blinking.

Heat of the Moment

For a mere $150, fraudsters can buy an iPhone add-on directly from the Apple Store that can be used to learn other people's PIN codes. The gadget, a thermal imaging device, can perform the Hollywood-style miracle of detecting which keys a shopper pressed and in what order. At least one American lock maker is concerned enough about this threat to implement a countermeasure: heated PIN pads that keep all keys at the same temperature.

Mobile Wallet Miscommunication

Wallet apps like Apple Pay add tokenization, EMV and fingerprint ID when they enroll a card, but the enrollment process can still be exploited. Fraudsters were quick to discover this weak link when Apple Pay first launched, but issuers can guard against this tactic by using nontraditional challenge questions during enrollment. "Don't treat it like a card activation," a Fifth Third banker warned other issuers. "If you do it like that you're gonna get burned."

Sloppy Settings

The 2012 version of Google Wallet used a PIN to protect the use of any funds attached to the included stored-value account, but it wasn't necessary to crack the PIN to drain this account. The app's settings menu could be exploited to gain access by simply wiping the user's Google Wallet settings — and deleting the PIN in the process.

Mobile Malware

The stringent rules governing mobile app stores have lulled people into a false sense of security when it comes to running mobile software. Apple's "monoculture" even works against it in this regard, one expert warns. "Because Apple controls their environment strictly, when you find a vulnerability in the iOS space, once you've got it, you've got it everywhere."

Smaller Skimmers

Early versions of the Square mobile card reader lacked encryption, leading its rival Verifone to claim that Square's device could be misused as a low-cost card skimmer. Though Square has since improved its security, the allegation resurfaced this year when three Boston University grad students found a way to disable the encryption. The Square app is designed to detect and block payments made through a modified reader, but the device could still be used as a skimmer without connecting it to the Square app.