With fraudsters gearing up to assault mobile wallets, U.S. financial institutions considering a bank-branded mobile wallet would be wise to take note of the lessons learned when Apple Pay made its debut in the fall of 2014.
In addition to some early glitches with double-charging on Apple Pay accounts, a serious concern emerged when it became clear that fraudsters were enrolling in Apple Pay with stolen accounts.
The trend caused banks little financial loss because transaction volume was low, but it exposed a weakness in mobile wallet enrollment processes and resulted in 112,000 consumers suffering account takeovers through mobile wallet fraud last year, according to a recent study from Javelin Strategy & Research.
Security is the top factor that 80% of consumers say they look for when considering which payment card to enroll in and consider as top of wallet, while less than 30% view being able to use the card in a mobile wallet as a key factor, said Al Pascual, research director and head of fraud and security for Javelin and author of the report.
As such, it makes no sense for banks to push mobile wallet enrollment as a quick process; instead, they should make it a high-security model with various authentication methods.
"The banks were feeling pressure to not be left behind with Apple Pay, so they signed on, and didn't have strong enrollment processes in place," Pascual said.
The mobile wallet fraud research released April 14 was based on Javelin interviews in the past year with 3,195 consumers with mobile devices and smartphones, a study with 5,111 general consumers and another with the top 20 card issuers in the U.S.
"The message behind this study is that the banks messed up with the Apple Pay enrollment, but they are responsible for that, and if they are doing their own wallets, take that lesson to heart and provide some real security," Pascual said.
Javelin predicts that by 2019, nearly 90 million wallet users will provide a valuable stream of interchange revenue and transaction data for wallet providers. So banks have to enter the mobile wallet game at some point, if they haven't already.
The migration to EMV chip cards at the point of sale may actually result in "a post-EMV fraud experience" related to mobile wallet fraud, Pascual said.
"Criminals for years have had counterfeit fraud at the POS down pat, but unlike the EMV shift in the U.K. more than 10 years ago, the U.S. now has mobile wallets to target instead," he added.
"There is going to be a tidal wave of pressure on these criminals to find alternatives, and the mobile wallet is going to be attractive," Pascual said.
In the survey with card issuers, seven reported they still rely on knowledge-based authentication during enrollment, mostly through a call center. In addition, five of these issuers rely on a one-time password as a means of confirming that the device to which a card is being provisioned is in the possession of the accountholder.
It will be more effective for banks and issuers to analyze the history of the cardholder, the account and the device during the enrollment process, even if it means bringing in a third-party provider for the service, the report stated.
Banks also need to make use of their physical channels, such as branches or ATMs, to act as a bridge to enrollment for mobile wallets for consumers who are less inclined toward technology.
For those who are tech savvy, part of the enrollment process can include social media channels or digital images from smartphone cameras, the report said.
"If a bank is rolling out its own mobile wallet, fraud will eventually find its way toward that mobile wallet and banking app," Pascual said.
In the past, Javelin has recommended banks combine a mobile banking app and a mobile wallet service to allow consumers to have all financial capabilities in one place. But such a scenario calls for an end to weak username and password authentication, Pascual added.
"Criminals can really go to town at your financial institution if they can figure out a username and password," Pascual said. "It is easy for them to try a password stolen from LinkedIn five years ago, and see if you haven't changed your other passwords."
Use of mobile anti-malware products is declining among smartphone users, from 41% in 2014 to 31% in 2015, the study said. In the meantime, fraudsters' malware is targeting mobile banking credentials. This does not bode well for the future if mobile wallets become integrated with mobile banking apps.
However, the sharing of information related to previous fraud in the financial industry is getting better, Pascual said. "Financial institutions are wanting to share information now, looking past competitive issues and working with legal issues to be able to do it."
Indeed, more security vendors are emphasizing data sharing between banks and merchants as a way to minimize friendly fraud, which remains a concern despite EMV and other security technologies in play.