Mobile payments are here to stay, meaning consumers will leave their wallets and credit cards behind in favor of using their mobile devices to pay for everything from coffee to lawn care in increasing numbers.
And Javelin predicts that the value of mobile retail payments in the U.S. will exceed $220 billion in 2017 “…in addition to the billions of dollars in transactions conducted through mobile P2P payments, which are expected to converge with other forms of mobile payments as part of the same mobile apps, creating even higher profile targets for criminals.”
Of course, as the number, value and frequency of mobile payments increases, so too do the number and frequency of fraud incidents. The security lessons learned throughout the still ongoing transition from magnetic stripe credit cards to EMV chip-enabled cards showed an early uptick in online fraud, and current trends related to mobile payments show the same trend.
Security professionals should expect early and continued cases of mobile payments fraud as cybercriminals look to capitalize on security loopholes before they are discovered and patched.
Mobile payments fraud is already climbing steadily and every fraudulent $1 stolen actually costs up to $3.34, more than a fraudulent credit card swipe or browser-based transaction, according to
In addition to the hard-financial costs of fraudulent mobile payments, inertia by financial institutions hesitant to invest in best-in-class security and authentication can also have a damaging impact on reputation and consumer loyalty and can attract additional scrutiny from regulators.
So, what if financial institutions and other mobile payments providers could deploy strong identity and verification authentication to stop fraud on the mobile device before it happens? Fortunately, solutions exist to do just that, so why haven’t more financial institutions implemented them? The answer, again, comes down to perceived cost, but avoiding implementing a digital authentication and fraud prevention solution is a false economy when the true cost of fraudulent transactions is taken into consideration.
In its Future Trends for Digital Banking and Payments report, Javelin recommends financial institutions strengthen authentication by eliminating passwords and knowledge-based authentication, among other action items.
With regard to identity verification, solutions that facilitate a shift away from traditional password reliance offer the strongest level of identity verification. A permanent device ID is a way to identify a device and establish the first layer of trust. A mobile phone has thousands of unique identifying attributes that are part of the device itself and can be used to uncover and analyze risk factors that could lead to potentially fraudulent activities.
Having this insight provides financial institutions with the confidence they need to allow good consumers to transact with the least amount of friction, while at the same time, understanding devices with high-risk indicators so they can be challenged or denied outright to protect your organization.
What makes a permanent device ID permanent is the fact that it can survive an app uninstall/reinstall, as well as operating system upgrades. It also mitigates spoofing attempts. This lets financial institutions use the device itself as a trusted second factor (something you have), which is an important component of multifactor authentication (MFA). With a permanent ID, you can authenticate your trustworthy customers in a few invisible steps and risky devices can be challenged or stopped and blacklisted if they are associated with negative activity or fraud.
To mitigate the risk of threats from malware, a mobile fraud prevention solution with real time decisioning gives financial institutions the ability to detect whether a device is infected with malware before it transacts with an organization, and provides additional layers of verification if initial tests are not cleared, helping reduce friction at the point of sale for consumers, while still providing superior security.
One step involves scanning for specific malware signatures, as well as scanning for crimeware, a category of malware. Crimeware is a form of a malicious application typically used by criminals for the purpose of defrauding financial institutions, merchants or their customers using location spoofers, keyloggers, SMS forwarders and other tactics.
However, malware is not always caught by signatures, which is often the case when a new malware variant is released. A device therefore must also be scanned for suspicious behavior, for example, has the device been rooted or jailbroken, perhaps without the customer’s knowledge, or has the customer mistakenly loaded a malicious app?
Additionally, protecting the mobile device from malware and allowing it to still transact is important. To protect against a variety of attacks, end-to-end encryption from an application to the organization’s server is critical. Mobile wallet applications transmit a lot of very sensitive information: credentials, personal data, account information, transaction information, application information, and other details. If malware is running and has bypassed other detections, it is important to ensure this information can’t be decrypted, intercepted, or replayed and only the consumer within the application itself can read the messages.
As mobile payments continue to climb, mobile security and authentication solutions will cease to be a “nice-to-have.”
In the meantime, the case can be made that financial institutions prioritizing enhanced digital experience and reduced operational costs can’t afford to not to implement such solutions. Mobile payments is an emerging technology rife with opportunity that many players, including cutting-edge financial institutions and non-traditional players, are vying to capitalize on.
Both history and current trends show that along with the new opportunities, new risks will follow. There is no reason financial institutions should hesitate to grab their share of projected market growth as long as they ensure they and their customers are adequately protected.
