Payments made via mobile platforms have exploded in recent years. Are you protected?

From July 2014 to July 2015, European consumers made 1 billion contactless payments. In the U.S., payments from mobile platforms are expected to grow 175% in just 5 years.

Mobile payments come with a unique set of fraud risks that businesses should be prepared to handle. Let’s take a look at just a few of them.

Mobile Payment Risks

Malware and account takeover are issues on a mobile platform just as they are on desktop machines. This could be even more of a problem as mobile users may believe that built-in biometrics like fingerprint scanning will protect their device 100%.

Technology like biometrics and Secure Element is certainly not bulletproof. Take Apple Pay’s provisioning fraud (aka Yellow Path) as an example where fraudsters used social engineering on their iPhones to trick banks into activating stolen credit cards.

Google and Samsung have added extra security to protect the integrity of data. However, they do not utilize a hardware implementation. As a result, Android's Host Card Emulation, Magnetic Secure Transmission (MST), and remote payment will likely be subject to even more attempts by fraudsters. Also, there are still the risks of malware and account takeover.

Another issue affecting fraud is readily available and inexpensive Android devices. We are seeing evidence of fraud rings using multiple low-priced Android devices to evade detection.

With the growth trend of mobile commerce and other mobile wallet functionality, like digital loyalty programs, we expect the fraud rate to increase in this area.

Real-World Mobile Fraud

At iovation, we work with some of the largest mobile payment systems, financial institutions and remittance companies, and continue to see fraud trends evolve through the mobile channel.

Recently, we helped one of our customers identify an account takeover attack using modified mobile devices. While this could have been done through web browsers, we identified 3 jailbroken iPads that were modified to mask the origin of transactions and hide the brute force identity attack.

A Mobile Payment Primer

The mobile payment world is divided into two types of transactions: proximity and remote. [1]

A proximity payment occurs at physical retailers when a device is in close proximity to the processing unit. Proximity payment options include Apple Pay, Android Pay, CurrentC/MCX, FeliCa (Japan), and Orange Cash (Europe). The three primary technologies behind proximity payments are NFC (Near Field Communication), which requires control of the Secure Element, QR Code, and MST (Magnetic Secure Transmission). [2]

Remote payment transactions are sometimes called e-wallet or digital payments. Both Apple Pay and Android Pay can also be used as remote payment methods. Other examples include nTrust, Venmo, and SnapCash. M-Pesa, which is well-known in Africa, is a hybrid option based on text messages and kiosks.

Surprisingly, QR Codes are still a major part of the mobile payment ecosystem. According to a “Consumers and Mobile Financial Services 2015” survey by the Federal Reserve, consumers still prefer to scan QR Codes versus tapping an NFC reader. In 2014, 31% (39% in 2013) paid via QR Codes and 22% (17% in 2013) via NFC. With the pending rollout of CurrentC/MCX in the U.S. and PowaTag UnionPay in China, we continue to see adoption of different payment methods.

Beyond Proximity Payments

Today, about 17% of U.S. consumers make purchases using a mobile device, but that number is growing fast. Still, challenges remain. Mobile commerce abandonment is at 97% [3], due in large part to the limitations of this payment method. With mobile payment access, m-commerce can directly integrate the “BUY” button with fewer clicks to get through the checkout process.

Come See Us at MPS

iovation will be at the 9th Annual Mobile Payment Innovations Summit February 10-11, where our very own Max Anhoury, VP of Global Partnerships, will help lead a panel discussion on how fraud prevention can benefit both your mobile users and your bottom line.