Mobile payments are booming. According to research published earlier this month by Visa, the number of consumers regularly using a mobile device such as a smartphone, tablet or wearable to make payments has tripled since 2015, rising from 18 per cent to 54 per cent.
Unfortunately, but not surprisingly, mobile payments fraud is also growing rapidly. In the United States although mobile payments account for 14 per cent of transactions among merchants who accept them, they make up 21 per cent of fraud cases, according to a survey of around 1,100 companies published in January by risk management consultancy LexisNexis Risk Solutions.
“With mobility changing everything we do as humans, especially the way we bank and pay, cyber crime has fully migrated to the mobile platform, with all the threats we know from the PC in tow,” says Limor Kessem, executive security adviser at IBM Security Systems. “Despite storing large amounts of personal information on their devices, most people don’t implement even the most basic security countermeasures on their smartphones.”
According to Salvatore Sinno, chief security architect at Unisys, mobile devices are more susceptible to loss or theft than desktops and tablets. “At the same time users have the tendency to use these devices in a more personal and confidential way,” he says.
“On the technical side, the security controls and the tools available are still evolving and are limited by processing power and battery life. Moreover, by their intrinsic nature, mobile payment systems rely on wireless carrier infrastructure, which are open and designed to ‘share’ and interoperate connection, not designed with security in mind.”
As with other areas of financial technology banks and technology companies are working hard to stay ahead of the fraudsters. Passwords are unpopular with consumers and are not even particularly secure. The challenge now is to improve security while ensuring that performing transactions is quick and easy.
Transactions incorrectly declined by banks annoy consumers and lose money for merchants, points out Ajay Bhalla, president of enterprise risk and security at MasterCard, which earlier this month announced the European rollout of Identity Check Mobile, a new payment technology application that uses biometrics such as fingerprints or facial recognition to verify a cardholder’s identity.
“We take a multi-layered approach that involves biometrics in conjunction with other technology,” he says. “We want the customer experience be very smooth and convenient every time they use their device.”
Fraud isn’t at point of sale, it’s at the account-opening stage, according to Mitek, a company that provides visual and biometric identification for the onboarding of accounts to more than 5,200 financial institutions. “If you’re confident in the identity of the person who owns the account then you should be relatively safe from fraud,” says Sarah Clark, Managing Director, Identity. “The problem is that currently far too many people are simply unable to make their way through the verification processes on their mobile device.”
Among other security innovations, Gemalto, a digital security company, has developed what it calls Dynamic Code Verification. This allows issuers to replace the static three-digit visual cryptogram traditionally used for online purchases with a verification code displayed on the customer’s mobile that changes every 20 minutes, thereby limiting the time for fraud to occur. Nationwide Building Society introduced fingerprint logins to its new banking app this summer and, in the first month, produced an increase in usage of the app of more than 10 per cent, with millions of additional logins.
Already developers are ensuring that data on mobile is deeply hidden, often tokenised, in other words encrypted, and safer from theft in a way that cash or a payment card in a customer’s hand or a PIN code typed into a payment terminal can never be, explains Dennis Jones, chief executive at mobile payments provider Judopay.
“It’s just that much harder to steal your phone and your thumb print,” he says. “Yet additional layers of mobile-specific security, which track unique devices and react to unusual activity, need to be scaled across mobile commerce to avoid fraudsters trying to trick the system by changing SIM cards or using different accounts on the same device.”
VocaLink, a UK-based payments systems company, has launched a Pay by Bank app. Already in use by Barclays Pingit customers, it allows people to make instant payments from within their existing trusted mobile banking app, directly from their account, without the information ever leaving their bank.
“This adds the layer of security needed for consumers as you authorise every payment individually, without the hassle of inputting the data required, via a payment technology that prevents certain types of online payment fraud from ever happening,” says Liam Spence, head of product at Pay by Bank.
Veridu, which was founded in 2014 and now has backing from Worldpay, asks consumers to sign into their social media to verify their identity when a transaction has been flagged up.
Biometrics combined with geolocation and data analytics can start making a difference in reducing fraud significantly
According to recent research from financial technology firm Intelligent Environments, 25 per cent of consumers would like their bank to introduce biometric security, to avoid the need for them to remember a number of passwords. In addition, only 23 per cent trust traditional passwords or passcodes over biometric authentication.
“However, the traditional banks have been slow to incorporate biometric technology within their mobile banking and payment facilities, largely due to difficulties updating ageing infrastructure,” says Intelligent Environment’s chief technology officer Clayton Locke.
Instead of passwords, challenger bank Atom is employing face and voice recognition technology, the kind of biometric software used at airports and border controls. Once a customer’s identity credentials are registered, including their face, voice and passcode, they can choose how they want to login to the Atom app. They can then present their face to view their balance or say a few words to transfer money.
Biometrics combined with geolocation and data analytics can start making a difference in reducing fraud significantly, believes Jitin Goyal of financial technology product provider Polaris Consulting. “But we’re just now seeing the evolution of these technologies and they will take anywhere between two to five years to mature,” he says.
Research published by Deloitte in September shows that 21 per cent of all smartphone users in the UK are now using their fingerprints for a range of authentication-based applications, including approving transactions. Some 76 per cent of those with a fingerprint scanner use it and it’s by far the most popular biometric identifier used by smartphone owners.
Hannah Maundrell, editor in chief of money.co.uk, says: “Security is still the biggest worry and it does put people off despite phone companies giving us assurances it’s safe. It’s a new technology though and the more widely accepted it becomes, the more people will say goodbye to cards in favour of a wave of their handset.”
Mr Sinno at Unisys believes the industry should consider a simple customer education programme on security that addresses issues such as the structure of strong passwords and ensuring customers’ devices lock after a certain period. “The importance of updating their operating system and applications must be stressed, as well as other issues such as the dangers of a ‘jail-broken’ device, and the implementation of encryption and anti-virus software whenever possible,” he says.
Ms Maundrell advises consumers to keep a keen eye on their statements so that if they can spot any transactions they don’t recognise, they can take action quickly – sound advice however sophisticated anti-fraud mobile payments technology becomes.