As Apple Pay grows in popularity and the novelty of it wears off, what comes next?
Unfortunately, it might just be fraud, according to Mary Ann Miller, senior director and fraud analytics executive at NICE Actimize.
Banks, which have been wrestling with other aspects of Apple Pay, must now turn their attention to proactively fighting fraud related to the popular payment vehicle. But if mobile payments are safe — certainly safer than magstripe payments — what’s the big deal?
“Fraud follows popularity and speed,” Miller told Bank Innovation yesterday. Fraudsters look for popular products, both because the potential rewards are greater in a wider field, and because of the challenge and attention that hacking popular products brings, Miller said.
The upside of mobile payments, as pointed out by Mario Shiliashki, senior vice president of emerging payments with MasterCard, is that multiple authentication methods are available, and a huge amount of data can be attached to each transaction. “Apple Pay is the first real market implementation of tokenization,” he said. “It is much more secure in terms of customer authentication than the swipe of a card.”
Banks can’t sit back and wait for fraud to find them, of course. They must be proactive. With regard to Apple Pay, Miller said banks must both evaluate the provisioning of cards to mobile, making sure it is done safely, and monitor the ongoing tokenized transactions. Most importantly, she said, all digital transactions must be viewed with a centralized approach and monitored from a central hub.
“Scoring and evaluating risk with a centralized view means transactions can be monitored across channels to make consistent risk evaluations,” Miller said. “This means a better experience and a safer experience for customers.” An example of a multi-channel transaction would be ordering an item in advance on one’s phone, and then presenting credentials to pick it up at the store.
In Asia, where mobile use is higher in certain markets and mobile payment use cases are more advanced, new kinds of fraud are being seen, Miller said. As users become accustomed to mobile commerce, they demand increased limits and functionality, and so the risk profile grows.
In the arms race between the good guys and the bad guys, outcomes are impossible to predict. Attacks targeting mobile, even iOS, are growing rapidly. To get ahead of this, Miller said, “banks need to get fraud hubs ready and connect the dots on digital channels.” The sophisticated fraudster, Miller said, “has a strong R&D budget; they’re definitely innovating. So as we innovate on the payments side, we need to innovate on the risk side. That’s what the fraudsters are doing. If we’re not innovating too, the cycle of protection can break down.”
Shiliashki agrees. “There is front-end innovation going on, at the restaurant and store, what the consumer experiences.” But that must be balanced, he said, by back-end innovation. He is more optimistic about the security mobile can provide, however, saying, “With mobile payments, we can marry security and convenience.”
It is, of course, still early days, and Apple Pay looks to be secure, but every system has its weaknesses, and fraudsters search for them relentlessly. “It begins as a game and a challenge,” Miller said. “Our overall experience is that with popular channels, fraudsters will find their way around authentication methods, and if it is scalable and vulnerable, that will be exploited.”
As payment methods change, attack vectors shift. As EMV use accelerates, fraud will shift to the more popular payment methods. For the moment though, as recent breaches indicate, magstripe fraud is on the upswing. The Home Depot fraud was perpetrated by fraudsters exploiting a third-party system that had limited access to the chain’s POS devices. “Fraud pops up like a virus,” Miller said. Merchants and associations need to work together to educate customers to limit risk exposure as much as possible.
While some payment methods are safer than others, unfortunately, the only safe bet is that nothing will be completely safe.