The mobile channel can facilitate nearly any type of consumer payment, often with greater convenience than before. This has attracted a growing legion of dedicated users, yet wherever legitimate payments begin to flourish, fraud is soon to follow — and mobile payments fraud is no exception.
With criminals’ aptitude for digital-oriented fraud rising and pressure in other channels forcing them to find new targets, mobile payments fraud will experience a rise that most stakeholders are simply unprepared for – according to Al Pascual, Senior Vice President, Research Director and Head of Fraud & Security at Javelin.
Mobile payments are a veritable drop in the ocean compared with payments in more traditional channels, but the volume of mobile retail payments is nothing to scoff at. While US consumer payments are a massive figure at $4 trillion, mobile retail payments will still exceed $220 billion in 2017 — a value with more than enough zeros to attract the attention of fraudsters in search of a payday.
This is in addition to the billions of dollars in transactions conducted through mobile P2P payments, which are expected to converge with other forms of mobile payments as part of the same mobile apps, creating even higher profile targets for criminals.
Securing the enrollment and use of mobile payment apps will be critical to managing the risk of mobile payments fraud. Unfortunately, criminals’ methods and skills are evolving more quickly than the controls that are being put in place to protect mobile payments and underlying accounts.
In fact, numerous vulnerabilities in mobile payment apps remain unaddressed, making them easy targets for fraudsters who have honed their skills. Here are two current examples:
- Mobile wallets where the identification and verification (ID&V) process remains dependent on the same weak forms of authentication responsible for early Apple Pay fraud incidents.
- Mobile P2P apps where the time differential between a recipient being notified of a payment and the account actually receiving that payment is being misused to defraud victims of goods and services.
Mobile technology is even making check fraud an attractive proposition again for fraudsters, especially those seeking alternatives to counterfeiting payment cards in a post-EMV market. For many criminals, mobile remote deposit capture presents a low-risk opportunity to return to a fraud that they have already mastered.
Implication: Rising mobile payments fraud will turn key stakeholders against financial institutions (FIs)
As mobile payments fraud becomes more common, FIs run the risk of being caught flat-footed and even making matters worse through their response, leading to unwanted attention from regulators and consumers.
More specifically, unaddressed vulnerabilities in existing mobile payment products will draw the ire of regulators who will scrutinize new high-profile failings on the part of FIs. Undoubtedly, as fraudsters take over accounts using compromised credentials, many FIs will respond with tighter controls.
This in turn will contribute to an increase in false-positive declines during mobile retail transactions, along with less generous funds availability policies for mobile remote deposit capture and mobile P2P transactions, which will negatively affect the user experience.
- FIs should assess their mobile security readiness against Mobile Financial Services guidance.
- Strengthen authentication in mobile banking and payments by eliminating passwords and knowledge-based authentication.
- Engage customers by educating them on mobile threats and by offering alerts that empower them to detect mobile payments fraud quickly.