The risks associated with mobile payments and their anti-fraud solutions - Security Park
(28/09/2009)

Juniper Research recently forecast that NFC (Near Field Communication) Payment transactions will significantly grow from values of $8bn in 2009 to $30bn within three years. Such offerings are set to reach the UK commercial market later this year.

The Government recently announced new safety guidelines, which include disabling the payment functionality of a mobile as soon as a fraudulent payment occurs and verifying any transaction above the maximum contactless payment threshold – currently £10 – by additional security measures such as a PIN code. If a large number of smaller payments are noted in quick succession, these will also require verification in a bid to prevent criminals abusing contactless mobile payments. But are they really going to stop mobile payment fraud?

Ori Eisen, Founder and Chief Innovations Officer at 41st Parameter, highlights some of the risks, as well as anti-fraud solutions, associated with mobile payments:

"With any new payment form, the threat of fraud lingers. The increased use of mobile devices as alternatives to cards offers an additional layer of protection to merchants and added convenience to consumers, making it appear as a win-win in the fight against fraud. But beneath the surface, concerns lurk that could potentially expose consumers to an old breed of fraud designed to exploit this new technology.

"Social engineering by unscrupulous shopkeepers can easily break the PIN layer protection required for purchases over £10. Examples include: asking a customer for their PIN due to “technical problems” at the point of sale (POS), and “keyvsdropping” – filming or eyeballing the PIN key during the checkout process for later use.

"But without the physical device one might ask “what good is having only a PIN?” Mobile phone cloning has been around since the early 1990s. Cloning involves modifying or replacing the EPROM in the phone with a new chip which allows you to configure an ESN (Electronic Serial Number) via software. You also must change the MIN (Mobile Identification Number). When you have successfully changed the ESN/MIN pair, your new phone is an effective clone of another phone. Mobile users must be vigilant with their phones - so as not to allow this new payment form to become the same card skimming/cloning game simply replayed with new pieces.

"A secure approach to Mobile Payments would be to utilise device intelligence gathered at the POS. Much like the way online Card-Not-Present transactions can use device fingerprints to validate the likelihood a device belongs to - or more importantly, doesn’t belong to - a legitimate account holder, merchants collaborating could vet out known bad or risky mobile devices. Furthermore, using a combination of the many signals sent from mobile devices - an outbound call, SMS, Bluetooth, GPS, etc - provides an additional source for authentication.

"Looking forward, a consortium of merchants working with credit issuers would allow for instantaneous recognition of a PIN attempting to transact with mismatched devices, protecting the merchants from merchandise loss and issuers from chargeback loss. As for petty theft, there will surely be instances of stolen phones used for small purchases, then discarded. The real challenge is stopping professional thieves from exploiting the mobile payment channel, including the proliferation of dedicated m-commerce sites or dotMobis.

"The key to supporting the continued adoption and acceptance of mobile devices as forms of payment and for transacting online is to treat them like any other portal to the business. Layers include user name and password, PIN numbers, device intelligence and behavioral analysis to protect both online and offline assets. The lines are blurring between personal computers and mobile devices.

"As with cash, credit cards/debit and gift cards, it is now as important to treat your mobile device in the same manner – keep track of it at all times."
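
The guideline rules described at the top of the article (PIN above the £10 limit, PIN after a burst of small payments, disabling on fraud) and the device-mismatch check Eisen proposes can be combined into one authorisation decision. The sketch below is an added example, not code from Security Park or 41st Parameter; the window length, tap count, account model and device identifiers are assumptions, since the article gives only the £10 figure.

```python
from collections import deque
from dataclasses import dataclass, field

PIN_THRESHOLD_PENCE = 1000  # the £10 contactless limit quoted in the article
VELOCITY_WINDOW_S = 600     # assumed meaning of "quick succession": 10 minutes
VELOCITY_MAX_TAPS = 3       # assumed meaning of "a large number" of small payments

@dataclass
class Account:
    enrolled_device: str    # device fingerprint registered for this account
    disabled: bool = False  # set when a fraudulent payment is reported
    recent: deque = field(default_factory=deque)  # times of recent no-PIN taps

def report_fraud(acct):
    """Guideline: disable payment functionality once fraud occurs."""
    acct.disabled = True

def authorise(acct, device_id, amount_pence, now, pin_ok=False):
    """Return 'DECLINE', 'PIN_REQUIRED' or 'APPROVE' for one tap at the POS."""
    if acct.disabled:
        return "DECLINE"
    # A correct PIN presented from a device not bound to the account is the
    # mismatch the article wants recognised. A cloned identifier would pass
    # this single check, hence the article's call to combine several signals.
    if device_id != acct.enrolled_device:
        return "DECLINE"
    while acct.recent and now - acct.recent[0] > VELOCITY_WINDOW_S:
        acct.recent.popleft()  # forget taps that fell out of the window
    over_limit = amount_pence > PIN_THRESHOLD_PENCE
    too_fast = len(acct.recent) >= VELOCITY_MAX_TAPS
    if over_limit or too_fast:
        if not pin_ok:
            return "PIN_REQUIRED"
        acct.recent.clear()  # a verified PIN resets the velocity counter
    else:
        acct.recent.append(now)
    return "APPROVE"

def demo():
    """Replay constructed taps (device, pence, seconds, pin_ok) on one account."""
    acct = Account(enrolled_device="dev-A")
    taps = [("dev-A", 500, 0, False), ("dev-A", 1500, 10, False),
            ("dev-A", 300, 20, False), ("dev-A", 300, 30, False),
            ("dev-A", 300, 40, False), ("dev-A", 300, 50, True),
            ("dev-B", 300, 60, True)]
    return [authorise(acct, *t) for t in taps]
```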
