Does Mobile Payment Put You At Risk For Fraud?
Starbucks has been making the wrong kind of headlines lately thanks to a string of security breaches involving the accounts of its mobile app users. The hackers drained money from users’ accounts and transferred the balances over to fraudulent gift cards. As the Starbucks app is often held up as an example of a successful mobile payment application, it raises the question: do mobile payments expose merchants and customers to fraud?
To be sure, all transactions carry with them a risk of fraud. Cash, which has been counterfeited for centuries, is no exception. The question is whether mobile payments expose merchants and/or customers to an unacceptably high risk of fraud.
What Went Wrong with the Starbucks App
The Starbucks mobile app allows users to “load” a virtual gift card with an in-app purchase. Think of it as buying Starbucks currency on a 1:1 basis. The virtual card’s QR code is then scanned at POS to make the purchase, and money is deducted from the card. Technically, the sale was made in advance of the scan; the Starbucks clerk is just decrementing credit from the customer’s account.
The vulnerability the hackers exploited was in the password login. Because the app does not lock a user’s account even after multiple incorrect password attempts, hackers were able to use brute-force techniques to get around the password protection. On accounts with auto-reload enabled, fraudsters were able to steal continuously.
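The missing control described above is an account lockout. The sketch below is an added example, not code from Starbucks or from the original article: it counts failed logins per account and locks the account for a doubling interval once a threshold is reached. The thresholds, the `verify` callback and the constructed 4-digit password are all assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_FAILURES = 5          # assumed: failures allowed before the first lockout
BASE_LOCK_SECONDS = 60    # assumed: first lockout window, doubled on each further failure
MAX_LOCK_SECONDS = 3600   # assumed: upper bound on a single lockout window

@dataclass
class _State:
    failures: int = 0
    locked_until: float = 0.0

class LoginThrottle:
    """Per-account failure counter with exponentially growing lockout."""
    def __init__(self, verify):
        self._verify = verify   # callable(user, password) -> bool, supplied by the caller
        self._state = {}

    def attempt(self, user, password, now):
        st = self._state.setdefault(user, _State())
        if now < st.locked_until:
            return "locked"     # rejected without ever checking the password
        if self._verify(user, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            doublings = st.failures - MAX_FAILURES
            lock = min(BASE_LOCK_SECONDS * 2 ** doublings, MAX_LOCK_SECONDS)
            st.locked_until = now + lock
        return "denied"

def guesses_checked(throttle, user, guesses, seconds_between=1.0):
    """Replay a run of guesses; return how many were actually checked."""
    checked, now = 0, 0.0
    for guess in guesses:
        result = throttle.attempt(user, guess, now)
        if result != "locked":
            checked += 1
        if result == "ok":
            break
        now += seconds_between
    return checked

if __name__ == "__main__":
    pins = [f"{i:04d}" for i in range(10000)]            # constructed guess list
    throttle = LoginThrottle(lambda u, p: p == "7731")    # constructed password
    print(guesses_checked(throttle, "alice", pins))
```

A lockout keyed only on the account lets anyone lock a real customer out by failing on purpose, so deployments usually pair it with per-source rate limits and a recovery path.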
While the Starbucks app speaks to some alarming vulnerabilities around in-app purchases, it’s not a great example of either the strengths or vulnerabilities of mobile payment technology.
NFC Security Features
Apple Pay and Google Wallet are very different animals than the Starbucks app. These payment systems use near field communication (NFC) to allow two pieces of hardware (the customer’s mobile device and the merchant’s POS terminal, typically) placed within centimeters of each other to communicate.
These payment systems have additional security features not found on the Starbucks app, hardening them against both hardware and software-based fraud. Apple Pay requires customers to unlock their phone with a passcode and then scan their fingerprint to approve transactions at POS, making hardware theft alone insufficient for fraud–thieves would need to also obtain the passcode and clone the user’s fingerprints. Traditional magnetic strip credit cards can’t say the same.
The software protection is a little more complex. Apple Pay does not actually store credit card information on the mobile device or on Apple servers. Instead, “token” information is substituted for the credit card information during the sale. A new, randomized token is generated for each sale, making the tokens themselves not very useful for hackers.
Claims that Apple Pay is immune from fraud are a bit overly optimistic, however. While credit card information isn’t exchanged at POS or stored on the mobile device, users still need to enter credit card information during the initial account setup. This information can be harvested by traditional malware that exploits bugs in the iOS operating system. Thieves can then link that credit card to their own device and make fraudulent purchases through Apple Pay. Apple has blamed this security flaw on the card-issuing banks who it claims failed to effectively verify the user identities when cards are linked to Apple Pay.
NFC and EMV Security Standards
The emergence of NFC payments happens to coincide with the credit card liability shift rolling out in America in October 2015. The liability shift is designed to combat America’s roughly $15 billion in annual credit card fraud by encouraging credit card companies and merchants to upgrade the security features of their cards and terminals, respectively.
Credit cards will upgrade according to the Europay, Mastercard, and Visa (EMV) standards. EMV credit cards are outfitted with a chip similar to the one used in Apple Pay transactions that generates a random, one-time token at POS. The current magnetic strip system uses a static value tied to the strip, so fraudsters need only clone that information to make a dummy credit card. Customers then verify the purchase with a PIN or signature. There’s some debate over the best way to verify customer ID at POS, with American credit card companies seeming to favor signature verification (claiming ease of customer use), even though it is traditionally vulnerable to forgery, not to mention natural variations in how a person may sign their name.
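Why a one-time value at POS resists cloning while a static strip value does not, as an added example that is not part of the original article. It is a simplified model built on a transaction counter and an HMAC, not the actual EMV or Apple Pay algorithm; every class name, the key and the strip data are constructed for illustration.

```python
import hashlib
import hmac
import secrets

class StaticStripIssuer:
    """Magnetic strip model: one stored value authorizes every sale."""
    def __init__(self, strip_value):
        self._strip_value = strip_value

    def authorize(self, presented):
        return hmac.compare_digest(presented, self._strip_value)

class ChipCard:
    """Chip model: the key stays on the card; each sale gets a fresh code."""
    def __init__(self, key):
        self._key = key
        self._counter = 0

    def sign_sale(self, amount_cents):
        self._counter += 1
        msg = f"{self._counter}:{amount_cents}".encode()
        return self._counter, hmac.new(self._key, msg, hashlib.sha256).hexdigest()

class ChipIssuer:
    def __init__(self, key):
        self._key = key
        self._last_counter = 0

    def authorize(self, counter, amount_cents, code):
        if counter <= self._last_counter:
            return False                  # counter already seen: a replayed code
        msg = f"{counter}:{amount_cents}".encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(code, expected):
            return False                  # code was not made for this counter and amount
        self._last_counter = counter
        return True

def replay_results():
    """Present each credential twice, as a copy captured at POS would be."""
    strip = b"constructed-strip-data"     # constructed sample value
    static_issuer = StaticStripIssuer(strip)
    key = secrets.token_bytes(32)         # shared by card and issuer in this model
    card, issuer = ChipCard(key), ChipIssuer(key)
    counter, code = card.sign_sale(450)
    return {
        "strip_first": static_issuer.authorize(strip),
        "strip_replayed": static_issuer.authorize(strip),
        "chip_first": issuer.authorize(counter, 450, code),
        "chip_replayed": issuer.authorize(counter, 450, code),
        "chip_reused_for_new_sale": issuer.authorize(counter + 1, 9900, code),
    }
```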
Merchants, on the other hand, are encouraged to upgrade to EMV terminals. The party who did not make the security investment, if any, will be held liable for fraud after the October shift. If both or neither party involved in the transaction has made the upgrade, liability is determined the same way it was prior to the shift.
The good news for merchants is that the security technology in NFC and EMV payments uses the same communication protocol, so a careful investment in an EMV terminal should include the ability to conduct NFC payments at little extra cost.
Card-Not-Present Fraud
The UK, Australia, and France all saw an increase in fraud involving transactions where the card was not present (CNP transactions) in the years following EMV adoption, suggesting that EMV security features were effective at discouraging the use of counterfeit and stolen cards at POS.
Since NFC mobile wallets meet the EMV standard, they’re considered card-present transactions when they are used at EMV terminals. When used to make online purchases, however, they are considered CNP transactions. Verifying the customer’s identity during CNP transactions will likely become more important than ever as thieves turn their attentions to lower-hanging fruit.
It should be noted that, currently, QR-code transactions don’t fall into this paradigm as a credit card is not charged at POS–the main NFC competitor, CurrentC, links directly to a bank account and store-specific apps pre-load credit via in-app purchases.
Chargebacks
Chargebacks are a reversal of funds via a credit or debit card that can cost merchants in processing fees. Whether the transaction is conducted through NFC or EMV, a credit or debit card will typically be charged for the sale. That means the process of resolving a mobile payment chargeback will look a lot like that of a plastic card transaction.
There are numerous reasons a chargeback may occur, and payment with a fraudulent mobile account is among them. At minimum, the retailer will typically be charged a $20 non-refundable processing fee, and the funds from the transaction may be withheld until the dispute is finished.
Note that the previously mentioned liability shift will affect who is considered responsible for the fraudulent charges that trigger the chargeback.
Takeaway on Mobile Payment Security Issues
Despite some vulnerabilities in the setup stage–that can be addressed with more aggressive CNP identity verification on the part of issuing banks–mobile NFC payments meet the enhanced security standards of EMV plastic. These features, if adopted by the merchant, make it less likely that the retailer will be held liable on chargebacks or mobile payment fraud. On the other hand, vulnerabilities due to the negligence of customers or issuing banks can result in unwanted chargeback arbitration similar to what merchants are experiencing under the current system.