Let’s talk about security and fraud in mobile payments

October 21, 2012 by Cherian Abraham

Cherian Abraham - Experian Global Consulting PracticeI'm here in Vegas at the Mobile2020 conference and I am fascinated by my room key. This is not the usual “insert in to the slot, wait for it turn green or hear it chime” key cards, these are “tap and hold to a door scanner till the door opens” RFID key card. It is befitting the event I am about to attend – Money2020 – the largest of its kind bringing together over 2000 mobile money aficionados, strategists and technologists from world over for a couple of days to talk about how payment modalities are shifting and the impact of these shifts to existing and emerging players. Away from all the excitement of product launches, I hope some will be talking about one of the major barriers for consumer adoption towards alternate payment modalities such as mobile – security and fraud.

I was in Costa Mesa last week and in the process of buying something for my wife with my credit card, triggered the card fraud alert. My card was declined and I had to use a different card to complete my transaction. As I was walking out, my smartphone registers a text alert from the card issuer – asking me to confirm that it was actually I who attempted the transaction. And If so, Respond by texting 1 – if Yes Or 2 – if No. All good and proper up till this point. If someone had stolen my card or my identity, this would have been enough to stop fraud from re-occurring. In this scenario the payment instrument and the communication device were separate – my plastic credit card and my Verizon smartphone. In the next couple of years, these two will converge, as my payment instrument and my smartphone will become one. At that point, will the card issuer continue to send me text alerts asking for confirmation? If instead of my wallet, my phone was stolen – what good will a text alert to that phone be of any use to prevent the re-occurrence of fraud? Further if one card was shut down, the thief could move to other cards with in the wallet – if, just as today, there are no frameworks for fraud warnings to permeate across other cards with in the wallet. Further, fraud liability is about to shift to the merchant with the 2013 EMV Mandate.

In the recent years, there has been significant innovation in payments – to the extent that we have a number of OTT (Over the Top) players, unencumbered by regulation, who has been able to sidestep existing players – issuers and card networks, in positioning mobile as the next stage in the evolution of payments. Google, PayPal, Square, Isis (a Carrier consortium formed by Verizon, T-Mobile and AT&T), and a number of others have competing solutions vying for customer mind share in this emerging space. But when it comes to security, they all revert to a 4 digit PIN – what I call as the proverbial fig leaf in security. Here we have a device that offers a real-time context – whether it be temporal, social or geo-spatial – all inherently valuable in determining customer intent and fraud, and yet we feel its adequate to stay with the PIN, a relic as old as the payment rails these newer solutions are attempting to displace.

Imagine what could have been – in the previous scenario where instead of reaching for my card, I reach for my mobile wallet. Upon launching it, the wallet, leveraging the device context, determines that it is thousands of miles away from the customer’s home and should score the fraud risk and appropriately ask the customer to answer one or more “out-of-wallet” questions that must be correctly answered. If the customer fails, or prefers not to, the wallet can suggest alternate ways to authenticate – including IVR. Based on the likelihood of fraud, the challenge/response scenario could include questions about open trade lines or simply the color of her car. Will the customer appreciate this level of pro-activeness on the issuer’s part to verify the legality of the transaction? Absolutely. Merchants, who so far has been on the sidelines of the mobile payment euphoria, but for whom fraud is a real issue affecting their bottom-line, will also see the value.

The race to mobile payments has been all about quickly shifting spend from plastic to mobile, and incenting that by enabling smartphones to store and deliver loyalty cards and coupons. The focus need to shift, or to include, how smartphones can be leveraged to address and reduce fraud at the point-of-sale – by bringing together context of the device and a real-time channel for multi-factor authentication.

It’s relevant to talk about Google Wallet (in its revised form) and Fraud in this context. Issuers have been up in arms privately and publicly, in how Google displaces the issuer from the transaction by inserting itself in the middle and settles with the merchant prior to firing off an authorization request to the issuer on the merchant’s behalf. Issuers are worried that this could wreak havoc with their inbuilt fraud measures as the authorization request will be masked by Google and could potentially result in issuer failing to catch fraudulent transactions. Google has been assuaging issuer’s fears on this front, but has yet to offer something substantial – as it clearly does not intent to revert to where it was prior – having no visibility in to the payment transaction (read my posthere). This is clearly shaping up to be an interesting showdown – would issuers start declining transactions where Google is the merchant of record? And how much more risk is Google willing to take, to become the entity in the middle?

This content is a re-post from Cherian's personal blog:http://www.droplabs.co/?p=625