Buyer Beware! Despite tokenization, mobile payments are not bulletproof

Monday, August 17, 2015 - 15:57

Virtual Card Present - A New Breed of Mobile Credit Card Fraud 

As credit card fraud rises, ensuring the security of mobile payments is important for merchants and consumers alike. To combat fraud, the next generation of mobile payment platforms employ tokenization to create more secure mobile payments systems. While tokenization may reduce the susceptibility to mobile payment fraud, it is not bulletproof, leaving room for a new breed of credit card fraud. 

Tokenization is a process in which sensitive information, such as a credit card number, is replaced with a randomly generated unique token or symbol. Tokenization helps simplify a consumer’s purchasing experience by eliminating the need to enter and re-enter account numbers when shopping on mobile devices. Tokens benefit merchants too, by eliminating the need for them to store payment card account numbers. Merchants have decreased risk as they are not directly handling sensitive and regulated data. The result is overall increased transaction security and reduction in mobile payment fraud. 

For example, Apple Pay uses tokenization to ensure all personal account numbers (PANs) are replaced with randomly generated IDs, or tokens, that are then used to authorize one-time transactions. Although Apple Pay users upload credit card information to their devices, neither Apple nor retailers ever have direct access to this sensitive financial data. The security of the iPhone’s tokenization is further bolstered by the use of a biometric fingerprint that is stored on an isolated chip, separate from the token. 

Even with the use of tokenization, there remains a weak link in securing mobile payments: ensuring that a card is provisioned into the payment app for the legitimate cardholder, rather than a fraudster holding stolen card data. And criminals love a weak link. 

While Apple Pay’s use of tokenization coupled with the biometric authentication provides strong security, hackers are committing a new type of fraud by exploiting this weakness in user authentication. To circumvent tokenization (and biometrics), hackers have been loading iPhones with stolen card-not-present data to create Apple Pay accounts. This essentially turns the stolen credit card data back into a “virtual” physical card - à la Apple Pay.   

Responsibility for stopping this new type of fraud, Virtual Card Present (VCP) fraud, rests with the card issuers, who bear the burden of establishing that Apple Pay cardholders are legitimate customers with valid cards. Some banks have begun addressing user authentication by requiring customers to call to activate Apple Pay, so that their identities are verified before the card can be used from the device. 
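The following Python sketch is an added illustration, not Apple's, any issuer's or this firm's code, of the point above: the token hides the real card number from merchants, but proves nothing about who provisioned it, so the issuer gates activation behind an out-of-band verification step. The class and method names and the activation-code mechanism are hypothetical.

```python
import secrets
from dataclasses import dataclass

# Constructed illustration of issuer-side tokenization with a provisioning
# step-up gate (the "call to activate" control described above). Hypothetical.
@dataclass
class TokenRecord:
    pan: str                  # real card number; never leaves the issuer vault
    device_id: str            # token is bound to the device it was provisioned on
    active: bool = False      # True only after the cardholder has been verified
    activation_code: str = "" # delivered out of band (e.g. during the bank call)

class IssuerTokenService:
    def __init__(self, step_up_required: bool = True):
        self.step_up_required = step_up_required
        self.vault: dict[str, TokenRecord] = {}

    def provision(self, pan: str, device_id: str) -> tuple[str, str]:
        """Replace the PAN with a random token. Returns (token, status)."""
        token = secrets.token_hex(8)  # random; reveals nothing about the PAN
        rec = TokenRecord(pan=pan, device_id=device_id)
        if self.step_up_required:
            # Valid card data alone does not show who typed it in, so the token
            # stays inactive until the cardholder confirms via another channel.
            rec.activation_code = f"{secrets.randbelow(10**6):06d}"
            status = "pending_verification"
        else:
            rec.active = True   # weak setting: stolen CNP data becomes a live token
            status = "active"
        self.vault[token] = rec
        return token, status

    def activate(self, token: str, code: str) -> bool:
        """Consume the out-of-band code; one-shot, constant-time comparison."""
        rec = self.vault.get(token)
        if rec is None or rec.active or not rec.activation_code:
            return False
        if not secrets.compare_digest(rec.activation_code, code):
            return False
        rec.active, rec.activation_code = True, ""
        return True

    def authorize(self, token: str, device_id: str, amount_cents: int) -> str:
        """Merchant submits only the token; the PAN is resolved inside the issuer."""
        rec = self.vault.get(token)
        if rec is None or rec.device_id != device_id:
            return "declined: unknown token or wrong device"
        if not rec.active:
            return "declined: cardholder not verified"
        return f"approved: {amount_cents} cents"  # rec.pan used here, never returned
```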

VCP fraud is sure to increase as additional entrants, such as Samsung and Loop Pay, enter the market with their own mobile payment systems. The largest Apple Pay competitor, CurrentC, backed by the Merchant Customer Exchange (MCX), a consortium of large retailers, is set to be launched later this year. While boasting “Security at Level” including passcode, paycode and cloud protection, how CurrentC intends to combat VCP fraud is yet to be seen. 

As cybercriminals grow more sophisticated, mobile payment providers and issuers should react to VCP by focusing on developing innovative and strong user authentication solutions.

Nicole Joy Leibman is of counsel in Sills’ Litigation practice. She can be reached at nleibman@sillscummis.com.