
New burst of card fraud highlights value of possession-based authentication

Issues involving security are again trumping convenience in the mobile payments world following reports of a jump in card fraud cases involving Apple Pay.

While some in the tech media framed the problem as one involving a flaw in Apple Pay – which, of course, makes for a catchy headline – the reality is more complex. As mobile money expert Cherian Abraham points out in this post, what has largely happened is that fraudsters in possession of stolen or otherwise fraudulent card data are simply using Apple Pay to make better use of these data by, among other things, not having to create plastic cards for certain transactions.

As with last fall’s outbreak of hacking involving EMV cards, the problem lies with financial institutions failing to follow or create sufficient controls. More specifically, the issue is the often inadequate – and, at least in the United States, bafflingly inconsistent – way in which financial institutions go about verifying that those registering cards as payment instruments in apps like Apple Pay actually have the authority to do so. It would, for example, probably come as a shock to many outside of the US that some American issuers conduct the authentication process by phone. Others do it via a bank’s separate mobile app.

[Figure: Bank card activation in OTPay]

By comparison, Cellum’s mobile wallets authenticate cards through the tried-and-tested deposit/debit verification system, in which a small amount of money is credited to or deducted from the cardholder’s account, along with a reference number that the cardholder uses to verify their “possession” of the account.

As Cellum’s Director of R&D Zoltán Ács put it: “It is always hard to find the right balance between security and convenience. Users mainly long for convenience, that is, until they become victims of fraud.”

Such an authentication element is the closest thing available, and practical, to an airtight one, and it can be provided in addition to an issuing bank’s verification regime. Since it demands an affirmative action on the part of the cardholder, it could be seen as compromising convenience. In the real world, though, even one fraudulent charge produces more inconvenience than a dozen effective anti-fraud measures.
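
The reference-number half of the deposit/debit check described above, as an added sketch that is not Cellum's or any issuer's code. The class name, the six-digit code, the three-attempt limit and the seven-day window are assumptions, and the small credit or debit that carries the number to the cardholder's statement is not modelled.

```python
import hashlib
import hmac
import secrets

# All names and limits below are assumptions for illustration.
CODE_DIGITS = 6               # length of the reference number
MAX_ATTEMPTS = 3              # wrong guesses allowed before lock-out
TTL_SECONDS = 7 * 24 * 3600   # how long the challenge stays valid


class CardVerification:
    """One pending possession check for a card being registered in a wallet."""

    def __init__(self, server_key: bytes, card_token: str, now: float):
        self.key = server_key
        self.card_token = card_token      # opaque token, never the card number
        self.expires_at = now + TTL_SECONDS
        self.attempts_left = MAX_ATTEMPTS
        self.verified = False
        self.digest = b""

    def mac(self, code: str) -> bytes:
        # Bind the code to this card so it cannot confirm a different one.
        msg = f"{self.card_token}:{code}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def issue(self) -> str:
        """Create the reference number that travels with the small credit/debit."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.digest = self.mac(code)      # store only the keyed digest
        return code

    def confirm(self, submitted: str, now: float) -> str:
        """Check the number the cardholder read from their account statement."""
        if self.verified:
            return "verified"
        if now > self.expires_at:
            return "expired"
        if self.attempts_left <= 0:
            return "locked"
        self.attempts_left -= 1
        if hmac.compare_digest(self.mac(submitted.strip()), self.digest):
            self.verified = True
            return "verified"
        return "locked" if self.attempts_left == 0 else "retry"
```

The attempt limit matters as much as the randomness: a six-digit number with unlimited guesses would not demonstrate possession of anything.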