Cellum Insights

The three things to remember when reading the latest scare stories about “mobile payment fraud”

Last December we implored our readers to beware alleged experts’ scare tactics on mobile payments, pointing out that a constant in the history of technological advancement is innovations facing unfounded claims of danger and calamity. And thanks to recent news about fraud and mobile payments in Europe, it looks like it’s probably time for a reminder.

The news in question flows from this report by European Union law enforcement agency Europol highlighting criminal gangs’ increasing use of smartphones to conduct fraudulent financial transactions. Techweek Europe’s version of the story was titled “Europol Warns Of Gangs Making Fake Android Mobile Payments.”

As in some previous similar articles involving security and mobile payment systems, the story makes the critical error of blaming mobile wallets for not doing what they’re not supposed to do, and otherwise conflating unrelated issues. So to set the record straight, here are three things people should remember whenever they see or hear stories about mobile payment and security.

1. So-called “mobile payment fraud” almost always involves physical cards that were already compromised
If one actually bothers to read the Europol report, it quickly becomes clear that the problem they are highlighting actually involves compromised physical payment cards, notably NFC-equipped cards vulnerable to “card skimming” and other forms of unauthorized access. So it’s not that the data is being “leaked” from mobile wallets. Rather, mobile wallets may have been used to make purchases with stolen cards.

2. Not all mobile wallets are the same, and they are not all created equal
Another common mistake people make is to assume that all mobile wallet products offer equivalent security safeguards, meaning that if there were to be a problem somewhere there would necessarily be a problem everywhere. But in reality there are important differences between the ways different wallets lock down customer data and otherwise operate. There is even a fundamental difference between the way the Android operating system and Apple handle NFC payments, with the NFC chip in iPhones limited to use of the proprietary Apple Pay wallet, while the open-source Android operating system necessarily makes the NFC chip open to wallets made by third-party developers. Techweek’s retelling of the Europol report also suffered from an apparent mixing up of the Android operating system and Google’s own Android Pay, further indicating how difficult it is even for professionals to keep on top of developments in the payments space.

3. Even a weak mobile wallet is stronger than no mobile wallet
And while some mobile wallets may be “more equal than others,” all tend to have safeguards that go beyond those of simple plastic. Among these are the standard KYC (“know your customer”) process by which issuing banks confirm whether a card being registered actually belongs to the user, and some form of authentication process during payment (a PIN code, fingerprint scan, etc.). We can and will argue whether there is room for improvement in the area of safeguards, but in almost every case they are better than nothing.

So the next time you hear about “mobile payment fraud” remember that whatever happened would probably have been worse without mobile wallet security – and quite possibly had nothing to do with mobile payments at all.