Beyond Two-Factor Authentication: Minimizing Mobile Payments Fraud

The more things change, the more they stay the same.  This seems the case with security and mobile payments, where security has, is, and will be a significant consumer concern.  This post discusses mobile payments security and focuses on/introduces an authentication continuum for different payment methods, which can contribute to further minimizing mobile payments fraud in the future.

Security is paramount for mobile payments

U.S. Federal Reserve consumer research shows that consumers still are hesitant to make mobile payments for a variety of reasons, but security concerns are always near the top of the list.  In fact, 59% of U.S. consumers said they were “concerned about the security of mobile payments” and 41% said they “don’t trust the technology.”

Ponemon research has found the fast pace of mobile payment technology advances are outpacing the security to prevent data breaches.  Clearly, security considerations must be an integral part of solution design.

Recognizing that mobile payments solution providers today are utilizing multiple technologies—tokenization, authentication, and risk engines—to avoid some of the past fraud problems associated with payment cards, this post will now look at a new authentication continuum framework.

Authentication continuum for different payment methods

Going back to the advent of credit cards several decades ago, authentication (i.e., correctly identifying the user) has always been a key element in order to provide security and integrity of the transaction.  Credit cards had single-factor authentication which was improved upon with Debit cards and their two-factor authentication.

More recently, Apple Pay has utilized smart phone-based technology (i.e., fingerprint) to advance the level of security.  Beyond two-factor authentication, innovators are developing even more security controls—which consumers will be able to set/control from the immediacy and convenience of their mobile phone.

This authentication continuum can be represented as follows:

Level of security  Payment method  Authentication  Description

Least secure         Credit cards          One-factor          What you own (card)

More secure         Debit cards           Two-factor          What you own (card) &

                                                                                     What you know (PIN)

More secure         Apple Pay             Two-factor          What you own (iPhone 6) &

                                                                                     Who you are (fingerprint)

Most secure         Beyond                 Two-factor *       What you own (phone) &

                                                                                     What you know (PIN) OR

                                                                                     Who you are (fingerprint)

                                                                                     * Plus Freeze, Lock,

                                                                                     etc. from phone

Apple Pay has received considerable media coverage regarding their security advances; this “Mashable” article describes why one author believes Apple Pay is “the most secure mobile payment system on the planet.”

That said, even Apple Pay… or the banks—depending upon how you think about this issue—has had fraud challenges.  This Apple Pay fraud has been described by the New York Times and other media outlets.

Finger-pointing aside, the NY Times states:  “Some of the nation’s banks are privately complaining that Apple Pay may not be so great after all.  But the banks may largely have themselves to blame…. Apple has now begun providing additional information to the banks that should help deter some of the fraud. The banks, which are responsible for the costs of the frauds, have toughened standards to review customer sign-ups on Apple Pay.” 

Innovative approach to further minimize mobile payment fraud

Beyond Apple Pay’s tokenization and two-factor authentication (utilizing “who are you” vs. “what you know”), we believe solution providers can provide additional security through innovative technologies which enable a consumer to easily freeze, lock or keep locked (i.e., auto-lock) their mobile payment accounts—from their mobile phones.  These new mobile capabilities can overlay existing mobile payments fraud technologies. 

In closing, one thing is for sure.  Security is dynamic and about a continual effort to stay ahead of the “bad guys.”  Banks and consumers also need innovate tools in order to do so.  And for solution providers, it is a critically important journey without an end.  The more things change, the more this effort will remain the same.  Let us know what you think.