Has mobile payment fraud arrived?
Last week the seemingly happy, steady march that is the adoption of Apple Pay was thwarted by reports of a ring of thieves who managed to pilfer high-end goods using the mobile payment system.
The good news for Apple Pay is that its fingerprint encryption wasn’t breached. Still, thieves nevertheless were able to create that work-around by setting up new iPhones with stolen data and calling banks to verify details.
In a little twist of fate, the criminals apparently targeted Apple stores in particular because they’re guaranteed to accept the mobile payment system, not to mention stock the iPhones needed to further the scam.
Was this development a game-changer? Retail Dive takes a closer look.
Apple Pay’s bumpy road
Since its launch, Apple Pay has been hailed as the mobile wallet that will smooth the path of mobile payments, and that may be true. But it’s important to remember that there were bumps in the road, even just before that launch. Yet, till last week, that hadn’t seemed to matter much.
“Apple Pay launched in September not long after their phones were being hacked and celebrities pictures were being taken,” Matt Schulz, senior industry analyst at CreditCards.com, told Retail Dive. “Now there are hackers finding a loophole in the verification process with Apple Pay. So there have definitely been some headwinds with Apple Pay and security. If they can get that worked out, I do think that this will eventually catch fire.”
Implications for mobile security
After the initial reports last week that Apple Pay was hacked, some cooler heads have prevailed and subsequent reports on the details were less alarming.
The discovery does reveal a critical flaw in the system, but a relatively isolated one, with the problem resting largely with banks. It could still be a problem for Apple Pay and mobile payments in general if users (and retailers) don't make the distinction.
"People will perceive that as being a fault of Apple Pay rather than thinking of it as an issue with bank verification, and that sort of thing is going to be hard for Apple to overcome," Schulz says.
The fraud discovered last week, though, was really nothing new, Nicko van Someren, CTO of Good Technology, told Retail Dive in an email.
“The recent spate of fraud on Apple Pay was a decidedly low-tech attack that had little to do with Apple Pay and everything to do with legacy databases of card details being stolen and mobile payments being a convenient vector for the purchase of high-value, easy-to-resell products,” van Someren says.
“Most of the newer mobile payments systems use a technique known as tokenization to avoid having to transmit users' real credit card numbers, which helps security enormously," van Someren continued. "On the other hand, we are likely to see new attacks facilitated by these new tools and it will take a while for users, merchants, and banks to adjust to these new threats.”
In fact, when it comes to Apple Pay, Forbes’ Paula Rosenblum calls the idea that “the American consumer or retailer has anything to worry about any time soon” a “fiction.”
“So the facts around ‘Apple Pay Fraud’ are that it’s a very idiosyncratic and sporadic occurrence, affecting banks," she writes. "Banks must get better at preventing identity theft in general, and making sure they don’t issue credit cards to fake people. It strikes me that Apple Pay fraud is the least of their problems until that time.”
Certainly, though, as payments do move to mobile, hackers will follow. That means that retail point-of-sales systems, which at the moment seem to be the major access point for hackers, may become less so as the technology’s center of gravity shifts. Where or how the those new tendencies occur is yet to be revealed, van Someren says
"Some of the attacks against POS equipment will become harder as we move to both mobile payments and chip-based cards, and this will probably lead to attackers looking elsewhere for vulnerabilities,” he says. “It remains to be seen where they will strike next, though."
Mobile payments: The reality
While Apple Pay in many ways has taken mobile payments by storm, the truth is that adoption remains low-key. Consumers are no more interested in paying by phone than they were six months ago, when Apple Pay came on the scene, according to a poll of 1,000 U.S. consumers conducted this month by CreditCards.com.
Forrester Research projects the use of mobile payments will triple in the next five years, to $142 billion in 2019, especially in in-person payments, the fastest growing category. Those, like shoppers using mobile wallets at retailers, could grow 10 times in those five years, up from $3.7 billion in 2014. Other payments — like peer-to-peer and remote payments, will not likely grow at such a wild pace, according to Forrester.
'Change is hard, especially when it involves people’s money'
What that growth requires, even above security or perception of security, our experts say, is usability. In the end, it doesn’t matter much to the user that the essential transaction still rests with the credit card and the bank.
"In practice, I think that usability is going to be more of an issue than security,” van Someren says. “The existing security models for credit card transactions, particularly in North America, (where chip-and-PIN has not taken off), are pretty poor, and yet consumers are comfortable with the system. Most of the mobile payments systems released to date have had better security than existing magnetic stripe cards. And often that has been their downfall, since their security has hampered usability.”
Schulz agrees, and says that the mode of transaction is still a big adjustment for most consumers, except for Apple fans, younger people, and Hispanics, who as a group own and use smartphones much more than the general population.
“Even though you’re still leveraging your card, it is still a significant change as far as the usage,” Schulz says. “People with cards have been using them the exact same way for decades. When you introduce something new, change is hard, especially when it involves people’s money.”
Apple Pay remains important to all wallets
Last week’s Apple Pay fraud appears to be another bump in the road, but quite a small one that won’t much slow it down, thanks to its early success and high level of usability, say our experts.
“Apple Pay has seen traction because it is both clearly strong enough for the task and because it is exceedingly easy to use,” van Someren says. “As long as new mobile systems meet or exceed the security of the cards that they might replace, the barrier to adoption is always going to be whether using your mobile device can be made easier than grabbing your ‘top of wallet’ card.”
And that will continue to help move the needle on the usage of all mobile payments, regardless of whether they’re based on near-field communications, QR codes, or any other technology, Schulz says.
“My personal thought is that Apple Pay is going to up end up sort of being the rising tide that lifts all boats — Google Wallet has been around for awhile but hadn’t hit critical mass,” he says. “The place that Apple holds with consumers is such that them taking this seriously and diving in the way they have is going to lead to more acceptance to other wallets.”
Follow Daphne Howland on Twitter