Buyer Beware! Despite Tokenization, Mobile Payments are not Bulletproof

Virtual Card Present – A New Breed of Mobile Credit Card Fraud 

As credit card fraud rises, ensuring the security of mobile payments is important for merchants and consumers alike. To combat fraud, the next generation of mobile payment platforms employ tokenization to create more secure mobile payments systems. While tokenization may reduce the susceptibility to mobile payment fraud, it is not bulletproof, leaving room for a new breed of credit card fraud.

Tokenization is a process in which sensitive information, such as a credit card number, is replaced with a randomly generated unique token or symbol. Tokenization helps simplify a consumer’s purchasing experience by eliminating the need to enter and re-enter account numbers when shopping on mobile devices. Tokens benefit merchants too, by eliminating the need for them to store payment card account numbers. Merchants have decreased risk as they are not directly handling sensitive and regulated data. The result is overall increased transaction security and reduction in mobile payment fraud.

For example, Apple Pay uses tokenization to ensure all personal account numbers (PANs) are replaced with randomly generated IDs, or tokens, that are then used to authorize one-time transactions. Although Apple Pay users upload credit card information to their devices, neither Apple nor retailers ever have direct access to this sensitive financial data. The security of the iPhone’s tokenization is further bolstered by the use of a biometric fingerprint that is stored on an isolated chip, separate from the token.

Even with the use of tokenization, there remains a weak link in securing mobile payments: ensuring a mobile payment system provides its app to a legitimate user, rather than a fraudster. And criminals love a weak link.

While Apple Pay’s use of tokenization coupled with the biometric authentication provides strong security, hackers are committing a new type of fraud by exploiting this weakness in user authentication. To circumvent tokenization (and biometrics), hackers have been loading iPhones with stolen card-not-present data to create Apple Pay accounts. This essentially turns the stolen credit card data back into a “virtual” physical card – à la Apple Pay.

The responsibility for this new type of Virtual Card Present (VCP) rests with the card issuers, who have the burden of establishing that Apple Pay cardholders are legitimate customers with valid cards. Some banks have begun addressing the issue of user authentication by requiring customers to call to activate Apple Pay, ensuring their identities are verified.

VCP fraud is sure to increase as additional entrants, such as Samsung and Loop Pay, enter the market with their own mobile payment systems. The largest Apple Pay competitor, CurrentC, backed by the Merchant Customer Exchange (MCX), a consortium of large retailers, is set to be launched later this year. While boasting “Security at Level” including passcode, paycode and cloud protection, how CurrentC intends to combat VCP fraud is yet to be seen.

As cybercriminals grow more sophisticated, mobile payment providers and issuers should react to VCP by focusing on developing innovative and strong user authentication solutions.

This article appeared in the October 2015 issue of The Metropolitan Corporate Counsel. The views and opinions expressed in this article are those of the author and do not necessarily reflect those of Sills Cummis & Gross P.C. Copyright ©2015 Sills Cummis & Gross P.C. All rights reserved

© Copyright 2015 Sills Cummis & Gross P.C.

Published by

jschaller@natlawreview.com

A group of in-house attorneys developed the National Law Review on-line edition to create an easy to use resource to capture legal trends and news as they first start to emerge. We were looking for a better way to organize, vet and easily retrieve all the updates that were being sent to us on a daily basis.In the process, we’ve become one of the highest volume business law websites in the U.S. Today, the National Law Review’s seasoned editors screen and classify breaking news and analysis authored by recognized legal professionals and our own journalists. There is no log in to access the database and new articles are added hourly. The National Law Review revolutionized legal publication in 1888 and this cutting-edge tradition continues today.