With all of the talk about mobile payments startups like Square these days, one might wonder about what kind of security issues could arise as more customers start using such payments services at the point-of-sale.
Although there haven't been any public attacks from fraudsters on alternative mobile payments providers such as Square, LevelUp or Dwolla, anecdotal stories of such attacks are already circulating among security experts and regulators, says Joram Borenstein, senior director of global product marketing at NICE Actimize, a risk, fraud and compliance solutions provider. Borenstein says that most of these anecdotal stories come from consumers' comments, vendors and regulators. And although so far there are only anecdotes, Borenstein, like many, expects there will be more public attacks down the road as more customers adopt these forms of payment.
Many of these alternative mobile payments companies are using the security capabilities built into the mobile device itself to combat fraud. Borenstein says that several of these companies are taking advantage of the geo-location functions of mobile devices to track their customers to aid in authenticating transactions. He finds this method particularly effective: "It's easier today to track individuals than it is to track transactions for alternative payments providers."
Other alternative payments companies have had to turn to more traditional transaction-monitoring security methods. For instance, Square aggregates all of its transactions at its headquarters, so all of its transactions show up as occurring in San Francisco, which rules out geo-location security methods. So the company uses the same monitoring of transaction amounts that many banks already employ to detect suspect transactions, Borenstein says. The company also imposes a transaction size limit on new users for a certain period of time to make sure they are legitimate customers.
One thing that still has to be worked out in this area is regulatory oversight. "The regulators are not yet clear who owns the regulatory oversight for these environments. These technologies tend to fall through the cracks even in terms of card-present or card-not-present," Borenstein explains. This could complicate liability issues that could arise between merchants and issuers over fraud in mobile payments, he adds. Regulators have begun talking to mobile payments companies about some of these issues, Borenstein relates. He expects some of the issues will be dealt with proactively by regulators working with the parties involved and some will be put off until a public fraud attack actually occurs. He anticipates that it will still be some time until that occurs: "It's still easier to put malware on a PC than on an iPhone or Android. It's not yet easy [for fraudsters] to make money off of mobile."