Mobile Wallets Protect Members From COVID & Fraud
CUs can motivate members to adopt this payment option if they make it fast, easy and even more secure than swiping a card.
The U.S. has always lagged behind countries like China and India in digital wallet adoption – and so far, it doesn’t look like the COVID-19 pandemic will change that.
As COVID-19 cases spike across the U.S., a smartphone equipped with Apple Pay, Samsung Pay or another mobile wallet seems like an ideal way for shoppers to avoid physically touching keypads, pens and cards at checkout. However, the use of mobile wallets has failed to expand at the rate some analysts expected. As of mid-April, TD Bank reported that it had not seen an increase in mobile payments, even as the use of other contactless payment methods grew.
Anemic mobile wallet adoption represents a missed opportunity for retailers, card issuers and credit unions alike, and not just in the context of the pandemic. Convenience aside, the near-field communication (NFC) technology used in modern contactless payments is one of the most secure payment options on the market.
Spy-movie scenarios where hackers use arcane devices to steal shoppers’ credentials from 10 feet away simply don’t happen in real life (despite the claims of RFID-safe wallet manufacturers). Advanced technology ensures the bidirectional handshake between the customer’s smart device and the point-of-sale (POS) device doesn’t expose payment data.
Credit unions can motivate members to adopt this safe, secure payment option if they make adoption and usage fast, easy and even more secure than swiping a physical card. The key is using advanced technology to layer on additional security protections without adding more friction to the experience.
Cumbersome Security Requirements & Poor Authentication
While contactless payments are secure from credential-stealing attacks at POS, they have two other key points of vulnerability that, if exploited, could lead to fraud.
When a member enrolls a new card in their digital wallet, how do you confirm that they’re the actual cardholder and not a criminal using stolen card data? When a device is used to make a contactless purchase, how do you know that the device is in possession of the cardholder and not a thief?
These points of vulnerability not only create security risks but also add friction to the mobile wallet member experience. Today, many credit card issuers deal with the first question by deploying cumbersome methods to identify the legitimate cardholder. For example, the member might have to call the issuer to confirm their identity – which could be difficult if the issuer’s contact center isn’t staffed 24/7. Even lighter-touch options, like texting a one-time-use code to the phone number associated with the card, can lead to friction (and are vulnerable to fraud, too).
Confirming identity at POS is also an issue. Most issuers treat the theft of a digital wallet like the theft of a physical wallet – they rely on the consumer to promptly cancel any affected cards. However, this, too, may require calling the issuer or taking other cumbersome steps.
While mobile wallets are relatively easy to use, these remaining sources of friction motivate most consumers to reach for their physical cards at POS. To change consumer habits for good, mobile wallets need to be both more secure and easier to use than physical cards, which are currently most consumers’ default option. If you can achieve that shift, you’ll finally see adoption and usage significantly rise.
Removing Friction by Layering on New Protections
Traditional authentication protections like one-time passwords are an important first line of defense for account security. Along with the technology that secures the “digital handshake” at POS, they’re key reasons why contactless payments are already so secure. However, layering on additional protections can enable issuers to resolve concerns around enrollment and authorized use while minimizing friction in the form of phone calls or SMS codes.
One strategy combines two approaches, passive biometrics and behavioral analytics, to build a unique profile of each user. Behavioral analytics identifies patterns in user behavior, like when users typically interact with a certain app during the day, while passive biometrics looks at largely unconscious actions such as how a user holds their device. The combination of these characteristics is unique to each user and difficult, if not impossible, for others to imitate. While passwords and other traditional authentication methods rely on “what you know,” passive biometrics and behavioral analytics add another layer of security that considers “what you are.”
With profiles built on behavioral analytics and passive biometrics, you can verify users based on their behavior and physical interactions with their trusted computing device. When a trusted user enrolls a new card in their digital wallet, you can accept the payment method automatically without a code or phone call. In the handful of cases where the algorithm is uncertain, additional measures like a one-time-use code may be necessary. But overall, the application of passive biometrics and behavioral analytics significantly reduces friction during card enrollment.
This method also boosts security at point of sale. If an unlocked device falls into the hands of a bad actor, the change in behavioral or biometric profiles can trigger a lockout before the thief makes a transaction. As convenient and simple as physical credit and debit cards are, they can’t do that.
Preparing for the Contactless Future
With COVID-19 still making headlines across the U.S., the need for contactless payment solutions isn’t going away. By layering on additional security protections to verify users, card issuers and credit unions can remove friction from mobile wallet enrollment, encouraging adoption while also bolstering fraud prevention. In the midst of a pandemic, it’s a no-brainer that benefits both members’ health and payment security.
Robert Capps is Vice President of Market Innovation for NuData Security, a Mastercard Company, based in Vancouver, British Columbia, Canada.