Biometrics and the Fight Against Mobile Payment Fraud

POSTED BY Nick Maynard
In 2020, our mobile phones, and the transactions they can handle, took on new importance. The COVID-19 pandemic meant that during large parts of the year, many of us were required to stay at home and shop from the comfort of our own armchair. Mobile payments have become a vital channel for both eCommerce and POS payments. Either through the Internet or in wallet mode, via NFC, the versatility of the mobile device has shown it can be used in a range of both remote and in-person transactions. Smartphones have now become a common platform for remote eCommerce.

At the same time, regulators are ensuring that the need to secure personal and payment data is moving beyond being a mere cost of business into a necessary part of business operations. Mobile transactions are an ecosystem in their own right. This ecosystem has many moving parts, each of which is potentially open to exploitation and fraud. For this reason, the security of transactions is both a key driver and a constraint in the use of mobile devices for payments. Increasingly, the identification and verification of a user during a transaction is becoming the pivot upon which transaction success turns.

Indeed, the changing dynamics of the ecosystem and increasing connectivity across a myriad of platforms has increased the vulnerabilities and opened up opportunities for fraudulent activities. The number of mobile payment fraud occurrences has increased as well. Every possible entry point from social media to rogue apps to synthetic identity is used to circumvent security measures. Thanks to the increased transaction levels on smartphones, these devices will be the focus of attention for both fraudsters and those who seek to combat them.

Some of the most recent mobile fraud trends include social media, where the platforms are used as vectors for phishing posts and for the recruitment of fraudsters and money mules; synthetic identity; the creation of rogue or unauthorised apps; and mobile data exposure. Though there has been a focus on using tokenisation as a security measure, this will only realistically work during the provisioning stage: with tokens frequently being generated and used, fraudsters will look for ways to hack the system. Fraudsters are highly innovative, so tokenisation will be only one area that comes into sharp focus as payments increasingly move online.

Indeed, the future of verification and authorisation fraud seems to be tied to another important fraud trend: synthetic identities. reported. Conversely, synthetic identity payment fraud takes place when attackers create a new identity to commit fraud, including identity fabrication, identity manipulation and identity compilation.
Biometrics have been used to counter this, as they add far more security in comparison to passwords. However, they raise the other concern that, once biometric data is breached, it cannot be replaced for use again. This can be addressed through strong anti-spoofing technologies that are separate from the stored biometric data itself.

This is typically combatted through the use of either tokenisation or encryption of stored data, to ensure that the data is unusable when a fraudster procures it. White-box cryptography can be used here, most commonly in HCE (Host Card Emulation) and TEE implementations, where hardware (such as an HSM) cannot be used as part of the encryption process. Another way in which biometric data is secured is by never letting it leave the device: it is stored on an SE or TEE, and then used to validate tokens which are sent to the payment provider.
What is likely is that there is not just one single method that can counter this type of fraud. Indeed, a combination of behavioural biometrics, machine learning and risk-based transaction assessment will present an ecosystem approach to mitigating sophisticated techniques that take advantage of biometric authorisation, e.g. stolen biometrics or deepfake technology.
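The on-device model described above (template and key kept in the SE/TEE, only a cryptogram over a payment token leaving the phone, the provider validating it and applying a risk rule) as an added simulation; this is illustrative code, not the author's or any payment scheme's implementation. It assumes a symmetric device-bound key shared with the provider at provisioning (HCE-style) and a toy feature-vector matcher in place of a real biometric engine.

```python
import hashlib
import hmac
import json
import secrets


class SecureElement:
    """Stand-in for an SE/TEE. The enrolled template and the device-bound key
    stay inside; callers only ever receive a cryptogram over a payment token."""

    def __init__(self, template, device_key, threshold=3):
        self._template = template      # enrolled feature vector (constructed)
        self._device_key = device_key  # shared with the provider at provisioning (assumption)
        self._threshold = threshold

    def _matches(self, sample):
        # Toy fuzzy matcher: real engines compare feature vectors with a tolerance.
        if len(sample) != len(self._template):
            return False
        return sum(abs(a - b) for a, b in zip(self._template, sample)) <= self._threshold

    def authorise(self, sample, amount, merchant):
        """Return (token, cryptogram) on a local biometric match, else None.
        The sample and template never appear in the token that leaves the device."""
        if not self._matches(sample):
            return None
        token = {"amount": amount, "merchant": merchant, "nonce": secrets.token_hex(8)}
        msg = json.dumps(token, sort_keys=True).encode()
        return token, hmac.new(self._device_key, msg, hashlib.sha256).hexdigest()


class PaymentProvider:
    """Provider side: rejects anything that looks like raw biometric data,
    rejects replays, checks the cryptogram, then applies a simple risk rule."""

    def __init__(self, device_key, step_up_limit=100):
        self._device_key = device_key
        self._seen = set()
        self._limit = step_up_limit

    def verify(self, token, cryptogram):
        if any(k in token for k in ("sample", "template", "biometric")):
            return "reject: biometric data must never leave the device"
        if token["nonce"] in self._seen:
            return "reject: replayed token"
        msg = json.dumps(token, sort_keys=True).encode()
        expected = hmac.new(self._device_key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, cryptogram):
            return "reject: bad cryptogram"
        self._seen.add(token["nonce"])
        return "step-up" if token["amount"] > self._limit else "approve"


DEVICE_KEY = b"constructed-device-bound-key"  # constructed value for the demo
ENROLLED = (10, 22, 35, 41)                    # constructed feature vector
```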

Our latest whitepaper, How to Maximise Mobile Payment Security, analyses the current mobile payment fraud trends, as well as examining different security options to counter them.

