After years of false starts, mobile payments are beginning to live up to the hype. They accounted for $52 billion worth of U.S. transactions last year, up from $32 billion in 2013, and are expected to rise to $67 billion this year, according to analyst Forrester Research. From Uber to Starbucks, startups and old-school retailers alike see the benefits of letting customers leave their credit cards in their wallets or even at home.
Where the money goes, criminals follow. Mobile devices now make up a disproportionate share of the $6 billion that fraud costs merchants and card issuers in the U.S. each year. While mobile payments account for 14 percent of transactions among merchants who accept them, they make up 21 percent of fraud cases, according to a survey of about 1,100 companies published on Jan. 26 by LexisNexis Risk Solutions. “We certainly see a surge in mobile payment attacks,” says Tomer Barel, chief risk officer at PayPal, who says his company deals with more cases of fraud on mobile devices than on PCs. “There are many more avenues for fraudsters to try.”
The typical case begins with the hack of a trove of credit card data from a big company (think Target or Home Depot). Hackers sell the stolen cards on a black-market website, and buyers use their phones to rack up as many purchases on each card as they can online, through apps, or in stores before someone notices. The Federal Trade Commission is also pursuing scammers who obtain people’s credit card numbers using standard phishing schemes, sending e-mails or texts with links to phony websites.
Each dollar worth of misbegotten mobile payments winds up costing a fooled merchant $3.34. That’s slightly more than the cost of a fraudulent credit card swipe or mail order, 27 percent more than a similar payment made from a PC. Along with the cost of lost merchandise, the total includes investigation of the fraud. That’s tougher on phones than on PCs, because many businesses aren’t equipped to track mobile devices’ unique identifiers such as IP addresses. Stores often don’t catch when a card issued in Los Angeles is used for a mobile order from Mexico, says Aaron Press, director of e-commerce and payments at LexisNexis Risk Solutions. “It’s kind of a wake-up call,” he says.
Some mobile fraud remains low-tech. Last year, the Better Business Bureau warned consumers about a scam in which people posted absurdly cheap offers for used cars online, then tricked interested buyers into wiring funds through a phony version of Google Wallet. Other frauds are more technical, such as the hackers who found a bug in a Chilean public transportation app that let them top off their travel credits for free. Like the brief flurry of duplicate charges that accompanied Apple Pay’s debut in October, such glitches highlight the vulnerability inherent in a system that requires banks, card networks, and software makers to keep pace with thieves. “If you don’t make the proper investment, they’ll be attracted to the weakest link,” says PayPal’s Barel.
Smartphone operating systems, at least, are tougher to infiltrate than those of PCs. Phones with biometric sensors can also make a person’s identity tougher to steal. Mobile payment service LoopPay says it’s adding support for biometric features such as Apple’s fingerprint reader, despite hackers’ claims that they can fool the iPhone’s sensor. Rival CurrentC says it’s considering similar measures; Apple didn’t respond to requests for comment. “There’s no perfect system,” says Will Graylin, chief executive officer of LoopPay. “It’s always a game of cat and mouse.”
The bottom line: Each dollar worth of fraud committed using mobile devices costs the scammed merchant $3.34.