According to McKinsey & Company, digital wallets currently facilitate approximately $300 billion in transactions within the U.S. The research firm is predicting that this volume will expand to $1.2 trillion by 2020 to comprise 18-20% of total U.S. retail spending.
This projected growth is expected to become a reality for a number of reasons. First and foremost, mobile wallets create the simple, frictionless buying experience that customers demand. Simultaneously, the technology opens up many new revenue opportunities for banks, fintech companies and retailers. Retailers in particular find the technology integrates well with their existing loyalty and discount programs, and stores are accordingly expected to install POS systems to accommodate and encourage their use.
However, in survey after survey, consumers list security concerns as their primary hesitation for using a mobile wallet. And at least for now, it seems to be warranted.
Fraudsters, shut out by the successful migration to the EMV (Europay, MasterCard and Visa) chip card security standard, have found greener pastures—and mobile wallets are one of the targets of choice.
In 2015, fraudsters were able to compromise approximately 112,000 mobile wallet-related accounts out of the 23 million digital wallet users. With 90 million digital wallet users expected to be using this technology by 2019, the number of fraud cases will most likely increase exponentially—unless measures are taken now to shore up the security gaps that currently exist in using this channel.
Mobile Wallet Vulnerabilities
The primary threat to mobile wallet security technology lies in the enrollment process, specifically when a new payment card is added to a wallet.
The mobile wallet provider must, at this point, verify if the card information matches the user information on file. When there is a discrepancy in the records, additional verification is required. That verification is requested either by one-time codes sent via text message or by call center verification.
Unfortunately, both these methods are insecure and potential access points where fraudsters can breach the system.
Text message (SMS) verification is specifically not recommended by the National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, because of its vulnerability to man-in-the-middle attacks and other forms of fraud.
And traditional two-factor authentication techniques such as SMS are not only insecure, as noted, but cumbersome for customers. Call center verification is equally ineffective. Despite extensive training in security precautions, operators are often easy targets for social engineering scams. Call center interactions are also time-consuming and costly for the organization to operate and maintain.
Verification via Device Authentication
A far better and more secure option would be to send requests for additional verification to mobile wallet users via the issuer’s mobile app.
Communication through these dedicated apps, coupled with mobile device authentication software, is a secure transmission method: messages travel point-to-point along an encrypted path. When verification requests are sent over this channel, fraudsters can be frozen out.
In this scenario, the mobile device itself becomes an additional authentication factor: a secure message is pushed to the issuer’s mobile app on the trusted device, and the customer simply taps to confirm the card addition to the wallet.
Leveraging the mobile device itself as a trusted token is done through the individual characteristics embedded as part of that device such as its operating system, location, application data and other data. In combination, these attributes form a unique identifier—a permanent identifier that serves as a secure token that the customer will have in their possession.
Then, instead of cumbersome and insecure verification methods like an SMS-based one-time code, a contextual message can be pushed for the customer to confirm their activity. The message can be encrypted and directed solely to the customer’s device of record, ensuring that there is no possibility of a man-in-the-middle interception or transmission to the wrong party.
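As an added illustration of the verification flow described above (example code written for this page, not InAuth’s software or any issuer’s implementation), the following Python simulation shows both sides of the exchange: at enrollment the issuer derives a device identifier from device attributes and provisions a per-device secret to its app; when a card-add request needs extra verification, it pushes a contextual challenge (customer, card, wallet, time of issue) that only the device of record can answer, and it rejects replays, expired answers, answers from another device, and answers whose context differs from what was challenged. The device attributes, customer and card values are constructed sample data, and the HMAC-based device secret is an assumption standing in for whatever device-authentication software binds the app to the device.

```python
import hashlib
import hmac
import json
import secrets
import time

# Simulated issuer backend for device-bound card-add confirmation.
# Assumptions for this example (not a description of any product):
#   - the device identifier is a digest over stable device attributes;
#   - a per-device secret is provisioned to the issuer app at enrollment
#     and used to MAC the customer's answer to each challenge.

CHALLENGE_TTL_SECONDS = 120


def device_fingerprint(attributes: dict) -> str:
    """Derive a stable identifier from device attributes (canonical JSON, SHA-256)."""
    canonical = json.dumps(attributes, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def sign_response(secret: bytes, challenge: dict, approve: bool) -> str:
    """Device side: MAC over the exact context shown to the customer plus the decision."""
    payload = json.dumps({"challenge": challenge, "approve": approve},
                         sort_keys=True, separators=(",", ":"))
    return hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()


class Issuer:
    def __init__(self):
        self.devices = {}   # customer_id -> (fingerprint, device_secret)
        self.pending = {}   # challenge_id -> challenge record

    def enroll_device(self, customer_id: str, attributes: dict) -> bytes:
        """Bind a customer to one trusted device; returns the secret provisioned to the app."""
        secret = secrets.token_bytes(32)
        self.devices[customer_id] = (device_fingerprint(attributes), secret)
        return secret

    def request_card_add(self, customer_id, card_last4, wallet_name, now=None) -> dict:
        """On a record discrepancy, build a contextual challenge for the device of record."""
        if customer_id not in self.devices:
            raise ValueError("no trusted device on file; route to manual review")
        now = time.time() if now is None else now
        challenge = {
            "challenge_id": secrets.token_hex(16),
            "customer_id": customer_id,
            "card_last4": card_last4,
            "wallet": wallet_name,
            "issued_at": now,
        }
        self.pending[challenge["challenge_id"]] = challenge
        return challenge  # pushed to the issuer app on the device of record

    def confirm(self, challenge_id, attributes, approve, tag, now=None) -> bool:
        """Verify the answer: known challenge, not expired, right device, untampered context."""
        now = time.time() if now is None else now
        challenge = self.pending.pop(challenge_id, None)  # one-shot: blocks replay
        if challenge is None:
            return False
        if now - challenge["issued_at"] > CHALLENGE_TTL_SECONDS:
            return False
        fingerprint, secret = self.devices[challenge["customer_id"]]
        if fingerprint != device_fingerprint(attributes):
            return False
        expected = sign_response(secret, challenge, approve)
        return hmac.compare_digest(expected, tag) and approve


def run_demo() -> dict:
    """Walk the flow with constructed data; returns the outcome of each case."""
    issuer = Issuer()
    trusted = {"os": "iOS 10.3", "app_build": "4.2.1", "model": "phone-A"}  # constructed
    secret = issuer.enroll_device("cust-001", trusted)
    t0 = 1_000_000.0

    # 1. Legitimate card add confirmed from the device of record.
    ch = issuer.request_card_add("cust-001", "4242", "ExampleWallet", now=t0)
    tag = sign_response(secret, ch, True)
    approved = issuer.confirm(ch["challenge_id"], trusted, True, tag, now=t0 + 10)

    # 2. Replaying the same signed answer fails: the challenge was consumed.
    replay = issuer.confirm(ch["challenge_id"], trusted, True, tag, now=t0 + 11)

    # 3. Another device holding a copy of the challenge cannot answer it.
    ch2 = issuer.request_card_add("cust-001", "4242", "ExampleWallet", now=t0)
    other = {"os": "Android 7", "app_build": "4.2.1", "model": "phone-B"}  # constructed
    wrong_device = issuer.confirm(ch2["challenge_id"], other, True,
                                  sign_response(b"not-the-secret", ch2, True), now=t0 + 5)

    # 4. The trusted device answering for a different card than the one challenged.
    ch3 = issuer.request_card_add("cust-001", "1111", "ExampleWallet", now=t0)
    tampered_tag = sign_response(secret, dict(ch3, card_last4="9999"), True)
    tampered_context = issuer.confirm(ch3["challenge_id"], trusted, True, tampered_tag, now=t0 + 5)

    # 5. A correct answer that arrives after the challenge expired.
    ch4 = issuer.request_card_add("cust-001", "1111", "ExampleWallet", now=t0)
    expired = issuer.confirm(ch4["challenge_id"], trusted, True,
                             sign_response(secret, ch4, True), now=t0 + 300)

    return {"approved": approved, "replay": replay, "wrong_device": wrong_device,
            "tampered_context": tampered_context, "expired": expired}


if __name__ == "__main__":
    print(run_demo())
```

Two design points carry the security value here: the challenge is single-use and time-limited, and the device's answer is a MAC over the full context it displayed, so an answer cannot be reused for another request or quietly attached to a different card. The example checks a provisioned device secret in addition to the attribute fingerprint; attributes such as the OS version change with updates, so the secret, not the fingerprint alone, is what binds trust to the device.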
Using this combination of authentication factors creates an innovative method to resolve the common business conflict between security and the need to deliver a satisfactory customer experience.
Looking Toward the Future
Mobile wallets have the potential to improve the shopping and engagement experience for millions of consumers, while simultaneously boosting revenue for retailers, financial institutions, and fintech companies. As mobile wallets continue to gain popularity and adoption grows, those organizations that can ensure the security of their customers and provide them with a heightened level of confidence that their transactions are safe and efficient will emerge as the leaders in their respective space.
About the Author
Michael Lynch serves as Chief Strategy Officer of InAuth, where he is responsible for leading InAuth’s new products strategy, along with developing key domestic and international partnerships. Lynch brings two decades of experience in key roles within financial services, consulting, and Fortune 500 companies, specializing in security and technology leadership. Prior to joining InAuth, Lynch served as a Senior Vice President for Bank of America, responsible for Authentication Strategy. He served at Bank of America for 14 years in various leadership positions within technology, customer protection, and online and mobile security strategy roles. Prior to Bank of America, Lynch specialized in information technology in various financial services, Fortune 500, and consulting services roles.