‍

All transaction types carry a risk of fraud, but recent security breaches involving Starbucks’ mobile app, have shined specific doubt on mobile payments. The incident found hackers breaching their system, transferring users’ balances over to fraudulent gift cards. Starbucks’ mobile app is often lauded as a success in the landscape of mobile payment applications, is this breach a sign of prominent vulnerability to fraud in the now commonplace payment type?

The Problem with The Starbucks App

Starbuck’s in-app currency works on a preloaded system, with customers given a set amount of credit that gets deducted post-sale, as opposed to you trading credit for a product. The hackers exploited the app’s security system, which provided no limit to incorrect password submissions, nor any account lockdown procedures, allowing hackers to brute force their way in.

However, Starbucks’s app is not a shining example of the strengths or even the main vulnerabilities in mobile payment security.

NFC’s Security Benefits

Big players like Google Wallet and Apple Pay utilizes near-field communication (NFC), a much more sophisticated piece of data transfer tech than the QR code provided by the Starbucks app.  NFC allows customers’ devices to communicate directly with the POS, similar to the tap-to-pay option featured in EMV cards.

They’re also both robustly equipped with a vast array of safety measures that the Starbucks app lacks. Utilizing similar security procedures featured in most physical payment methods, like using your phone’s security code to authorize a transaction. While also offering even greater layers of security to deter fraud-thieves, such as utilizing face id as a second method of identification.

Apple Pay specifically borrows even more from the features of EMV chips, utilizing Its data transfer method of Tokenization. For each new sale, a randomized token is generated to provide a secure safe way to identify a customer. This skirts the need to directly store valuable client credit card data on either the device or Apple Servers.

However, it’s not without its faults, as other areas in Apple’s payment process have proved to be vulnerable to fraud seekers. Exploiting the fact that users need to formally submit their credit card information when initially setting up the Apple Pay service. While at the same time easily extracting the data, hackers can link cards to their own devices and efficiently make fraudulent payments.  However, Apple has stated this is more the fault of card issuing banks, who seemingly fail to effectively authenticate user identities when a card gets linked to Apple Pay.

Identify Verification in Card-Not-Present Fraud

In the years post the adoption of EMV cards, France, the UK, and Australia saw a drastic decrease in card-not-present (CNP) transaction fraud. Signifying EMV’s effectiveness in combatting the use of counterfeit cards or POS Systems.

As stated before, many NFC mobile wallets utilize the same tokenization system as the EMV standard, categorizing mobile payments as card-present transactions when employed at an EMV terminal. However, when utilized in online purchases, mobile payments are still considered CNP. Fraud seekers will likely target these vulnerable online purchases, so constant and vigorous identity verification must become a priority.

Are Mobile Payments Inherently Vulnerable?

Despite the proven heightened security, there will always be a potential for fraud in any payment type. Therefore, the effectiveness of your security will always vary based on the tech and the payment method used. For example, NFC payments reach the same enhanced security standards of EMV, but solely for card-present transactions.  Ultimately, beyond implementing these state-of-the-art features, constant awareness of fraudsters’ main techniques is key to actively protecting your business. You can integrate a brand-new NFC-based mobile payments system into your retail store, but if you additionally conduct transactions online, then extra awareness and identity verification procedures will need to be independently implemented. So be cognizant of your business’s potential vulnerabilities if integrating mobile payments becomes a priority.

RevitPay is a merchant services provider offering a slew of NFC-compatible POS systems and fraud protection software. Contact us today if you’re looking to expand your client’s payment options while simultaneously defending your business.

‍