The United States Secret Service (USSS) and the Payment Card Industry (PCI) Security Standards Council released a Joint Advisory Bulletin on September 8, 2015, titled “Mobile Payment System Vulnerability.” This bulletin addresses a growing trend in information theft related to contactless payments processed through Near Field Communications (NFC) such as Android Pay™, Apple Pay™, and Samsung Pay™.
What Are the Weak Points in the Contactless Payment Process?
One major weak point in this growing payment process is that a person’s account information, stolen from other online merchants that have been compromised, can be reused to enroll a card. Fraudsters can often use account information stolen from digital stores to enroll the associated payment card in a mobile payment application and then make NFC purchases with it.
The USSS points out that the information necessary to pull this scam off can be purchased for as low as $8.00. Even when fraudsters do not have all of the necessary information for the stolen account, they can find the answers to many of the standard security questions right on social media websites.
Additionally, using the same information that allowed them to steal an individual’s credentials, fraudsters are also able to open additional accounts that are compatible with NFC payment applications.
What Can You Do to Protect Payment Credentials?
To help protect customers’ payment credentials, financial institutions should remind their merchants that they need to implement stronger logical and physical controls. There are a number of publications (see “Useful Guidelines” below) that provide guidance for securing data. Additionally, organizations should consider incorporating additional controls into their new account registration process, such as:
- Device Fingerprinting
- Behavior Analysis
The Joint Advisory Bulletin also suggests that financial institutions open a dialogue amongst themselves to try to identify duplicate registration attempts.
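As an added example (not code from the bulletin or this article), the following shows how the two registration controls above and the cross-institution comparison could work together: it scans constructed wallet-enrollment events pooled from several issuers and flags a device fingerprint that enrolls many different cards, and a card that is enrolled on several devices within a short window. The event fields, issuer names, thresholds and function names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample enrollment events (no real cards, devices or issuers).
# Fields: (timestamp, issuer, card_token, device_fingerprint)
EVENTS = [
    ("2015-09-08T09:00:00", "issuer_a", "tok_1001", "fp_legit_1"),
    ("2015-09-08T09:05:00", "issuer_a", "tok_1002", "fp_mule_9"),   # one device,
    ("2015-09-08T09:07:00", "issuer_b", "tok_1003", "fp_mule_9"),   # three cards,
    ("2015-09-08T09:12:00", "issuer_c", "tok_1004", "fp_mule_9"),   # three issuers
    ("2015-09-08T10:00:00", "issuer_a", "tok_2001", "fp_owner_7"),
    ("2015-09-08T10:20:00", "issuer_a", "tok_2001", "fp_stranger_3"),  # same card,
    ("2015-09-08T10:25:00", "issuer_b", "tok_2001", "fp_stranger_4"),  # new devices
]

# Assumed thresholds; a real program would tune these against its own data.
DEVICE_CARD_LIMIT = 3          # distinct cards one device may enroll per window
DEVICE_WINDOW = timedelta(hours=24)
CARD_DEVICE_LIMIT = 3          # distinct devices one card may be enrolled on
CARD_WINDOW = timedelta(hours=1)


def _window_exceeded(items, window, limit):
    """True if at least `limit` distinct keys occur inside any sliding window.

    `items` is a list of (datetime, key) pairs; it is sorted in place.
    """
    items.sort()
    for i, (t0, _) in enumerate(items):
        distinct = {key for t, key in items[i:] if t - t0 <= window}
        if len(distinct) >= limit:
            return True
    return False


def flag_enrollments(events):
    """Return {device_or_card: reason} for enrollments that need review."""
    by_device = defaultdict(list)   # device fingerprint -> [(time, card)]
    by_card = defaultdict(list)     # card token -> [(time, device)]
    for ts, _issuer, card, device in events:
        t = datetime.fromisoformat(ts)
        by_device[device].append((t, card))
        by_card[card].append((t, device))
    flags = {}
    for device, items in by_device.items():          # device fingerprinting
        if _window_exceeded(items, DEVICE_WINDOW, DEVICE_CARD_LIMIT):
            flags[device] = "multi_card_device"
    for card, items in by_card.items():              # duplicate registration
        if _window_exceeded(items, CARD_WINDOW, CARD_DEVICE_LIMIT):
            flags[card] = "duplicate_registration"
    return flags
```

Pooling events across issuers is what makes the second rule useful: each issuer on its own sees only one or two enrollments of the card.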
Preventing NFC payment fraud needs to be addressed at each step along the transaction-processing trail. The merchants that accept these payments should implement additional controls to protect payment credentials from theft. Similarly, the companies that issue new payment credentials need to ensure that their vetting and enrollment process is adequate to catch these identity theft attempts.
Useful Guidelines
- Joint Advisory Bulletin: Mobile Payment System Vulnerability, September 8, 2015
- Payment Card Industry Data Security Standards (PCI DSS)
- ISO 9564 Financial Services – Personal Identification Number (PIN) management and security: Part 1 & Part 2
- ISO/TR 13569 Financial Services – Information Security Guidelines
- ANSI X9.112 Wireless Management and Security