Millennials and Fraudsters First to Embrace Mobile Wallets
Millennials are leading the charge where technology and financial payments come together. Unfortunately, fraudsters also like to jump on new technology while businesses are still working out the kinks and have not yet discovered critical process gaps. This time, the fraudsters are pulling an end-around with mobile wallets, effectively bypassing EMV to commit credit card fraud at the point-of-sale.
The scheme does not involve counterfeiting the chip but instead exploits vulnerabilities in mobile wallet enrollment processes that allow bad guys to put virtual cards right on their mobile phones. The retailers are off the hook from a liability standpoint because the card is not physically present—it is essentially like an in-person version of CNP fraud.
How are the fraudsters doing it? They have made some slight adjustments to classic account takeover schemes. This is how it’s done:
Obtain Stolen Information (This is a time-honored practice that is well honed by the bad guys)
- Acquire credit card and personal information that was originally stolen via a massive data breach or simple social engineering.
- Contact the issuer and change the victim’s email address and phone number.
Set the Stage (This is account takeover and takes a few minutes)
- Enroll in a mobile wallet (e.g., Samsung Pay, Apple Pay or Android Pay) by entering the credit card information (i.e., name on the card, card number, expiration date and CVV).
- The card issuer will usually send a One-Time Password (OTP) to either an email address or a mobile phone number.
- The fraudster enters the OTP in a pop-up window.
- The mobile wallet provider verifies the credit card and the cardholder information with the issuer and the bank sends an ID for that card to the mobile wallet provider. The mobile wallet stores that ID in the app.
- The issuing bank sends an email alert or a text message that the card is added to the mobile wallet.
Cash Out (This is in-person CNP fraud)
- Once tokenized, the fraudster is free to use the card at brick-and-mortar retail stores, purchasing fenceable goods or making small purchases and requesting cash back.
Did you notice the critical step above that makes or breaks the scheme? The fraudster has to change the legitimate cardholder’s email address and/or the phone number before the card can be added to the mobile wallet. If this step is not completed, the enrollment cannot occur and the card cannot be tokenized in the wallet.
Therefore, it is critical for issuers to determine whether a customer-initiated phone number or email change on an existing account is legitimate. When the financial institution can identify a suspicious phone number or email address change, it can put procedures in place to avoid fraud losses.
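One way an issuer could act on that check at the moment of wallet enrollment, as an added example that is not part of the original post: score the enrollment against the account's recent contact-change history, and route the OTP to the pre-change email or phone number (or hold the enrollment) when a change has not been confirmed through the old channel. The account ids, timestamps, contact values and the 14-day window are all assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added illustration, not the author's tooling. Account ids, timestamps and contact
# values are constructed; the 14-day window is an assumed policy value.
@dataclass
class ContactChange:
    account_id: str
    field: str               # "email" or "phone"
    old_value: str           # value on file before the change
    at: datetime
    confirmed_via_old: bool  # change was confirmed through the previous address/number

@dataclass
class ProvisionRequest:
    account_id: str
    at: datetime

RECENT_WINDOW = timedelta(days=14)

def assess_provisioning(req: ProvisionRequest, changes: list) -> tuple:
    """Return (decision, otp_targets) for a wallet enrollment request.
    allow   - no unsettled contact change; the OTP may go to the current contact.
    step_up - a recent unconfirmed change exists; send the OTP only to the pre-change
              value(s), which someone who fraudulently changed them does not control.
    review  - email and phone were both replaced unconfirmed; no trusted channel remains."""
    recent = [c for c in changes if c.account_id == req.account_id
              and timedelta(0) <= req.at - c.at <= RECENT_WINDOW and not c.confirmed_via_old]
    if not recent:
        return "allow", []
    replaced = {c.field for c in recent}
    if {"email", "phone"} <= replaced:
        return "review", []
    # The earliest unconfirmed change per field holds the value on file before the run began.
    targets = [min((c for c in recent if c.field == f), key=lambda c: c.at).old_value
               for f in sorted(replaced)]
    return "step_up", targets

T0 = datetime(2017, 3, 1, 9, 0)  # constructed enrollment time
SAMPLE_CHANGES = [               # constructed change history
    ContactChange("A-1001", "email", "owner@example.com", T0 - timedelta(days=2), False),
    ContactChange("A-2002", "phone", "+15550100", T0 - timedelta(days=90), False),
    ContactChange("A-3003", "email", "a@example.com", T0 - timedelta(hours=3), False),
    ContactChange("A-3003", "phone", "+15550200", T0 - timedelta(hours=2), False),
    ContactChange("A-4004", "phone", "+15550300", T0 - timedelta(days=1), True),
]

def run_samples() -> dict:
    return {a: assess_provisioning(ProvisionRequest(a, T0), SAMPLE_CHANGES)
            for a in ("A-1001", "A-2002", "A-3003", "A-4004")}
```

Sending the OTP to the pre-change contact is what closes the gap the post identifies: the enrollment still completes for a legitimate customer, but a contact change alone no longer hands the enrollment code to whoever made it.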
Millennials and fraudsters are not going away anytime soon. Last year, according to Javelin, CNP fraud increased by 40 percent and account takeover fraud increased by 60 percent. Having controls in place to ensure that all contact information (i.e., mailing address, email address, phone number) in the customer profile actually belongs to the legitimate customer is best practice. It would certainly help stop this scheme.
Written by Jack Sundstrom
Chief Product and Marketing Officer
Jack has over twenty years of experience in building data strategies and developing advanced analytics solutions on behalf of clients across several industries including financial services, retail, telecommunications, consumer packaged goods, and automotive. He is passionate about developing products that use data to distinguish “good” from “bad” so that clients can make informed and profitable business decisions.