Merchants and customers want the same thing – a frictionless payment experience. Everyone from Walmart to city governments and local merchants are making it easier to tap, pay, and go. While these transactions are safer than traditional POS payments, it hasn’t stopped hackers from using new fraud techniques to make millions.
Contactless payments use advanced technology
Near field communication (NFC) is the technology behind contactless payments. Much like RFID technology, it uses radio waves to collect nearby information from smart devices. NFC reads these devices from about 1.5 inches away and no further than 4 inches. (This disrupts the urban myth that hackers with RFID scanners can secretly collect payment data when walking near people.) NFC technology involves a direct, almost instant transfer of encrypted data to POS devices, as opposed to more traditional chip and PIN technology that takes longer to process.
NFC payments are quickly gaining popularity but there are additional types of mobile payments including sound waves-based payments and MST payments. Some payment methods can use sound waves in areas without a sophisticated infrastructure to securely transmit data, especially in areas where people don’t have smartphones. Magnetic secure transmission (MST) payments are a third way to pay with a mobile phone and involves the phone emitting a magnetic signal imitating the magnetic strip on the payer’s credit card.
NFC is the backbone of contactless payment processing, using different means to collect the customer’s information.
- Mobile apps. Apple Pay, Google Pay, Samsung Pay, PayPal, Zelle, and merchant-specific apps use NFC technology to transfer payment data from a smart device to an NFC reader. Depending on the app, additional security features, like passwords or biometric readers, require the user to enter additional information to process the purchase.
- EMV Chip Cards. Some physical cards include a chip that encrypts personal payment data, making it more difficult to hack. Merchants must still use NFC readers to collect information. These cards often limit the number of small purchases that can be made within a short period of time, limiting fraud abuse.
QR code payment standards are under development
QR codes are similar to a bar scan code but contain more detailed information. When scanned, systems can retrieve information about individual products or payment methods.
The Walmart Scan-and-Go app, first offered in 2016, allows shoppers to use their app to scan products, pay at the register with their mobile device, and receive an exit pass to leave the store. Starbucks, Home Depot, Dunkin Donuts, and other merchants are rapidly expanding their use of QR codes. However, many of these apps are proprietary, linking products bought with a QR code to their internal payment processing systems.
Fraudsters can create fake QR codes that buyers may inadvertently scan, leading consumers to a fraudulent payment app for processing. This approach can lead the user to mistakenly download malware that collects personal information or processes a fraudulent payment.
There has been no universal standard for QR code payments, leaving chargeback resolution and other issues up to the individual merchant to define. In December 2020, Mastercard announced that it is working with industry partners to develop a global standard for processing QR code payments. These standards will make it easier to connect merchants and credit card processors while reducing fraud.
Fraud spikes as contactless payments increase
The pandemic created a perfect storm for contactless payment fraud. An increase in online purchasing, contactless payments, and fraud make it more difficult for merchants to track and contest chargeback losses.
- Mastercard reported an increase of 40% in contactless payments for the first quarter of 2020.
- Attempted fraudulent transactions increased 35% in April 2020.
- “Friendly fraud”, where the consumer requests a refund without returning purchased merchandise, has been on the rise.
- Only 5% of merchants have successfully challenged Apple Pay or Google Pay chargebacks compared to a 48% success rate with physical credit card chargeback disputes.
With an increase in mobile payments, the lack of protection puts merchants in the precarious position of incurring more chargebacks but having a limited dispute success rate. Without a clear means of chargeback resolution, merchants have been left to foot the bill, losing revenue and often the inventory that generated the sale. Small businesses are most frequently at risk, operating with already slim margins and competing with larger merchants.
Fraudsters are overcoming mobile payment challenges. Once they have obtained personal data or credit card information, fraudsters are most likely to open a new credit card account. According to the FTC, 88% of credit card fraud came from fraudsters opening new accounts. They can then use this data for card-not-present purchases, including mobile payment apps.
In this situation, the mobile app belongs to the fraudster, but the payment information belongs to someone else, leaving the merchant to pay the price.
What’s in your wallet?
Technology is one of the few ways that loss prevention professionals can keep on top of fraudulent trends. Transactions happen fast, and fraudster schemes are rising in complexity and value. If mobile payments, chargebacks, and friendly fraud are on the rise, it is up to LP to identify and monitor it.
Faced with the daunting task to do more with fewer resources, it’s never been more important for loss prevention professionals to work smarter, not harder to combat enterprise loss like internal theft like cash skimming. Learn more about Loss Prevention best practices in our new whitepaper, “5 of the Biggest Mistakes you can make as a Loss Prevention Leader.”