Contactless Commerce: How Consumers Can Avoid Fraud in the Age of the Digital Wallet
States moved into lockdown mode when COVID-19 made its appearance in the U.S. back in March. And with that, business moved digital. However, many didn’t realize some of the ramifications of moving digitally so quickly, particularly with regard to online fraud.
Now, as the country has begun its reopening, how physical businesses and stores approach consumers will be paramount. The digital wallet was an alternative payment instrument in 2019, used by tech-savvy, mobile-first individuals who wanted an alternate checkout experience. Today, the digital wallet will become a focal point of consumer purchasing habits.
So how can consumers avoid fraud in the age of the digital wallet? Here are a few things to consider:
Going Digital Opens Up the Attack Surface Playing Field
Card-not-present (CNP) fraud is complicated given that there's an increasing number of digital banking channels available for attack. Even before the pandemic, banks’ efforts to craft seamless cross-channel experiences were moving in a positive direction. However, the swift move to a virtual (and contactless) reality has made this shift even more pronounced.
The ability to offer a service where consumers merely have to use biometrics to complete a transaction is the marker of a truly seamless service offering. However, fraudsters, quick and sometimes steps ahead of customers, have begun to develop new types of attacks that take advantage of the reduced friction that's typical of enhanced customer experiences.
Some of these types of attacks include:
- Man-in-the-middle attacks: These schemes involve real-time interception of sensitive communications, often after someone has clicked a link to a fake website. Believing they're logging into their banking portal, they enter their credentials, which the fraudster captures and uses on the actual bank website. When a one-time password is sent to the victim, the same process is followed to gain full access.
- SMS injection: This is another type of identity theft that takes place when fraudsters use malware, usually delivered via SMS, to copy a device’s certificates.
- SIM-swap fraud: A kind of spear phishing attack, this method involves the cloning of a physical SIM card or, much more often, the porting of a victim’s mobile number from their SIM to another through social engineering or collusion at the mobile carrier. It’s a remarkably effective means of intercepting one-time passwords.
Utilizing Authentication Methods Can Be a Strong First Step
Financial institutions have the ability to help their customers stay ahead of fraudulent attacks by introducing strong customer authentication methods. Whether the consumer is shopping online or in-store, by deploying authentication at relevant points, financial institutions are able to help secure the transition between digital channels and can reduce opportunities for attack.
It's critical that a bank is able to provide robust authentication measures for any sort of account activity, such as password changes, updating contact details and mobile telephone numbers, or changing authorized users. However, the customer also has to keep up their end of the bargain. When customers use only trusted endpoints (e.g., secure browsers and mobile apps) for the most sensitive account changes, a bank can help them mitigate any significant fraud exposure.
Don’t Give Away Any Sensitive Details
In today’s world, the call center has become top of mind for many — making it easier for consumers to communicate with representatives across different businesses that impact their daily lives. However, the call center has become a target for fraudsters, with traditional identity and verification checks relying on credit bureau data and other data sets.
That said, it’s imperative that credit card numbers and other personal information are kept private. Because the call center is a high-friction, low-assurance field, it becomes nearly impossible for financial institutions to verify the caller when making a purchase without subjecting them to numerous time-consuming checks — something that's not conducive to an A+ in timely customer service.
However, by establishing multiple trusted endpoints linked to the customer, a bank can quickly establish whether the caller’s identity is legitimate or not. Resources that customers can look out for to ensure they're making legitimate connections are “Talk to an agent” links or an authentication message sent to a trusted endpoint if a landline is in play. Customers who have this ability when making online purchases are key to distinguishing one digital offering from others.
Whether shopping online or chatting with a representative from your favorite store, a consumer's digital footprint needs to align with their real-world identity. By putting down strong trust anchors across multiple devices, consumers have the ability to initiate transactions in one channel and seamlessly complete them in another — a testament that staying safe in the age of the digital wallet is possible.
Praveksha Maharaj is the digital banking product manager at Entersekt, focused on mobile authentication and the omnichannel customer experience.