NFC mobile payments: behave yourself – we’re watching you

In banking, management, mobile, products, security, strategy, uncategorized on Wednesday, 23 February 2011

Paying for the things you want in the blink of an eye. Sounds amazing, doesn’t it?
You don’t sign, or PIN, or even touch. But who’s to say it’s you buying?
How NFC back-end fraud detection must get smart!

You see, this speed carries one big penalty. Security. Not for the device, for you. The transaction is now so fast, it can’t be fraud-checked conventionally.

“Contactless” means just that. No contact from either side – counter or customer. There’ll be no alerts, no chance to stop a fraudster. Or is there?

The transaction trap

With existing technology, a number of “gates” will check the transaction validity. Moving to the next transaction stage is determined by the previous gate’s status.

These security checks provide both technical and psychological security. Just like passing through the “nothing to declare” gate at the airport.

The card’s chip or stripe is checked against the IHCF hot card file, the stolen card report, before the PIN request. The transaction level is checked against both the card and the store’s own threshold, called the Floor Limit.

Finally, the card processor may apply a behavioural algorithm to the transaction.

The gates are vital. If a fraudster fails any stage they risk being apprehended, which is a powerful deterrent. For NFC, we need something totally different.

NFC drive-by fraud

NFC doesn’t have gate checks. NFC device holders will just “appear” fleetingly. No user authentication is attempted; just presenting the device is enough.

NFC experts suggest that transactions may be subject to random PIN challenges, but fraudsters could simply cancel the attempted fraud.

The only real chance of avoiding NFC fraud is to try to work out if the transaction is predictable – if it’s likely to occur – and that requires a much smarter system…

Social engineering

Social engineering is all about managing, and sometimes manipulating, the relationships we have with technology.

Interface design, usability and behavioural measurement are design elements; hackers and espionage agents use social techniques to gain access to secure environments. But it’s the behavioural aspect that is used in fraud prevention.

Do you come here often?

So, you think you’re different, you tread your own path in life, do things your way? Well, think again. We’re all, believe it or not, creatures of habit. Social animals.

In reality, it’s true to say we’re all predictable. But that’s not actually a bad thing. Not when it comes to payment security, anyway.

By analysing social footprints – where we shop, level and frequency of purchases, interests and age – it’s possible to score the authenticity of a purchase.
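An added example (not from the original post) of scoring a contactless purchase against a holder's footprint, using three of the signals named above: where we shop, level and frequency. The history data, the weights, the 0.5 threshold and the function names are all assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed purchase history for one cardholder: (time, merchant, amount).
HISTORY = [
    (datetime(2011, 2, 14, 8, 10), "coffee-shop", 2.80),
    (datetime(2011, 2, 15, 8, 12), "coffee-shop", 2.80),
    (datetime(2011, 2, 15, 12, 40), "sandwich-bar", 5.50),
    (datetime(2011, 2, 16, 8, 9), "coffee-shop", 3.10),
    (datetime(2011, 2, 17, 12, 35), "sandwich-bar", 6.00),
    (datetime(2011, 2, 18, 8, 11), "coffee-shop", 2.80),
    (datetime(2011, 2, 19, 10, 30), "newsagent", 1.20),
    (datetime(2011, 2, 21, 8, 14), "coffee-shop", 2.80),
]

def score_purchase(history, when, merchant, amount, window=timedelta(hours=1)):
    """Return 0..1: how well a purchase fits the holder's habits (1 = typical)."""
    if not history:
        return 0.0  # no footprint yet, so nothing supports the purchase
    visits = Counter(m for _, m, _ in history)
    amounts = [a for _, _, a in history]
    # Where we shop: visits here relative to the holder's most-used merchant.
    place = visits[merchant] / max(visits.values())
    # Level: distance from the usual spend, in standard deviations.
    z = abs(amount - mean(amounts)) / (pstdev(amounts) or 1.0)
    level = 1 / (1 + z)
    # Frequency: each purchase already made inside the window lowers the score.
    recent = sum(1 for t, _, _ in history if timedelta(0) <= when - t <= window)
    frequency = 1 / (1 + recent)
    # Weights are illustrative assumptions, not values from the article.
    return round(0.4 * place + 0.4 * level + 0.2 * frequency, 3)

def decide(score, threshold=0.5):
    """Assumed policy: below the threshold, query the purchase (e.g. PIN)."""
    return "approve" if score >= threshold else "challenge"

if __name__ == "__main__":
    usual = score_purchase(HISTORY, datetime(2011, 2, 22, 8, 13), "coffee-shop", 2.80)
    odd = score_purchase(HISTORY, datetime(2011, 2, 21, 8, 40), "electronics-store", 15.00)
    print(usual, decide(usual))
    print(odd, decide(odd))
```

The morning coffee scores high and is approved; a large purchase at an unseen merchant minutes after another tap scores low and is routed to a challenge.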

Purchase interruptus

But the matter of purchase intercept remains. How can a transaction be queried?

The best and most efficient method is to determine the possibility of a purchase. The holder would register their interest in buying in the store by a pre-buy pass.

The device itself would certify the proposed purchase by an authentication check. Once the goods were selected, contactless payment could occur as normal.

Without advanced anti-fraud methods like this, the banks will keep overcharging. And that’s one behaviour we need to change.
