You know there’s a major problem with mobile security when the United States Secret Service starts talking about it.
Last week, the Secret Service issued a warning about a recent wave of identity theft incidents involving mobile payment systems. According to the Secret Service’s advisory, a growing number of criminals are exploiting vulnerabilities in near-field communication (NFC)-based mobile payment systems in order to steal consumers’ identities. (To learn more about NFC-based technology and its vulnerabilities, see my post about Apple Pay on the Apple Watch.) They’re stealing information like credit reports, tax records, healthcare records, etc. to create fake accounts on NFC devices, which they then use to make illicit transactions – both online and in-store. “Over the last several months,” the advisory states, “perpetrators have conducted numerous fraudulent transactions using this particular method of exploitation affecting many high-end retailers and banking institutions across the Northeastern portions of the United States.”
Cybersecurity advisories are not common from the Secret Service, but this advisory was published in partnership with the Payment Card Industry Security Standards Council (PCISSC), whose goal is to prevent payment fraud by establishing more rigorous standards for payment verification. Common security tools that are currently used – including knowledge-based authentication, like typing in your mother’s maiden name or your childhood pet – have been proven completely lacking, as we saw with the IRS’s Get Transcript snafu earlier this year. The advisory warns that the NFC payment processes are “particularly vulnerable” because when fraud concerns arise, the only verification tools in place are often the user calling from a recognized number or answering standard security questions. “These common security controls are often circumvented by criminals to compromise payment card data.”
As we’ve seen over the past few years with high-profile retail data breaches like Target’s and Home Depot’s, stolen PII (personally identifiable information) does a great deal of damage not only to the consumer whose identity is stolen, but also to the consumer’s bank or credit union, which often has to foot the bill for fraudulent charges and for reissuing cards in the case of a massive breach. While retailers and banking institutions wrestle over who should take financial responsibility for a data breach, the real question for consumers is how to protect their information and prevent a breach of personal data from occurring. While it’s certain that hackers are always going to be out there finding backdoors to data, payment system vulnerabilities have proven time and again that there’s more to be done to make it harder for hackers to find their way in. With this warning, the Secret Service is stepping in to sound the alarm and get people thinking twice about the security of the technology they’re using when they pay on the go.
The advisory isn’t just for consumers, though; it urges banks and retailers to step up their game when it comes to vetting mobile payments with strategies like biometrics, geolocation, and tracking usage patterns. Another suggestion it offers is more open communication across financial institutions to better identify duplicated registration attempts on NFC devices. Above all, the Secret Service and PCISSC advocate for vigilance and education on the part of consumers and financial institutions in order to mitigate this growing threat.
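As an added example (not from the advisory or from this post), here is one way an issuer could implement the "duplicated registration attempts" check the advisory suggests: it scans card-provisioning events for the same card enrolled on several devices within a short window, and for a single device collecting many different cards. The log format, field names, thresholds and sample lines are constructed for the illustration; pooling events from several institutions into the same function is what the cross-institution sharing the advisory describes would enable.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample provisioning log (not real data): one line per attempt to
# register a payment card on an NFC-enabled device, with the verification method
# used. 'kba' = knowledge-based authentication (security questions).
SAMPLE_EVENTS = """\
2015-06-01T09:12:03Z card=4111****1234 device=dev-a1 result=ok verify=kba
2015-06-01T09:40:51Z card=4111****1234 device=dev-b7 result=ok verify=kba
2015-06-01T10:02:17Z card=5500****9876 device=dev-b7 result=ok verify=kba
2015-06-01T10:05:44Z card=5500****9876 device=dev-b7 result=fail verify=kba
2015-06-01T11:30:00Z card=3400****5555 device=dev-c9 result=ok verify=biometric
2015-06-02T08:00:00Z card=6011****4321 device=dev-b7 result=ok verify=kba
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def flag_duplicate_registrations(events, window=timedelta(hours=24), max_cards_per_device=2):
    """Return (reason, key) alerts for suspicious provisioning patterns."""
    by_card, by_device = defaultdict(list), defaultdict(list)
    for ev in events:
        by_card[ev["card"]].append(ev)
        by_device[ev["device"]].append(ev)
    alerts = []
    # Same card successfully enrolled on more than one device inside the window:
    # a legitimate cardholder rarely does this, a stolen profile often is.
    for card, evs in by_card.items():
        devices = {e["device"] for e in evs if e["result"] == "ok"}
        span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
        if len(devices) > 1 and span <= window:
            alerts.append(("card_on_multiple_devices", card))
    # One device attempting to collect many different cards (fails count too,
    # since a rejected attempt is still a signal worth reviewing).
    for device, evs in by_device.items():
        if len({e["card"] for e in evs}) > max_cards_per_device:
            alerts.append(("device_with_many_cards", device))
    return alerts
```

Each alert is a review trigger for the issuer's fraud team, not an automatic block; the thresholds should be tuned against the institution's own enrollment baseline.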