How secure are Digital Wallets? This is a question that naturally comes to mind as DWs are all about money. Since DWs usually have mobile apps, what happens if the mobile device is lost or stolen? A DW may hold a balance in its pre-paid account, it may have links to digital forms of credit / debit cards, it may have access to one or more of the bank accounts of the account holder, or a combination of all of these. In short, it has access to all the liquid funds the account holder possesses. Hence, the security of DWs needs to be top-notch.

Sign-up

It all starts when a user opens a DW. It is easy to download a DW app on a mobile device. For registration, it typically asks for a user-id (which is usually your email), a strong password, and a phone number. Codes are sent via SMS to the mobile number and email, and one needs to enter them to validate the contact credentials. Following this, funding sources such as bank accounts and credit cards are registered, and a penny-drop mechanism is used to validate the accounts and cards. These steps comply with the best practices of Strong Customer Authentication (SCA).

At this point, the account details and the card details are moved out of the system and replaced with “tokens”. The mapping of the token to the account/card details is maintained in token vaults so that should the device or account get compromised, the actual details of the fund sources will remain obfuscated. Token vaults can be maintained by third-party providers or by the DW themselves. This reduces the scope of PCI certification as no original payment credentials reside in the application system.

Access Control

To access the DW from the mobile device or browser, one will need to use the user-id, password, and another authentication factor. For smart phones, this could be a fingerprint biometric driven device lock, and for browsers, it is usually a One Time Password (OTP).

While doing the transactions, based on the adjudged risk of the transaction, there could be an additional factor of authentication such as requesting answers to profile questions and, in some cases, requesting a transaction password that is different from the login password.

Token Refresh

As we mentioned earlier, payment credentials are mapped to tokens. To further increase the security of the system, these tokens change after a certain time or number of usages. Mobile payments like Apple Pay, Google Pay, Samsung Pay, Discover Pay, etc. use a certain mechanism to persist tokens in the phone and update them every so often. In one mechanism, a set of tokens is persisted in a Secure Element (a secured hardware component in the phone) so that offline payments are possible from the DW. Another mechanism is to have the tokens in the cloud and make them available in the event of purchase; this is called Host Card Emulation (HCE). Each has its advantages and disadvantages; however, both exist.
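The token vault from the Sign-up section and the refresh rule described above, as an added example that is not part of the original article or any wallet provider's code. It is a minimal in-memory vault; the class and method names, the usage and time limits, and the sample card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class TokenVault:
    """Maps random tokens to card numbers (PANs); the wallet stores only tokens."""

    def __init__(self, max_uses=3, ttl_seconds=3600, clock=time.time):
        self._key = secrets.token_bytes(32)   # keys the PAN fingerprint index
        self._by_token = {}                   # token -> [pan, issued_at, uses]
        self._by_card = {}                    # PAN fingerprint -> current token
        self.max_uses, self.ttl, self.clock = max_uses, ttl_seconds, clock

    def _fingerprint(self, pan):
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        """Issue a fresh token for the card and retire its previous one."""
        fp = self._fingerprint(pan)
        self._by_token.pop(self._by_card.get(fp), None)
        token = secrets.token_hex(8)          # random: derived from no PAN digits
        self._by_token[token] = [pan, self.clock(), 0]
        self._by_card[fp] = token
        return token

    def detokenize(self, token):
        """Return (pan, token_for_next_payment); raise KeyError if retired."""
        pan, issued_at, uses = self._by_token[token]
        if self.clock() - issued_at > self.ttl:
            del self._by_token[token]         # time limit reached: retire
            del self._by_card[self._fingerprint(pan)]
            raise KeyError("token expired")
        self._by_token[token][2] = uses + 1
        if uses + 1 >= self.max_uses:         # usage limit reached: refresh
            return pan, self.tokenize(pan)
        return pan, token


if __name__ == "__main__":
    vault = TokenVault(max_uses=2)
    pan = "4111111111111111"                  # constructed sample PAN, not a real card
    token = vault.tokenize(pan)
    for _ in range(3):
        _, token = vault.detokenize(token)    # token changes after the 2nd use
        print(token)
```

Only the vault ever sees the card number; a token copied from a lost device stops resolving once it has been rotated or has expired.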

Behavioural Analytics

DW is a hyper-personal payment facility where each transaction can be tagged with a customer credential even though the source of funds could be different accounts or cards or wallet balances. This provides an opportunity for DW to build fine-grained profiles of the customer and use it to assess outliers.

This view of the customer helps to arrest possible fraud; however, the customer needs to provide consent to share the aggregated information with the DW platform. This is needed as DW uses this aggregated view across wallet users to build predictive models using AI and then utilize this to raise specific alerts.

Vulnerabilities

It is predicted§ that by 2023, around 50% of global ecommerce transactions will use mobile and digital wallets. In the next 3 years, there will be about 1.3 billion daily active users. Hence, DW becomes a major target for fraudsters.

Stolen Card: 25% of the merchants in the U.S. say that mobile and digital wallets are the main vehicles for using stolen cards. Blocking a compromised wallet does not block stolen cards, and as tokens are used instead of clear card identifiers, it is very difficult to block the cards. The fraudsters open a new wallet and migrate the stolen card from the closed wallet. Ideally, Strong Customer Authentication processes should prevent such exploits; however, many financial institutions lack the discipline.

Friendly Fraud: Sometimes customers make purchases using wallets and then they themselves raise disputes on authentic transactions. Merchants fight back against such chargebacks, but they find it extremely difficult to win against such friendly fraud. Reportedly, merchants are ten times less likely to succeed on chargebacks for cards in a DW.

Account Takeover: Bad bots and data breaches expose password-protected DW to a high degree of vulnerability. Today, a large number of credentials are floating around in the dark web. The only way to contain the risk is to follow the best practices of password hygiene, token updates, using behavioural analytics to raise alerts, maintaining device fingerprinting, and constant user education.

§ Source: https://www.ravelin.com/blog/what-does-fraud-look-like-on-digital-wallets

Conclusion

Security is an important aspect of DW. As technology evolves, payment players are adding newer ways to attract and engage users who can now also choose to pay using non-cash currency like loyalty points and gamification that are continually being personalized using AI-driven analysis of user behaviours. As SoftPOS becomes mainstream with the PCI recently announcing the Mobile Payments on COTS (MPoC on Commercial Off The Shelf devices) standard, payments made through DWs are promising to be not just ubiquitous but also more secure.

Before we conclude the series, we would like to leave you with a thought. Is it safe to use public Wi-Fi to make payments through digital wallets, if the wallet and the user adhere to all other available methods of ascertaining security?