
Beyond Two-Factor Authentication: Minimizing Mobile Payments Fraud


The more things change, the more they stay the same.  This seems to be the case with security and mobile payments, where security has been, is, and will remain a significant consumer concern.  This post discusses mobile payments security and introduces an authentication continuum for different payment methods, which can contribute to further minimizing mobile payments fraud in the future.


Security is paramount for mobile payments

U.S. Federal Reserve consumer research shows that consumers still are hesitant to make mobile payments for a variety of reasons, but security concerns are always near the top of the list.  In fact, 59% of U.S. consumers said they were “concerned about the security of mobile payments” and 41% said they “don’t trust the technology.”

Ponemon research has found that the fast pace of mobile payment technology advances is outpacing the security needed to prevent data breaches.  Clearly, security considerations must be an integral part of solution design.

Recognizing that mobile payments solution providers today are utilizing multiple technologies—tokenization, authentication, and risk engines—to avoid some of the past fraud problems associated with payment cards, this post will now look at a new authentication continuum framework.


Authentication continuum for different payment methods

Going back to the advent of credit cards several decades ago, authentication (i.e., correctly identifying the user) has always been a key element in providing security and integrity of the transaction.  Credit cards had single-factor authentication, which was improved upon with debit cards and their two-factor authentication.

More recently, Apple Pay has utilized smart phone-based technology (i.e., fingerprint) to advance the level of security.  Beyond two-factor authentication, innovators are developing even more security controls—which consumers will be able to set/control from the immediacy and convenience of their mobile phone.

This authentication continuum can be represented as follows:


Level of security   Payment method   Authentication   Description
Least secure        Credit cards     One-factor       What you own (card)
More secure         Debit cards      Two-factor       What you own (card) & What you know (PIN)
More secure         Apple Pay        Two-factor       What you own (iPhone 6) & Who you are (fingerprint)
Most secure         Beyond           Two-factor *     What you own (phone) & What you know (PIN) OR Who you are (fingerprint)

* Plus Freeze, Lock, etc. from phone


Apple Pay has received considerable media coverage regarding its security advances; this “Mashable” article describes why one author believes Apple Pay is “the most secure mobile payment system on the planet.”

That said, even Apple Pay… or the banks—depending upon how you think about this issue—has had fraud challenges.  This Apple Pay fraud has been described by the New York Times and other media outlets.

Finger-pointing aside, the NY Times states:  “Some of the nation’s banks are privately complaining that Apple Pay may not be so great after all.  But the banks may largely have themselves to blame…. Apple has now begun providing additional information to the banks that should help deter some of the fraud. The banks, which are responsible for the costs of the frauds, have toughened standards to review customer sign-ups on Apple Pay.”


Innovative approach to further minimize mobile payment fraud

Beyond Apple Pay’s tokenization and two-factor authentication (utilizing “who you are” vs. “what you know”), we believe solution providers can provide additional security through innovative technologies which enable a consumer to easily freeze, lock or keep locked (i.e., auto-lock) their mobile payment accounts—from their mobile phones.  These new mobile capabilities can overlay existing mobile payments fraud technologies.

In closing, one thing is for sure.  Security is dynamic and requires a continual effort to stay ahead of the “bad guys.”  Banks and consumers also need innovative tools in order to do so.  And for solution providers, it is a critically important journey without an end.  The more things change, the more this effort will remain the same.  Let us know what you think.




Comments: (4)

A Finextra member 17 June, 2015, 06:15

Security concerns seem to be a major concern for consumers. I believe that banks give them a reason to think in that direction. How many banks for example in the UK enable customers to add a new beneficiary in their mobile banking app? As far as I know, none. What the banks keep on telling by treating the mobile channel differently is that 'mobile is less secure'. By adding authentication as you describe and proper mobile app hardening there should be no reason to let user friendliness suffer anymore.

Graham Seel - BankTech Consulting - Concord 17 June, 2015, 16:01

Mobile phone security needs to be addressed for financial inclusion as well, with the added constraint that we can't assume smart phones. Still, possession of the phone (or SIM) and a PIN constitute 2-factor authentication, albeit pretty basic. However, as smart phones become ubiquitous, facial recognition is likely to become more significant for KYC identity purposes (particularly for countries with national IDs) - this should be considered for mobile security as well.

A Finextra member 18 June, 2015, 18:33


Thanks for your comment.  Yes--mobile needs to be viewed as just another channel (although a strategically important one) for banks, and all channels need to be secure.

A Finextra member 18 June, 2015, 18:34


Agree completely that feature phones (i.e., non-smart phones) need to be incorporated into mobile security solutions for financial inclusion.  My company has architected our offering to be agnostic to the type of mobile phone--which is critically important to achieve financial inclusion objectives.  Thanks and cheers.