Will the ‘F-Word’ Damage Mobile Money?: The industry deals with a spate of high-profile fraud cases
As discussed earlier this month in Mondato Insight, trust is one of the key factors that will ultimately determine the success or failure of mobile payments. In Kenya, where mobile money has laid the deepest roots, the relative trustworthiness of M-PESA in comparison to the alternatives was critical in catalyzing registration and usage (see here for a recent discussion on this and related matters). Apple is betting that trust in card payments in the United States has broken down sufficiently that people are willing to look to alternatives, and of course Apple Pay in particular.
Fraud in the Frame
It has to be with horror, then, that executives from MNOs, handset manufacturers, or indeed any mobile wallet operator, greet headlines that include “mobile” and “fraud” in the same sentence. Of course, in any instance, the devil is in the detail, but in terms of branding and trust, guilt by association can be extremely damaging, particularly when customers often are not inclined to get into, or are unable to understand, the nuances of the detail. In the words of American political guru Karl Rove, “If you are explaining, you are losing.”
A point in case is the recent spate of negative headlines that surrounded Apple Pay: “Spike in Fraud Has Experts Doubting Apple Pay”; “Apple Shirks Responsibility for Fraud Happening on Apple Pay”; “Fraud Comes to Apple Pay”; “Turns Out Apple Pay Can’t Solve Credit Card Fraud,” and so forth. These sorts of unwelcome headlines hack at the heart of the Apple Pay pitch (“easy; secure; private”) and as such, are likely to have damaged confidence in mobile payments in general and Apple Pay in particular.
Mondato Insight looked at the security underpinning Apple Pay in a previous post on the week of the service’s launch. We observed that “You can be sure that hackers are right at this moment attempting to exploit vulnerabilities in the Apple Pay system, most likely at the point in the process where new cards are added.” That has indeed proven to be the point that fraudsters have attempted to exploit. Some argue, however, that the flaw that has been exploited is in reality not a flaw in Apple Pay itself, but another example of the very same flaws in traditional credit cards that Apple’s CEO Tim Cook highlighted at Apple Pay’s launch.
The Drop Labs blog described the arrival of fraud to Apple Pay a month or so after its launch as a “surprise,” but in reality it should not have been. Moreover, the fraud being carried out was nothing more than old-fashioned credit card fraud, whereby fraudsters were buying stolen identities (presumably from credit card breaches of the kind that Apple Pay has the potential to fix), and uploading the details onto Apple Pay. Crucially, banks’ security processes for validating the card upload appear to have been found wanting in some cases. While undesirable and regrettable, the more pertinent question is: Was the fraud less likely to have been detected than if the fraudster had used the stolen information in a traditional credit card fraud? The answer would appear to be no.
Certain commentators have even gone on to question whether Apple should have mandated particular verification processes, given the fact that they had the muscle to extract 15 bps from the banks. However, as Mondato Insight noted earlier this month, since banks ultimately bear the cost of the fraud, is it up to Apple to dictate to them what level of fraud they should tolerate and where they should invest resources to prevent it? Indeed, the sharpest irony of all is that the best way to prevent this type of “Apple Pay fraud” occurring in the future is to have more Apple Pay, or more specifically, more tokenization. With fewer card numbers in circulation, the opportunities for them to be cloned and exploited are similarly reduced.
A Fraudster’s Playground
Around the same time that “fraud” and “Apple Pay” were appearing in headlines, so too was the “f-word” popping up alongside “mobile money.” An audit of MTN Money in Uganda revealed that fraudsters had walked away with an eye-watering USh 21 billion (around US $7.5 million at today’s exchange rate). In this instance, however, the fraud was more akin to a sophisticated “inside job” at a bank, than anything to do with the security of consumers’ funds: MTN staff faked a mobile money deposit and then fraudsters withdrew the money from the MTN Money escrow account held at Stanbic.
Once again, however, some of the reporting of the fraudulent incident may have served to damage trust, as before, in both brand and technology. MTN was no more able to “create fake money” than a bank is able to “create fake money” via a fraudulent wire transfer or a bounced check: the fraudster fools the system into believing that money that doesn’t exist is there. And in this particular instance, that money has to be replaced or recovered, in this case by MTN.
This was only the most egregious example of an ongoing incidence of mobile money fraud in Uganda (and elsewhere), which has been well documented by Microsave. From the passing off of fake currency, to fake “erroneous transactions,” to stealing customers’ account and PIN information, Uganda has been described as a “playground for fraudsters,” with the fundamental problem being weak KYC norms and lack of national I.D. However, what is notable is that most of these forms of fraud, as with the others previously described, are really just mobile-based adaptations of scams that go back years, decades or even centuries.
Death, Taxes and Fraud
At the end of the day, fraud is a bit like death and taxes: it is unavoidable. Like all good detectives, fraudsters follow the money, and when certain barriers are placed in their way, or new soft targets open up, that is to where they turn their attention. Using credit card numbers and PINs in mobile money is using 20th century technology for 21st century transactions, and they carry over with them 20th century types of fraud. So long as the bank or MNO standing behind the wallet honors its obligations, then consumers can and should continue to trust in mobile technologies to hasten the advent of 21st century security and authentication solutions. Until that time, customers need to remain vigilant, in mobile money and payments, as in everything else. Caveat emptor!
Editor’s note: This post was originally published on Mondato’s blog. It is cross-posted with permission. You can read Mondato’s follow-up coverage of the fraud issue here, and register for its upcoming Mondato Summit Africa here.
Chris Connolly leads Mondato’s media efforts and provides research and analysis, as well as assisting Mondato’s work in the field of MFS regulation.