FAQs around Mobile Payments: Mitigating Risks and Reducing Fraud

November 14, 2017 - UL recently hosted a webinar about this topic and collected the most frequently asked questions. Read the answers below!

1. In mobile payment which key will be used to encrypt the TC, ARQC ? Is it the same private key for the original contactless card?

Cloud Based Mobile payments are online transactions only, the symmetric key used for encrypting the requests is a tokenized key and valid for one transaction only.

2. What is current state of mobile wallet integration for MasterCard? TSE scenarios for CTLS ATM do not permit to generate such set of test, but VpTT does include them already. Also, can we "assume" that if Visa mobile wallet works, is MasterCard expected to have similar implementation that will not require additional major development at (for instance) kernel level?

Both MasterCard and VISA currently have their own cloud based mobile payment specification with their own functional testing requirements and therefor kernels are not interchangeable.

3. Does the Mobile payment consider the location of the transaction as authentication factor?

Not as part of the APDU exchange between mobile handset and payment terminal. However risk assessment based on the location of the merchant and the location of the phone may still be performed. Conceivably it is possible to verify the location of a handset through interacting with the cloud server before performing a transaction, but this would increase the time it takes to perform the authentication step.

4. Does mobile payment still vulnerable to relay attack?

A relay attack that relays APDUs from one location to another is possible with mobile payment solutions and the risk is similar to contactless cards in that respect. A key difference with mobile handsets is that often either the phone must be unlocked before a transaction can even be initiated, and/or the user must be authenticated on the phone itself.

5. Who is doing Tokenization? Does the Payment Card generates these tokens?

Some payment schemes provide their own tokenization infrastructure to provide tokenization services. Tokenization always occurs within a secure computing environment, and never on a payment card directly.

6. How prevalent are attacks on phone payment apps today. In other words what percentage of the fraud?

Fraud levels are tracked by payment schemes and made available to their respective customers. That said the most prevalent forms of fraud focus on enrollment of payment cards on mobile payment platforms rather than attacks that aim to bypass the security measures present in mobile payment solutions themselves.

7. In the EMV contactless payment, what factors are determined to wither the transaction is going to be online or offline contactless transaction?

For mobile payment solutions offline transactions are not supported.

8. What is the issue with KRACK and mobile payments? And what is the solution to this issue? Especially when it comes to rogue APs?

UL advocates layered security and recommends networked solutions make use of SSL secured connections, certificate pinning and additionally application level encryption and integrity checks. With such mechanisms in place the impact of unsecured wireless links is greatly reduced.

9. Does the ADPU commands and responses are the same in both mobile payment and contactless card ?

The APDU command and responses for mobile payments have their own specifications and separate certification requirements.

10. Are there different risks patterns between NFC mobile payment and QR code mobile payment?

NFC based payments involve the end user and allow end to end validation of transactions, something which with printed QR codes is not always possible.