Banks want tech giants to sign mobile security code

Banks and payment companies are nutting out a new security protocol for digital wallets in Australia to avoid a repeat of the spike in identity theft when Apple Pay was introduced in the US.

Members of the Australian Payments Clearing Association – which includes banks, credit card companies and payments networks – are worried tech companies, including Google, Apple and Samsung, do not have to adhere to the same security and privacy requirements for customer information as they do.

Demonstration of Apple Pay being used on an iPhone at its launch in late 2014. Its popularity waned in 2015 as it suffered high fraud rates. Photo: Supplied

Its 100 members, as well as regulators ASIC, the Reserve Bank, APRA and the ACCC, are due to respond to a private consultation draft of a Third Party Digital Wallet Security Code by the end of January.

"Australian financial institutions are subject to prudential regulation and ongoing supervision in relation to their privacy compliance. Mobile wallet providers are not subject to the same level of ongoing supervision," the consultation paper says.

Google, Apple and Samsung are not members of APCA and would be required to sign the voluntary code for it to be enforceable, even though the underlying payment systems they are using are APCA members.

Apple Pay launched with American Express in Australia in November and Android Pay should be available here by April.


Several banks – including Commonwealth Bank and Westpac in 2015 and NAB on Monday – have released their own digital wallets. But the software and phone makers' wallets are expected to be more popular, as any card can be used on them.

The APCA consultation paper says Apple Pay was adopted quickly when it was first released in the US in October 2014, with 25 per cent of respondents to a survey in April 2015 by Clearing House saying they had Apple's mobile wallet app on their phones. A follow-up survey in July found this had dropped to 13 per cent. The biggest reason cited for the drop was poor security.

Stolen credit card numbers

The decline followed reports of people using stolen credit card numbers and US social security numbers – which can be bought on the "dark market" online for as little as $US1 each – as proof of identity when loading their iPhones with card details.

Fraud rates were reportedly up to 6 per cent on Apple Pay, compared with around 0.1 per cent for in-person transactions on cards.

Besides their own lax practices, the banks complained that Apple did not provide enough data on the phone owner to check identity.

Some say mobile devices connected to the internet are more vulnerable to fraud. Online fraud is much higher than "card present fraud" because numbers can be stolen and quickly used to buy things online. Without strict ID checks, a stolen card number can be added to a mobile device as easily as a website.

APCA's 2015 financial year statistics show online transactions account for 80 per cent of all card fraud and this rose by more than 25 per cent in the year to June from $256.5 million to $322.7 million.

Ryan Yuzon, a director of bank consultant RFi, said US banks initially were slack about checking the identity of the user. Most now check that the phone number is registered to the same person as the card, as well as making other checks. As a result, fraud rates have declined, but he agreed this could change as mobile devices replaced plastic.

"[Contactless] on the phone seems to offer a bridge for fraud perpetrated at the physical point of sale using stolen card numbers, rather than being limited to card-not-present payments."

The digital wallet code, however, endorses existing methods of identification. Banks here require several documents, including passport or driver's licence numbers as well as salary and bank statements and employment details. Instead, it says the device and software makers should have identification and verification methods as strong as the banks'.

It would also make it compulsory to use a new security measure called tokenisation of card numbers if the device providers are not using security chips embedded in the phone or SIM card, which are considered as safe as present chip cards.

Several new tokenisation methods store the tokens in software, which is considered more vulnerable to hacking.
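To show what tokenisation of card numbers means in practice, here is a small illustration of the concept. It is an added example, not part of the article, the APCA draft code or any payment network's scheme, and the names (`TokenVault`, `issue_token`, `detokenise`, the device identifiers and the well-known test card number) are constructed for illustration. The idea it demonstrates: the card number (PAN) stays in an issuer-side vault, the phone only ever holds a random token that reveals nothing about the PAN, and the vault refuses to honour a token presented from a device other than the one it was issued to, so a token copied out of software on one phone cannot simply be replayed from another.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_valid(pan: str) -> bool:
    """Luhn check so the vault refuses obviously malformed card numbers."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class TokenRecord:
    pan: str         # the real card number, never leaves the vault
    device_id: str   # the device the token was provisioned to


class TokenVault:
    """Issuer-side vault: the only place a token can be mapped back to a PAN.
    Constructed illustration, not a real payment network's token service."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def issue_token(self, pan: str, device_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        # 16 random bytes from the OS CSPRNG: the token is unrelated to the PAN,
        # so it cannot be derived from it, and the PAN cannot be derived from it.
        token = secrets.token_hex(16)
        self._records[token] = TokenRecord(pan=pan, device_id=device_id)
        return token

    def detokenise(self, token: str, presenting_device: str) -> Optional[str]:
        """Return the PAN only if the token exists and is presented by the
        device it was bound to; otherwise None (the transaction is declined)."""
        rec = self._records.get(token)
        if rec is None:
            return None
        # Device binding: a token lifted from one phone is useless on another.
        if not hmac.compare_digest(rec.device_id, presenting_device):
            return None
        return rec.pan


def masked(pan: str) -> str:
    """What a wallet or receipt may display: last four digits only."""
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"   # widely used Luhn-valid test number, not a real card
    tok = vault.issue_token(test_pan, "phone-A")
    print("token on device:", tok, "displayed as", masked(test_pan))
    print("same device  :", vault.detokenise(tok, "phone-A") is not None)
    print("other device :", vault.detokenise(tok, "phone-B") is not None)
```

The device check is the part that matters for the article's point about software-stored tokens: if the secure element is absent, the token itself can in principle be read out of the phone, so the issuer's side has to limit what a stolen token is good for (here, nothing from any other device). Real schemes add more restrictions than this, such as per-transaction cryptograms and merchant or channel limits, which this illustration does not model.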