Payment systems have adapted to fit the needs of consumers over time. In today’s omnichannel retail world, there are more ways to pay for purchases than ever before. Contactless payment technology is growing in popularity and adoption, with mobile wallets on phones becoming a primary payment source for many people. The next big step forward for contactless payments is using wearable devices like smartwatches, activity trackers and other consumer electronic devices a person can wear on their body.
Like other contactless payment systems, wearables users face issues with security, data vulnerability and other blind spots that can lead to losses from fraud. Consumers want to connect their mobile wallet to their Apple Watches or scan their Fitbits to pay for groceries, so merchants need to be prepared — not just to accept these new payment methods, but also to protect everyone involved in the transaction from fraud. Here are some key things to know about wearables, contactless payments and financial security.
Watching the wearables market
Wearable devices are just now starting to catch on in the U.S. The rest of the world was driving the trend for years before the Apple Watch made it onto the scene. According to a PaymentsSource article, consumer attitudes, banks’ willingness to support wearables and retailer accessibility have all improved in the last few years. As the wearables market expands, mobile payments technology has increased in accessibility and improved user experience.
PaymentsSource reports that the wearables market is primed for even more growth, doubling annual unit sales over the next five years to reach 260 million in 2023. Per a CCS Insight report, Apple sold an estimated 26 million Apple Watches in 2018, growing 63 percent over 2017 and accounting for 65 percent of the total value of the smartwatch market in 2018.
Wearables users have more options today than just Apple and Fitbit. Though Android-based smartwatch sales lag behind Apple Watch sales, CCS Insight says brands like Fossil, Garmin, Huawei and Samsung all are gaining ground in the smartwatch market.
One of the selling points for wearables is their mobile wallet features. Contactless payments require near-field communication (NFC) terminals, and as with any rapidly growing technology, NFC-enabled terminals are still a work in progress. But the work is progressing quickly.
According to Berg Insight’s NFC Report, the number of globally installed NFC-enabled terminals hit 54.5 million in 2017 and will reach 112.3 million units by 2022 — accounting for over 78 percent of the world’s point-of-sale terminals.
There are signs that wearables are going mainstream. Apple Pay and Fitbit both provide an overview on how to use mobile wallets and contactless payments through their devices. VISA has an article about paying with wearables and how contactless payments and wearable devices fit into the future of the Internet of Things (IoT). Apple’s product page explains some need-to-know facts about security when using mobile payments on wearables, but there’s still a big knowledge gap for consumers. Wearables have a long way to go to match the widespread adoption of traditional payment systems like EMV chip card readers.
Past issues with wearables are still present
Wearables users must understand how to protect their financial and personal data when using their devices. One of the biggest issues with security in wearable technology is the very limited history of the industry. There’s little precedent for how to handle important issues in safety and privacy, and some problems that existed a few years ago aren’t yet completely solved.
Back in 2015, two articles took wearables and contactless payments to task. Cult of Mac reported on a blind spot in Apple Pay’s two-factor authentication from banks that resulted in fraud jumping from 1 percent to 6 percent in some cases. According to the article, it was an easy fix for banks to drop the typical call-in authentication feature. This proves that wearable technology adopters charged into the market without a full understanding of how fraud could impact the emerging tech.
In a Tech Republic story that same year, tech marketing manager Ian Chen spoke about the importance of privacy safeguards for wearables and the need for everyone to know where their data goes and how it’s used.
“Companies give you a discount on health insurance if you wear a device,” said Chen, then working as Freescale Semiconductor’s sensor solution division marketing manager. “Then you look at the data the wearable is giving you. Is it fair if they say if you don’t go to the doctor in the next three months your insurance will go up?”
Although he spoke specifically on opt-in data shared for health tracking purposes, Chen’s warning can be applied to any data set that comes from wearable devices. We’re facing the same issues with privacy and data transparency four years after the Tech Republic article was published.
In an April 2019 article, Android Authority lays out the limitations of Fitbit Pay. The article doesn’t touch on fraud or security issues, but it does bring up an important factor for making purchases with a wearable device: spending limits. The current maximum amount a user can pay using contactless payments in the UK is £30, and some United States banks set a contactless transaction limit at $50. Australia hasn’t set a maximum limit, but if the amount is more than AU$100, users must enter the card PIN on the payment terminal — eliminating most of the convenience of wearable payment technology.
Fraud flourishes when security standards are an afterthought
Naturally, known outstanding issues don’t come up in an Apple Store sales pitch for the latest Apple Watch, so consumers must investigate these issues on their own. New problems and new iterations of old problems impact safety and security for users every day.
Researchers recently found a way to bypass the mobile payment limit on Visa cards, which would allow fraudsters to drain accounts with a single tap — even without needing to steal the credit card, according to Forbes. Another Forbes report detailed a scam that involved a group of fraudsters loading stolen Capital One credit cards onto their iPhones and spending more than $1.5 million on fraudulent purchases via Apple Pay between 2015 and 2016. Another group loaded Apple Pay accounts and other digital wallets with stolen JPMorgan credit cards purchased from dark web trading sites to make $600,000 in fraudulent purchases on extravagant items like Rolex watches, MacBook Pros and iPhones.
The same problem Cult of Mac reported on in 2015 is at the heart of these current schemes. Banks attempt to authenticate purchases from scammers, but rely on superficial checks like calling customers to ask for more identifying information or sending single-use codes to be entered upon upload without additional verification.
“Apple Pay security is only as strong as its weakest link, i.e., the consumer credit card issuer which owns the relationship with the credit card holder and is — in most cases — ultimately responsible for detecting credit card fraud,” said Gartner analyst Avivah Litan, who’s long warned of the possible fraud threat around the Cupertino company’s software. “The credit card issuer has access to the details of all card transactions initiated by the consumer and is thus able to observe patterns of suspect and fraudulent behavior.”
FICO takes the warnings one step further to ask consumers to be aware of security concerns with IoT and their connected devices. As we become more interconnected to each other and our devices, our connections become more vulnerable to tampering. The problem is that the companies selling the next great thing in interconnectivity have product innovation at the forefront. Security is often an afterthought.
Doug Clare of FICO says, “No matter how sophisticated its software developers and IT people are, many of these wearables companies are too new to have developed the security infrastructure and battle-hardened experience of the financial services and payments industries.”
He warns that wearables data is especially attractive to hackers because of the wearables market boom and associated proliferation of data that isn’t always subject to strict privacy requirements.
How to use wearables wisely
The security threats that come with using mobile payments on wearable devices might be a deterrent for users, but there are ways consumers can protect themselves and still enjoy the convenience of shopping with contactless payments. In a 2018 Experian article, attorney Joe Jerome said, “The onus should be on companies, organizations and governments to do better in evaluating privacy concerns and safeguarding data.”
Jerome, an attorney on the privacy and data team at digital civil rights advocacy organization Center for Democracy & Technology, also knows that the industry is slow to keep up with consumer rights. So until stronger privacy protections come into effect, Jerome has advice for the rest of us. “There is an obligation on users to see what type of information is out there on themselves,” he says. “You have to be proactive. It’s unfair to users, but it’s the world we live in.”
Jerome shares a few basic things on the Experian website that consumers can do to protect their data and privacy when using wearable devices:
Check the default settings on an app or device
“You should assume that the default settings on an app or device are not there to protect you — they’re there to maximize data collection for the company,” says Jerome.
Look for privacy settings in multiple locations
“It’s not enough to check the settings on an app or device. You need to pay attention to the service’s entire ecosystem,” says Jerome.
“Most of these companies reserve broad rights to do whatever they want with info they consider to be anonymized, aggregated and de-identified. Part of the challenge here is that there’s a lot of confusion around those three words, which are often thrown around identically. But they can mean different things. And even if data is anonymized, it can still be used in predatory ways,” says Jerome.
Travelers has other options for wearables users to enhance their device security:
- Set up custom security level settings for your devices
- Use Bluetooth encryption
- Encrypt critical data elements such as your user ID, passwords and PIN
Merchants also face major losses in contactless payments scams. Signifyd’s Guaranteed Fraud Protection shifts the liability for fraud away from ecommerce merchants, allowing merchants to increase sales and open new markets while reducing risk.
Our newest product, Seamless SCA, ensures all transactions are PSD2-compliant and adds an extra layer of security to your transactions — meaning merchants aren’t liable for fraudulent transactions.
What’s next for wearable technology
Wearables, despite their inherent issues, are here to stay. The technology is helping redefine user experience as our devices become more integrated into our everyday lives. CCS Insight’s 2019 Wearables Forecast predicts that greater adoption of smartwatches, smart hearables and smart shoes will dramatically expand the market, creating an annual value of almost $30 billion in 2023.
A PYMNTS article from 2017 focused on Token’s launch of a biometric-based wearable electronic ring that can allow its users to make wearable payments, power up a computer and open doors with the wave of a finger. Token’s wearable ring technology pairs with credit cards, electronic locks, car ignition systems and transit cards.
Token uses biometric authentication, which requires the user to verify their identity through criteria like a fingerprint or facial scans. GoEmerchant’s March 2019 report presents the idea that users will make more than 18 billion biometric transactions every year by the year 2021. That figure will continue to rise as more devices incorporate biometric technology for authenticating passwords for all functions, not just payments. Multi-factor authentication that incorporates biometrics is the next big trend to watch in 2019 and beyond.
Biometrics could be the answer to the security gaps in wearable technology and contactless payments. As the technology advances to incorporate services like contactless payments into a wider range of devices, security and privacy protections are no longer optional. The industry must embrace stronger authentication methods to convince more consumers to adopt the wearables trend.
Keeping up with innovations — and security requirements
It’s important to offer different payment options for your customers. It’s just as important to keep their safety and privacy in mind, so they can trust you and shop with you again. Currently, mobile payments through wearables require more care and consideration than other payment services. With this primer on how to better manage security with wearables, consumers and merchants alike should be better prepared to use and accept payments from wearable devices.