6 ways to protect your members from provisioning fraud

Mobile fraud has been growing 15% year over year since 2020, according to the Equifax Digital Fraud Trends Report. Tokens and digital wallets have added incredible security and efficiency to the payments ecosystem. When effectively implemented, they have also been shown to reduce fraud rates; however, fraud is shifting faster than ever, and scammers have found a way to game the system through provisioning fraud. Fortunately, credit unions can take proactive steps and work with members to defend against this kind of fraud using some best practices.

What is tokenization?

Tokenization is a service that replaces sensitive card-related data with a unique identifier. The “token” is a random number with no relationship to the data itself, so it prevents hackers from gaining access to the cardholder’s private card information.

What is provisioning fraud?

Provisioning fraud involves creating tokens with stolen cardholder information. Fraudsters add these card numbers to their own digital wallets and request tokens. To get around step-up authentication, they use social engineering (fake alerts or urgent messages via text, email, or phone calls) to trick members into providing validation information such as one-time passwords (OTP). It’s the number one fraud we have seen with tokenization.

Six best practices to prevent provisioning fraud

  1. Hinder fraudsters from taking advantage of a compromised account by limiting the number of credentials provisioned to a mobile wallet, or the number of mobile wallets associated with a single card number.
  2. Review and validate rules used during the provisioning process to make sure they are up to date.
  3. If you’re not already doing so, use multi-factor authentication when provisioning credentials to new digital wallets, especially when the request is deemed to be higher risk. It creates another obstacle for fraudsters to overcome.
  4. Multi-factor authentication via mobile banking apps is a secure method for authenticating a cardholder’s device during provisioning. It’s less susceptible to social engineering. Be sure to avoid using a mobile-banking app as both a form of authentication and the credential’s source.
  5. Consider refusing to provision manually entered cards, or at least adding validation requirements for them, compared with cards entered with the tap feature. The latter ensures the card is in the hands of the cardholder and the fraudster cannot add the card.
  6. Educate your members and staff. When sending OTPs, include a message warning members against sharing the code with anyone else. Offer videos and training in e-newsletters or on your website that review best practices for recognizing phishing and social engineering schemes. Some example tips to share are below:
    • Do not click on hyperlinks found in emails or text messages from unknown or suspicious sources.
    • Do not click on unsolicited links and remain vigilant of URLs visited. When paying online, check the URL to ensure it begins with "https://". The "s" at the end indicates a secure connection.
    • Additionally, check that the name of the web page does not contain spelling errors or strange characters.
    • Use the 10-2 rule: Take ten minutes to think before making a purchase or money transfer, and talk to two trusted people before acting if there are any concerns about a request for money or personal information.
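
As an added example (not Envisant's or any card network's code), practices 1, 3, 4 and 5 can be written as a single provisioning decision rule. The limits, field names and entry-method labels are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    APPROVE = "approve"
    STEP_UP_APP = "step_up_in_app"  # MFA inside the mobile banking app
    STEP_UP_OTP = "step_up_otp"     # OTP sent with a do-not-share warning
    DECLINE = "decline"

# Constructed limits for illustration; real values are set by the issuer.
MAX_WALLETS_PER_CARD = 3
MAX_CARDS_PER_WALLET = 5

@dataclass
class ProvisionRequest:
    wallets_on_card: int   # wallets already holding a token for this card
    cards_in_wallet: int   # credentials already provisioned to this wallet
    entry_method: str      # hypothetical labels: "tap", "manual", "in_app"
    known_device: bool     # device previously seen for this member
    has_banking_app: bool  # member is enrolled in the mobile banking app

def decide(req: ProvisionRequest) -> Decision:
    # Practice 1: cap wallets per card and credentials per wallet.
    if req.wallets_on_card >= MAX_WALLETS_PER_CARD:
        return Decision.DECLINE
    if req.cards_in_wallet >= MAX_CARDS_PER_WALLET:
        return Decision.DECLINE
    # Practice 5: tap shows the physical card is with the requester, so only
    # tap on an already-known device is approved without extra validation.
    if req.entry_method == "tap" and req.known_device:
        return Decision.APPROVE
    # Practice 4: prefer in-app MFA, but never when the banking app is also
    # the source of the credential being provisioned.
    if req.has_banking_app and req.entry_method != "in_app":
        return Decision.STEP_UP_APP
    # Practice 3: every other request still gets a second factor.
    return Decision.STEP_UP_OTP
```
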

By implementing these best practices, credit unions can help protect their members from increasingly advanced scammer tactics and enhance the security of their tokenized cards. Strong authentication practices combined with thoughtful provisioning rules and ongoing education create a layered defense, making it harder for fraudsters to succeed. These best practices are an essential part of maintaining member trust and safeguarding the integrity of digital payments.

Envisant is a CUSO that works strategically with credit unions nationwide to help them achieve their vision for member service. To learn how your credit union can partner with Envisant to offer a debit and credit program with strong fraud protection, contact us at 1-800-942-7124.
