Digital wallets make an inviting target for fraudsters and hackers. The virtual pocketbooks now contain everything from a driver’s license to an insurance card in addition to credit and debit cards.
While digital wallets are generally seen as secure, a bad actor who does manage to break into one potentially gains access to both personal and payment information.
In an interview last month, Sunny Thakkar, head of fraud and disputes at the payments processor Worldpay, talked about how criminals are targeting digital wallets and what his company is doing to counteract them.
In July 2023, the private equity firm GTCR agreed to buy a 55% stake in Worldpay from Fidelity National Information Services in a deal that valued the business at $18.5 billion at that time. The deal was completed in February of this year, with FIS continuing to own 45% of Worldpay, which is based in Cincinnati.
Worldpay uses transaction monitoring and vast troves of data to spot potentially fraudulent transactions, including those generated by artificial intelligence tools, Thakkar explained in the interview.
PAYMENTS DIVE: Why are criminals looking to access digital wallets?
SUNNY THAKKAR: With our Global Payments Report that we put out, we're seeing that digital wallets are projected to be at $25 trillion in global transactions, about 50% of all sales, by 2027. With digital wallets, not only can [a criminal] get access to cards, they could potentially get access to bank account information as well.
How do you look out for and prevent fraud?
When a transaction is sent to our fraud solutions [division] for review, they see the actual card number and they will then create links across that card number to other card numbers they've seen in the network, and are able to identify trends for that card.
What is the fraud solutions division looking for?
Is this the same person making the same types of purchases, or are they actually different individuals making different purchases? In our fraud models, we try to look at this large purchase from one card over and over again. There might be some risky behavior there that definitely is more difficult as these digital wallets are coming into the ecosystem. We have to rely on other data elements to create that linking and make sure we have access to those data elements.
Tell me about what bad actors are targeting today.
The threats that we've seen today are evolving and more advanced than we've seen in the past, and a lot of that is driven by fraudsters who are constantly pivoting to where they see the most value in terms of their return on investment. Since the pandemic, we've seen a large increase in credit card activity, and online e-commerce activity. As a result, you're seeing a lot more activity from fraudsters moving through different types of e-commerce spaces.
That means they’ve moved online?
Every business has moved all or most of their data or other documentation to the cloud. They moved it online. That's created a lot more efficiency overall when you think about how people do business today. But it has created vulnerabilities, and one of the things that we see is that as fraudsters get more sophisticated, they're using things like AI to generate more competent types of scripts, sending [phishing] emails. You can use generative AI to type up a perfectly formatted email and add even social components to it. So there's a lot of social engineering going on. Fraudsters are specifically targeting individuals.
I’ve heard a lot of this before. What threats are specific to digital wallets?
Digital wallets might be uniquely vulnerable to this kind of thing. You need to get a device, and you take that information about that card that you have and store that on the device. Card numbers being more and more tokenized, there is more security around the raw card numbers themselves. What people actually want access to is the information that allows them to access other people's already created digital wallets and be able to actually take over an account. ‘Account takeover’ is this term that's big right now in the fraud space, and we see this trend increasing. If you get enough information around a login detail for someone, you can usually go in and repurpose that same username and password again, because people use the same password and the same email for multiple accounts.
How are bad actors getting that information?
The information they're able to purchase on the dark web is allowing them to create an account or create a login to folks’ accounts that are already created, and then take over those wallets and be able to then use the stored information on that wallet to then make purchases and reuse that information to create fraudulent purchases.