WhatsApp Payments canceled in Brazil [Was it security?]

While users could certainly benefit from paying with WhatsApp, it’s important they feel secure.

WhatsApp is estimated to be used by 1.5 billion people worldwide, and one of the most important markets for the app is Brazil, where the app is used by 99% of the population. The recent news that the app would offer a peer-to-peer money transfer feature in Brazil was unquestionably groundbreaking, especially since Brazil is a country with 45 million economically active people and one third of the population without a bank account. The news was short-lived, however: the Central Bank of Brazil recently suspended WhatsApp as a payment method.

 

While users could certainly benefit from paying with WhatsApp, it’s important they feel secure, and the app has previously been the target of fraud scams, varying from social engineering to SIM swaps.

Through a recent announcement, the Central Bank of Brazil communicated that Visa and Mastercard should suspend any payment and money transfer activities with WhatsApp. The grounds for the decision are that the Central Bank wants any new P2P money transfer to be “interoperable, fast, secure, transparent, open and cheap”. Possibly one of the main risks and concerns with WhatsApp is its security. Is it secure enough to process payments?

WhatsApp has previously been the target of many account takeover and social engineering scams. Up until now, however, these attacks have mainly resulted in risks on the social level, with the main threat being that a fraudster could talk to a user’s contacts and access their conversations. Threats to a user’s finances were previously only indirect, with fraudsters looking to find ways to profit, for example by making use of user information to create a synthetic identity.

One of the most widespread scams targeted at WhatsApp users is account takeover, where fraudsters make use of phone numbers found on classified ads. With possession of the name, contact phone number and object for sale, they call or text victims, presenting themselves as the ad company, and say that the ad presents problems. To release the ad, unaware victims must enter a code received by text message. This code, however, is not for the classifieds site, but for installing WhatsApp on another phone.

Another common scam is phishing, where mass messages are blasted with varied themes, and users are led to think the sender is the phone company, their bank, or a company offering product discounts or special offers. Pre-approved credit offers and fake news with clickable links are other common forms of click-bait. When users click, their information is stolen. SIM swap is also a frequent scam, where fraudsters take over not only the WhatsApp account, but also the phone number of the victim.

With people's finances involved, the threat of fraud increases tremendously. While users are encouraged by Facebook to activate two-factor authentication, in practice fraud is still happening because a lot of people have not activated the 2FA feature. One of the main reasons people choose not to use this security feature is that they don't want added friction while using the app.

Ideally, to protect people, mobile applications should adopt a form of authentication that keeps people safe, but does not add friction for the user. A 2019 IDology survey showed that more than a third of people abandoned the digital account opening process because the process was too difficult or took too long. Reducing friction also helps increase app adoption rates. SMS or email as 2FA, although commonly used, not only adds friction but is also not fail-proof.

For the mobile user, legacy web-centric models for identification and authentication, including passwords, One Time Password (OTP), and challenge questions, are high-friction and also vulnerable.

The use of biometric techniques such as facial recognition technology has been growing steadily, but it still adds a layer of friction and introduces strong privacy and bias issues that we are already seeing companies like IBM and Microsoft grapple with.

Behavioral biometrics, on the other hand, is a zero-friction technology, which makes use of users’ behavior for authentication and identification and requires no additional action by the user.

 


Use of behavioral biometrics is an example of zero friction secure authentication.

The way people move around the world forms a type of digital identity, or location fingerprint. No one behaves exactly the same as someone else, so the “uniqueness” of the data as the basis for a new digital identity makes it nearly impossible for fraudsters to mimic. This is done without the need for any additional personally identifiable information (PII) or action by the user, ensuring security and privacy, and zero friction for the user.

Given COVID-19, innovations in payments are welcome, especially at a time when contactless payments are becoming the new normal and help to keep people healthier. But security solutions for mobile apps also need to evolve, with new techniques such as behavioral biometrics that protect the user and are dynamic, adaptive and very difficult to fake or forge. Security and a good user experience need to work in tandem in order to move the mobile experience forward and protect against fraud.
