With merchant adoption of contactless payment solutions accelerating due to the Covid-19 pandemic, Incognia, a provider of fraud-detection applications, announced an app Tuesday to detect Quick Response code fraud.
The application uses location behavioral biometrics to create a digital fingerprint for the consumer’s identity. It uses the buyer’s real-time and historical location behavior to protect against the scanning of fake QR codes for payment. The app follows a consumer’s movement on a daily basis, such as between home and the gas station and the local school to validate the user’s location.
“These are movements that are difficult for a criminal to mimic,” says André Ferraz, chief executive and founder of Incognia
The digital fingerprint also protects consumers who unwittingly scan a fake QR code intended to launch malware onto their mobile device to take over a payment account or steal personal identifiable information.
Since the Covid-19 pandemic hit, merchants, especially restaurants and grocery chains, have been adopting QR code payment applications to reduce the handling of credit and debit cards at the point-of-sale, says Ferraz.
In one scenario, for example, consumers need only scan the code to enable a payment on their smart phone. Once scanned, the code opens a window asking the consumer for payment information and an email address to send the receipt.
“QR codes are very accessible to merchants, because all they need to do is print it out and post it at checkout or print it on a bill to enable payment,” Ferraz says.
Criminals, however, are beginning to exploit the technology by printing fake QR codes that facilitate payments directly to them. Ferraz cites the example of a criminal enterprise in Amsterdam that placed fake QR codes on parking meters along with a note saying that the device was no longer able to accept cards and to initiate payment by scanning the QR code. After scanning the code, payments were sent directly to the criminal.
Ferraz adds that it would not be hard for criminals to place a fake QR code over a real one at a checkout in high-traffic or remote merchant locations.
In addition to validating the accountholder device and account, Incognia’s app also validates the QR code scanned. “If the code is unidentifiable to us, then we would not validate the transaction,” Ferraz says.
Incognia’s location technology—which uses network signals from GPS, Wi-Fi, and Bluetooth, along with on-device signals, to identify precise locations without capturing personal identifiable information—is used in more than 90 million devices in the Americas. The application analyzes more than 20 terabytes of anonymized location signals daily.
Although QR codes are beginning to gain traction for payments, they remain a nascent technology for payments in the United States, says David Mattei, a senior analyst with Aite Group.
“The QR code is not as prevalent as NFC technology in the U.S., even though some large merchants like Starbucks have adopted QR codes for mobile apps,” Mattei says. “Mobile-phone carriers are more vested in NFC technology in their devices.”
Nevertheless, Mattei says technology that can validate a mobile device used to initiate a payment, whether remotely or at the point-of-sale, has value for merchants.