How to combat mobile commerce fraud

It's vital to consider the security of payments

Note: Our combating mobile commerce fraud article has been fully updated. This feature was first published in November 2013.

It is estimated that Britons will spend nearly £15 billion (around $23 billion, AU$31 billion) on mobile devices in 2015 alone. This huge amount of money has of course begun to attract the attention of fraudsters. With the introduction of Chip & PIN and the expansion of stronger security systems in retail outlets, fraudsters have begun to switch their attention to the m-commerce market.

Says CyberSource: "The ability to understand how consumer behaviour differs when using mobile devices; to capture data that is relevant to the mobile channel and implement appropriate fraud management tools and rules; to track and analyse m-commerce chargeback, rejection and review rates and fine-tune your strategy in response – all have clear implications for the experience that both customers and fraudsters will have when they interact with you through the mobile channel."

For retailers, the growth in their mobile channels poses a challenge: keeping levels of fraud to a minimum. Staying vigilant and evolving the tools your business uses to track and prevent fraud are both critical.

Increase in mobile transactions

What is clear for all businesses is, first, that the number of transactions their customers complete on mobile devices will increase massively and, second, that they will need to overhaul their payment systems both to cope with this demand and to prevent fraud.

Gathering more information about the mobile devices used to make purchases from your business is a practical step: it gives fraud prevention applications data about the purchaser that they can use to assess an order and decide whether to accept or reject it.

Narayan Sivaram, VP and regional head of cards and payments at Infosys, commented: "The acceptance of emerging payment acceptance form factors (the Internet of Things, smartphones, wearables), wallets (Apple Pay, Android Pay, Samsung Pay, Merchant Customer Exchange [MCX]) and the need to secure payments from fraud are forcing merchants to move to a more flexible and modern payment architecture."

Various payment services like Samsung Pay are gathering momentum

EMV impact

Additionally, the imminent move to EMV (Europay, MasterCard and Visa) that is rolling out in the US could have a major impact on card-not-present transactions and therefore on potential card fraud. In its True Cost of Fraud report, LexisNexis advises: "Do not rely on EMV to eliminate fraud – tokenization must be used in conjunction with 3-D Secure because multi-channel merchants are attractive data breach and fraud targets."

The report further noted: "While EMV is highly effective at preventing POS fraud, when used for e-commerce purchases card data is still vulnerable to compromise and subsequent misuse – including static CVC2 data.

"3-D Secure provides for improved authentication of the cardholder during e-commerce and m-commerce transactions, reducing the efficacy of fraudsters' attempts to misuse card data compromised from a breach. And merchants can safely store and transmit tokens as proxies for primary account numbers (PANs) card data and are also more easily replaced."

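The tokenization advice quoted above, as an added example that is not from the article or the LexisNexis report: a constructed in-memory vault in which the merchant's order record holds only a random token, and a token can be revoked and replaced without the card being reissued. The `TokenVault` class, its method names and the `tok_` prefix are assumptions made for illustration; the card number is the widely used test number.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum over a 13-19 digit card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory stand-in for a payment provider's token vault."""

    def __init__(self):
        self._pan_by_token = {}  # held by the vault only, never by the merchant
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:
            # Random, so the token reveals nothing about the PAN it stands for.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]  # KeyError for unknown or revoked tokens

    def rotate(self, token: str) -> str:
        """Revoke a token (e.g. after a merchant breach) and issue a fresh one."""
        pan = self._pan_by_token.pop(token)
        del self._token_by_pan[pan]
        return self.tokenize(pan)


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # widely used test number, not a real card
    order = {"order_id": 1001, "card": vault.tokenize(pan), "last4": pan[-4:]}
    print("merchant stores:", order)
    order["card"] = vault.rotate(order["card"])  # card itself is not reissued
    print("after rotation: ", order)
```
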
Fraud goes mobile

So what are the actual threats that mobile retailing has to face? Just as desktop and notebook computers face malware and virus attacks, mobile devices are not immune. In addition, because many transactions are now done wirelessly over a retailer's Wi-Fi network, these networks are also vulnerable to attack.

According to Alcatel-Lucent's Motive Security Labs, malware infections are on the increase. The Motive Security Labs Malware Report 2014 estimates that worldwide about 16 million mobile devices are infected by malware. "Mobile malware is increasing in sophistication with more robust command and control protocols," the company states in its report.

Not surprisingly, the vast majority of infections are on Windows and Android devices, while Apple – with its walled garden approach to hardware and software development – sees the lowest level of attacks and infections.

The Mobile Payments Security 101 report from Networld Media Group also states: "The rise in app-related fraud is due largely to the fact that mobile apps seldom have the infrastructure necessary to enable adequate mobile device identification and profiling, ThreatMetrix says."

The report further notes that ThreatMetrix – in its paper, Fraud Protection for Mobile Applications – adds: "Additionally, implementing these features requires skills far beyond those of most mobile app developers. As a result, mobile apps frequently lack a number of security features, and it's difficult for fraud-prevention systems to determine if the device in question is being used legitimately – creating a prime opportunity for fraudsters."

The huge popularity of apps has of course attracted the attention of fraudsters. In-app purchases are often the target: games developers, for instance, need to differentiate between a genuine in-app purchase and one made with stolen currency.

Services such as Adjust.com can offer a level of protection, but users with phones that have been jailbroken are difficult to protect.