Keeping Mobile Fraudsters at Bay

This story was originally published on Sept. 3, 2011, and is brought to you today as part of our Best of ECT News series.

The mobile age has arrived.

In 2011, global shipments of smartphones and tablet devices surpassed shipments of laptops and desktop PCs, laying the groundwork for an era in which consumers are increasingly using mobile technology for everything from airline reservations to vehicle purchases.

The mobile age snuck up on many of us. But one group of mobile-savvy users has been hard at work, waiting for mobile to rise in the hierarchy of commerce: fraudsters.

The frightening reality is that most retailers and consumers aren’t prepared for the tidal wave of fraud that is already being unleashed in the mobile arena. To inoculate themselves, retailers and consumers need to understand which mobile behaviors put them most at risk.

More importantly, they need to know how to navigate those behaviors to create an effective mobile fraud prevention strategy.

Fraud Prevention in Pre-Mobile Times

In the “old days,” fraud prevention took on many different forms. One of the simplest forms of fraud prevention in e-commerce was to verify the customer’s credit card number, CVV code, billing location and shipping address.

From there, online fraud prevention progressed to include device identification via IP addresses and device tagging with Flash objects and cookies. Although these tactics were initially effective, fraudsters adapted their strategies to incorporate the use of proxy servers to hide their true IP address, among other techniques.

Today’s most sophisticated fraud-prevention providers employ cookieless device identification, real-time proxy piercing for true IP address detection, intelligent packet inspection for subversion detection and other strategies to stay one step ahead of cybercriminals.

Yet the transition to mobile is creating new challenges in fraud prevention, many of which demand a more proactive approach on the part of retailers and consumers alike.

What Makes Mobile Different

Malware is a major threat for mobile consumers and retailers. More than 73,000 new malware threats are released every day, driven by consumers’ willingness to download unproven apps that haven’t been properly vetted by platform providers. While open platforms like Android have been proven to be more susceptible to attacks, Apple’s iOS is by no means vulnerability-free.

Most mobile users don’t install antivirus or antispyware software on their devices. That makes mobile technology an easy target for criminals eager to obtain personal data and online account credentials, accomplished by introducing malicious code through apps, social media sites and other entry points.

Mobile fraud detection is complicated in that it is difficult for online retailers to pin down the source of fraudulent transactions. While IP addresses for PCs are roughly fixed to a single location, mobile users routinely connect through WiFi networks and 3G gateways scattered across a broad area. This makes it problematic for retailers to effectively monitor threats using IP addresses.

Another worrisome feature is that mobile devices have limited digital fingerprints. Today’s consumers remove cookies and gravitate toward mobile devices that eliminate the use of Flash technology (e.g. iPhones) — crippling the ability of many online retailers and financial institutions to differentiate between returning customers and fraudsters.

One of the most challenging aspects of mobile fraud prevention may lie in the expectations of consumers themselves. More than ever, consumers expect mobile technology to deliver immediate gratification. To meet the needs of their customers, retailers provide opportunities for the instant authorization of goods.

Consequently, transaction speed eliminates the possibility of manual reviews, allowing mobile crooks to exploit automated purchasing capabilities and quickly offload stolen merchandise around the world.

Mobile Transaction Balancing Act

2011 was the first year that mobile transactions became a material percentage of revenue for companies. The potential for serious mobile fraud is challenging retailers to identify solutions that improve security without significantly impacting the mobile customer experience.

Although walking a tightrope between consumer convenience and fraud prevention is tricky, there are several ways consumers and retailers can protect themselves, while at the same time maintaining real-time response and analysis in mobile commerce.

  1. Current transaction mix review. For retailers, mobile fraud prevention begins with a thorough review of the current makeup of fraud transactions and prevention tactics to determine the impact of mobile on existing device identity and behavior-based fraud filters. In many instances, retailers may discover that their current approach allows free access for mobile fraudsters while limiting access to legitimate customers. For example, a common attack vector is to change browser settings to make a PC look like a mobile device in order to target lax mobile-specific rules.
  2. Reliance on the mobile Web for application authentication and authorization. A mobile application can provide a superior user experience in terms of responsiveness and interactivity. When it comes to moving money or authenticating a high-risk transaction, however, companies should fall back to using tested and proven Web technologies. Using HTML5, companies can have a multifunctioning Web and mobile site that is trivial to integrate into a mobile app. Trying to re-invent the wheel and putting too much trust in the mobile device is a recipe for trouble.
  3. Centralization of fraud intelligence. While many companies have different teams and technologies supporting their mobile versus Web strategy, it is important that fraud intelligence be consolidated in a single risk engine. In addition to improving fraud detection rates, centralization allows retailers to better manage the cost of fraud prevention.
  4. Behavior and location profiling. With mobile location quickly becoming a reliable user signature, security-based apps can leverage mobile GPS technology to create profiles based on daily patterns. The catch is that consumers must sacrifice a certain amount of privacy — plus valid use of location data is context-specific. For example, you may be willing to let your bank use your GPS location on a one-off basis, perhaps to verify a fund transfer from your account. You would not, on the other hand, find it acceptable for them to continually track all of your movements.
  5. Layered fraud prevention. No security measure is foolproof. Eventually, cybercriminals will find a way to breach any authentication method, no matter how sophisticated. Layered fraud prevention offers greater security because it presents multiple security barriers, increasing the level of difficulty for fraudsters. For example, many iPhone app developers rely on the iPhone UDID, a unique hardware identifier, to recognize returning customers. However, apps running on jailbroken iPhones are able to spoof this easily.
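As an added illustration of points 1, 3 and 5 above (example code written for this page, not the article's or ThreatMetrix's own), the following Python sketch puts Web and app transactions through one scoring function, treats a self-reported UDID-style device identifier as a weak signal rather than proof of identity, and cross-checks a user agent that claims to be mobile against other client attributes so that a PC dressed up as a phone does not benefit from laxer mobile rules. The signal names, weights, thresholds and sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed markers and weights, not from the article; a real engine
# would tune them against historical fraud outcomes.
MOBILE_UA_MARKERS = ("iphone", "android", "mobile")
MOBILE_SCREEN_WIDTHS = range(240, 1025)   # typical phone/tablet CSS widths

@dataclass
class Transaction:
    channel: str                 # "web" or "app": both feed the same engine
    amount: float
    user_agent: str
    screen_width: int
    touch_capable: bool
    device_id: str               # UDID-style self-reported id (spoofable)
    ip_is_proxy: bool
    known_device_ids: set = field(default_factory=set)  # ids seen for this customer

def ua_claims_mobile(ua):
    return any(m in ua.lower() for m in MOBILE_UA_MARKERS)

def score_transaction(tx):
    """Return (score, reasons). Each layer adds risk on its own, so
    defeating any single check does not clear the transaction."""
    score, reasons = 0, []
    # Layer 1: a mobile user agent must agree with the rest of the client profile
    if ua_claims_mobile(tx.user_agent) and (
            not tx.touch_capable or tx.screen_width not in MOBILE_SCREEN_WIDTHS):
        score += 40
        reasons.append("mobile UA inconsistent with client attributes")
    # Layer 2: network signal (a proxy hides the true IP address)
    if tx.ip_is_proxy:
        score += 25
        reasons.append("proxy detected")
    # Layer 3: a recognised device id only lowers risk; it never proves identity
    if tx.device_id not in tx.known_device_ids:
        score += 15
        reasons.append("unrecognised device id")
    # Layer 4: value-based step-up, identical for web and app channels
    if tx.amount >= 500:
        score += 25
        reasons.append("high-value transaction")
    return score, reasons

def decision(tx, review_at=40, deny_at=70):
    """Map the layered score to an automated outcome; step-up means
    re-authenticating through the proven Web flow (point 2)."""
    score, reasons = score_transaction(tx)
    if score >= deny_at:
        return "deny", reasons
    if score >= review_at:
        return "step_up_auth", reasons
    return "approve", reasons
```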

For consumers, mobile fraud prevention boils down to a handful of common sense behaviors and practices. Since many app stores lack advanced malware detection systems, consumers should be cautious about downloading apps from unknown providers. Likewise, links contained within text messages should be treated with a healthy dose of skepticism.

Most importantly, consumers should direct their mobile purchases toward trusted retailers. Going forward, the mobile marketplace will reward retailers that take meaningful measures to improve mobile security and equip their customers with convenient fraud-prevention tools.

Alisdair Faulkner is chief products officer at ThreatMetrix. An expert on issues relating to online fraud, device identification, cybercrime, identity theft, information security and networking technology, Faulkner frequently speaks at industry events such as the Anti-Phishing Working Group, CyberSource Payment Summit and Experian Vision Conference. He has appeared on BBC online news commenting on cybercrime and is a past winner of the DEMOgod award for technology innovation. He co-authors the ThreatMetrix blog, Frauds & Ends.
