The Grim Upward Trajectory of Mobile Fraud Risks

Brick-and-mortar retail’s downward spiral appears to be accelerating. More than 8,600 retail locations will shut down this year, following the 5,077 that closed last year, based on data from Credit Suisse. Moreover, 2017 could surpass 2008 — the worst year for retail closures on record — when 6,163 stores shut down operations.

However, unlike 2008, when overall consumer spending declined with the onset of a global recession — the worst economic downturn since the end of World War II — today’s shop killer is online commerce, notably sales made on mobile devices.

By 2019, more than 60 percent of online retail sales will be made via mobile devices, which offer great convenience for buyers, according to Riskified, an e-commerce fraud-prevention company. Yet with the potential rewards come potential risks.

Mobile Fraud

Mobile orders for digital goods, such as plane tickets and online gift cards, are four times as likely to be fraudulent as orders for physical goods, the Riskified report suggests. Further, mobile transactions in amounts greater than US$1,000 are three times more likely to be fraudulent than those worth less than $200.

By contrast, 96 percent of mobile orders in the lower price bracket are likely to be valid, the study found, compared to 91 percent carried out on traditional desktops or laptops.

“Sellers should recognize that mobile purchases are very different from traditional e-commerce purchases,” warned Emilie Grunzweig, senior fraud analyst at Riskified.

“Recognizing that an order was placed from a mobile device is an important data point that should be considered in evaluating the order,” she told the E-Commerce Times.

Merchants that have a high volume of mobile-based sales “should consider the use of the Address Verification System and require the three-digit CVV number when taking payment via debit or credit card,” suggested Lee Munson, security researcher at Comparitech.

Yet it is important to look at the whole picture of a mobile e-commerce transaction and consider the source, noted Riskified’s Grunzweig.

“An AVS mismatch from a desktop may be cause for concern, but on mobile it’s not as much of a red flag,” she explained.

“Fraud rates for AVS mismatches on mobile are almost the exact same as a full AVS match,” Grunzweig continued, “and this makes sense, as AVS mismatches can be for a reason as simple as a typo — big fingers using a small keyboard.”

Time and Volume

What is being bought — and when — can help retailers identify potentially fraudulent transactions, at least to a point. A purchase of an unusual number of items should raise a red flag, and purchases made in the wee hours should be scrutinized as well.

“Take quantity of goods ordered: Single-item orders are risky from a desktop but safer on mobile, because while customers ordering from home often make the most of the shipping costs by ordering multiple items, mobile shoppers are likely in a different frame of mind,” noted Grunzweig.

“A mobile shopper is more likely to view a purchase as a spontaneous buy, so they aren’t as concerned with a large order, and buying with one click through a mobile app makes this even easier,” she added.

However, there are some other potential fraud indicators, such as the fact that mobile fraudsters tend to be night owls.

“They like to purchase big-ticket items, and they love digital goods,” warned Grunzweig. “If an order comes through at 2:00 a.m. for an expensive digital gift card, think twice.”
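The device-dependent signals described above can be expressed as a small rule set. This is an added example, not Riskified's model or code from the article; the weights, the review threshold and the 00:00 to 04:59 "overnight" window are illustrative assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Order:
    device: str           # "mobile" or "desktop"
    amount_usd: float
    digital_goods: bool   # e.g. gift cards, plane tickets
    item_count: int
    avs_match: bool       # result of the Address Verification System check
    placed_at: datetime   # shopper's local time

def risk_signals(order):
    """Return (signal name, weight) pairs; weights are illustrative assumptions."""
    mobile = order.device == "mobile"
    signals = []
    if mobile:
        # Article: mobile digital-goods orders are 4x as likely to be fraudulent.
        if order.digital_goods:
            signals.append(("mobile_digital_goods", 3))
        # Article: mobile orders over US$1,000 are 3x riskier than those under $200.
        if order.amount_usd > 1000:
            signals.append(("mobile_high_value", 2))
        # Article: mobile fraudsters "tend to be night owls" (00:00-04:59 assumed).
        if order.placed_at.hour < 5:
            signals.append(("mobile_overnight", 1))
        # An AVS mismatch or a single-item order adds nothing on mobile.
    else:
        if not order.avs_match:
            signals.append(("desktop_avs_mismatch", 2))
        if order.item_count == 1:
            signals.append(("desktop_single_item", 1))
    return signals

def review_decision(order, threshold=3):
    """Score an order and return (decision, score, reasons) for the fraud queue."""
    signals = risk_signals(order)
    score = sum(weight for _, weight in signals)
    decision = "review" if score >= threshold else "accept"
    return decision, score, [name for name, _ in signals]

# Constructed sample orders (not real transactions).
GIFT_CARD_2AM = Order("mobile", 1500.0, True, 1, True, datetime(2017, 6, 1, 2, 0))
MOBILE_TYPO = Order("mobile", 45.0, False, 1, False, datetime(2017, 6, 1, 14, 30))
DESKTOP_MISMATCH = Order("desktop", 45.0, False, 1, False, datetime(2017, 6, 1, 14, 30))

if __name__ == "__main__":
    for order in (GIFT_CARD_2AM, MOBILE_TYPO, DESKTOP_MISMATCH):
        print(order.device, order.amount_usd, review_decision(order))
```

The same single-item order with an AVS mismatch is accepted from a mobile device and queued for review from a desktop, which is the distinction Grunzweig draws.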

Solid Foundation

Just as brick-and-mortar locations need to have security in place to reduce shrinkage, e-commerce sites need to adopt practices to ensure that their virtual shops have solid security foundations.

“When it comes to making online payments, there is always an element of risk concerned, but thankfully larger and more reputable companies have good security measures in place,” Comparitech’s Munson told the E-Commerce Times.

“Retailers and other sellers need to offer a secure website or marketplace, protected by an SSL certificate,” he added.

More importantly, all user data used or collected should be hashed and salted to ensure the encryption cannot be broken, Munson suggested.

“Adherence to the Payment Card Industry Data Security Standard (PCI DSS), if not required by law, should be followed anyway as a best practice,” he said.

This means that sites should require user passwords that are lengthy and complex, and also utilize two-factor authentication.

Two-Factor Hassles

There are pros and cons with respect to two-factor authentication, however, and in some cases the complexities involved could lead to lost sales.

“While getting mobile device users to voluntarily implement two-factor authentication may be a challenge, getting them to give their mobile number and/or email address gives the seller/retailer the option to implement that solution for the user without using the term ‘two-factor authentication,’” said Ronald Nutter, IT consultant and cybersecurity author.

“While texting a code to the user to enter before the transaction can go through might be the easier thing to implement, a pending standard from NIST might make the use of SMS/text message for sending that code no longer an option, leaving email as the only easy choice,” he told the E-Commerce Times.

“It is possible to place an automated call to the user, giving them a code to enter into the Web browser, [but] having the user juggle between taking the call and entering the code might be easier for some than for others, leaving the seller/retailer with some extra customer service issues that they would rather avoid,” he added.

Safe Shopping

Just as retailers need to worry about fraudulent transactions, shoppers who make purchases via their handsets also need to do due diligence to ensure that they don’t become victims.

“In terms of devices, consumers only need be a little warier when using a mobile device,” said Comparitech’s Munson. “They should check they are on the correct website when making a payment, by typing the URL directly into their browser rather than by following a link found in an email, and should look for the padlock icon in their browser which usually denotes the page is secure.”

How consumers are accessing e-commerce businesses is also a major consideration, and they should ensure that they are doing so on the most up-to-date browser or app.

“If the browser isn’t up to date, it makes it easier to get access to the device or potentially valuable data that may be left in one or more files in the cache on the mobile device,” warned Nutter.

“Since it is possible to test for what browser is being used on a mobile device, getting the user to upgrade to the latest version before allowing a transaction can help avoid problems and some heartburn for both the user and the e-commerce seller/retailer,” he added.

Periodically clearing the browser cache is another step that users can take to secure their phones.

The main responsibility for consumers “lies in ensuring passwords are strong and not simply words plucked out of a dictionary,” suggested Munson.

“Two-factor authentication should always be taken advantage of,” he added. “Beyond that, the only other area to be aware of is the type of connection being made to the payment page. Rogue networks can be an issue, with an attacker intercepting data, so free WiFi connections in coffee shops and the like should be avoided at all costs.”

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and Peter.
