From 2012 to 2015 mobile commerce grew from $24 billion to $122 billion in the U.S. And with this growth came an increase in fraud and an all new breed of fraud threats. Nearly 40% of merchants surveyed by Kount indicated that mobile fraud had increased, up 17% over the previous year. Criminals have discovered new ways to leverage mobile as a means to commit fraud.
Mobile fraud is negatively impacting merchants’ bottom lines. One study from Javelin Strategy found that 16% of chargeback losses stem from mobile transactions, nearly equal to losses stemming from in-store purchases. The same study pointed out that retailers are overly reliant on username and password to authenticate purchases. Unfortunately, these simple identity factors are not enough to stop sophisticated criminals.
1. Detecting jailbroken and rooted devices
A mobile phone is typically jailbroken or rooted to expand its uses beyond the manufacturer’s intended purpose. In some cases, this purpose is criminal in nature, like completing fraudulent transactions with stolen credit information. Retailers tracking shopper device/platform should also track if the device is jailbroken or rooted.
But you can’t stop there, according to Don Duncan of NuData Security: “Rooting and jailbreaking is commonly used to extend the life of the device, like in China for instance where rooted Android devices are common. Retailers can potentially lose innocent tech-savvy customers who are jailbreaking their phones simply to gain more control over them.” He challenges fraud teams not to merely look at the fact that the device has been jailbroken, but look at how the user is interacting with the device: “Tools like biometrics can provide insight into users’ motivations, differentiating between a good user and a device that could be running malware.”
2. Detecting side loaded applications
Applications side loaded from outside reputable application stores (Google Play, Apple App Store, Windows app store, etc.) are also a problem for fraud departments because apps downloaded from unverifiable or unusual sources are much more likely to deliver malware. Google Play and other large app distributors have controls and security measures to try to stop malicious code from being placed into apps, but other sources may not have such stringent anti-malware capabilities. Some types of malware can execute on the operator’s behalf and do things like complete e-Commerce transactions. Side loaded applications are not the only source of malware either; SMS is growing as a medium to distribute malware.
But NuData’s Duncan reiterated the importance of distinguishing between good and bad actors in the case of side loaded applications, which may or may not be a sign of malware. “If a user is doing things with a device which seem atypical, then this may be more of a warning to fraud teams that this user could be malicious or compromised. User engagement and understanding the patterns associated with a compromised device is key for fraud departments hoping to prevent malware from reaching their network.”
3. Linking mobile biometric fraud signals and identity fraud signals
Catching mobile fraudsters by detecting jailbroken devices and signs of malware is a significant first step. But there is a strong chance that a criminal defrauding on mobile will also use someone else’s identity (or create a synthetic identity) to complete a transaction. Pairing mobile fraud risk data with identity data — including both PII (Personally Identifiable Information) data and unregulated identity data (like email addresses used more than 720 days ago and IP addresses located within 10 miles of physical address) — provides even more context about the buyer. By creating one large risk assessment based on multiple fraud signals, you can increase your chances of catching a fraudster before they can do damage.
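A sketch of what one combined risk assessment could look like, added here as an illustration and not taken from the article or any vendor's product. It uses the signals named above (rooted device, side loaded apps, atypical behavior, the 720-day email threshold, the 10-mile IP-to-address radius). The base score, the weights, the field names, and the choice to treat an old email and a nearby IP as trust-raising are all assumptions.

```python
import math
from dataclasses import dataclass
from datetime import date

@dataclass
class Order:
    rooted: bool              # device reports jailbreak/root
    side_loaded: bool         # apps installed from outside an official store
    atypical_behavior: bool   # behavioral signal: interaction looks unusual
    email_first_seen: date
    ip_geo: tuple             # (lat, lon) of the IP address
    address_geo: tuple        # (lat, lon) of the physical address

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))

def risk_score(o, today):
    """Return (score 0-100, reasons). All weights are assumed values."""
    score, reasons = 50.0, []
    # Device signals count in full only when behavior is also atypical, so a
    # rooted phone that is used normally is not declined on that fact alone.
    device_weight = 1.0 if o.atypical_behavior else 0.25
    if o.rooted:
        score += 20 * device_weight
        reasons.append("rooted")
    if o.side_loaded:
        score += 15 * device_weight
        reasons.append("side_loaded")
    if o.atypical_behavior:
        score += 15
        reasons.append("atypical_behavior")
    # Identity signals: assumed here to lower risk when present.
    if (today - o.email_first_seen).days > 720:
        score -= 20
        reasons.append("email_older_than_720_days")
    if miles_between(o.ip_geo, o.address_geo) <= 10:
        score -= 15
        reasons.append("ip_within_10_miles")
    return max(0, min(100, round(score))), reasons

# Constructed sample orders (not real data).
TODAY = date(2017, 6, 1)
TINKERER = Order(True, True, False, date(2014, 1, 1), (47.61, -122.33), (47.62, -122.20))
SUSPECT = Order(True, True, True, date(2017, 5, 20), (40.71, -74.01), (47.62, -122.20))
```

Both sample devices are rooted with side loaded apps, yet the first scores low because its behavior and identity data look ordinary, while the second lands at the top of the range.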
Retailers will need to do the work to implement these tactics and make the right updates to their fraud practices, as mobile commerce is only expected to increase; by 2020 it’s projected that mobile commerce will make up 45% of total e-Commerce, a three-fold increase from where it stood at the beginning of 2017. Mobile fraud is still in its infancy and retailers are just beginning to figure it out. Chances are in the next two to five years we will see all new threats in the mobile fraud landscape. Make updates to your fraud systems now to keep your fraud team ahead of the game.
Tom Donlea is VP of Global Marketing of Whitepages Pro, the definitive identity verification data provider for risk management in banking and online lending worldwide. With over 10 years of online payments and risk experience, Donlea previously was the founding Executive Director of the Merchant Risk Council.