(Page 3 of 4)
An inconsistency in proximity between the shopper's mobile IP address and billing address raises the question whether the consumer is traveling or the transaction is fraudulent. The retailer must then make a snap decision whether to flag the mobile transaction for manual review, ask the customer to validate her identity in some way—which can be tough since the small screens on smartphones are not conducive for extensive typing—or deny the transaction.
While it's not easy to determine the exact location of a shopper connecting via 3G or 4G networks, there are some telltale signs that can be useful for screening mobile transactions for potential fraud. For instance, as mobile carriers add more local gateways to improve service, a smartphone user connecting to a retailer's web site via a regional mobile gateway, as opposed to gateways that route traffic from anywhere in the country, is likely to have an IP address originating from the same state or metro area as the one provided in their billing address or a nearby state.
"Knowing the kind of information to look for around an IP address associated with a mobile transaction can improve a retailer's ability to differentiate between legitimate and potentially fraudulent transactions," Neustar's Young says. "Ultimately connections through mobile gateways are not as reliable a reference point for the origin of an IP address as those coming from a fixed Wi-Fi network."
Concerns are also popping up about the security of retailer applications downloaded to mobile devices. While mobile apps allow consumers to connect to a retailer at the touch of a finger, they are less secure than connecting to a retailer's site via a web browser because they do not automatically update their protection from malware and viruses. That responsibility falls to the consumer, which may not be diligent about downloading updates. And in some cases, app updates may not include fixes to stop the latest security threats.
"Unlike web browsers, which are secured by code residing on the host server that is constantly updated to prevent security threats, the security features of mobile apps tend to be more static," UniteU Technologies' Das says. "In some cases, app developers don't always write code into the app to secure the data passing through it."
One way to secure mobile applications is to include code that automatically launches the mobile device's web browser when the consumer arrives at the retailer's checkout page. The checkout page is then displayed through the web browser, which secures the data entered by the customer at checkout. "Web browsers provide a more secure environment for entering account data, and it is not hard to create a hybrid mobile app that launches the web browser when needed for this purpose," Das says.
E-retailers should be careful not to put fraud prevention rules into place around mobile transactions that are too stringent, as doing so can deny as many legitimate transactions as illegitimate ones. For example, a retailer may place a ceiling on the amount of a transaction made with a mobile device that when exceeded, triggers an automatic denial.
Such rules can be counterproductive because they are so absolute. "These kinds of rules are along the lines of amputating someone's hand because they have a broken finger," Kount's Bush says. "They just don't consider the variances around the transaction data that can determine whether a transaction is fraudulent or legitimate."
Bush says some retailers are too closely scrutinizing mobile transactions based strictly on the dollar amount, regardless of the type of mobile device used. "A higher level of scrutiny for certain types of mobile transactions is fine but the retailer needs to know what it is they are looking for in the transaction data, rather than just examining the transaction for the sake of doing so," he says.
A gray, but nonetheless costly, area of fraud is so-called friendly fraud or "cybershoplifting," in which consumers keep an item without paying for it by either denying they made the purchase or claiming they never received the item. The latter only works if a signature is not required by the retailer upon delivery. These consumers complain to their card issuer, which reverses the payment made to the merchant, creating what's known as a chargeback.
Disputing chargebacks can be an expensive proposition for e-retailers. So much so that unless the retailer knows for certain it can win the dispute it may decide it is better off eating the cost of the transaction than incurring costs in a losing battle.
However, there are vendors that can help retailers combat friendly fraud. SecureBuy has developed a biometric signature-capture application as part of its SecureBuy 1.0 and 2.0 platforms that is compatible with mobile devices and computers and is essentially device agnostic. Consumers reaching a retailer's checkout page will see a pressure-sensitive signature-capture window that records their signature. Consumers shopping via a desktop or laptop computer can sign their name using a mouse. Mobile shoppers can sign their name by pressing their finger or a writing stylus to the screen on their mobile device. Shoppers do not need any plug-in peripheral devices to sign their name.
Once the consumer's signature is electronically captured, it appears on their receipt along with the retailer's terms and conditions. An electronic copy remains on file with the retailer that can be referenced in the event of a chargeback dispute. "About 20% of all fraud is friendly fraud or cybershoplifting and signature capture can reduce chargebacks by as much as 97%," SecureBuy's Wooten says. "Adding a signature to an online sales draft with terms and conditions creates a legally binding sales transaction that protects the retailer."