Web and mobile technologies join forces to combat mobile fraud.
Like a good detective, Edwin Watts Golf Shops LLC uses fingerprints to find and stop criminals. Not fingerprints in the traditional sense, but device fingerprints, collections of data that identify individual PCs, phones or tablets.
The golf equipment merchant uses fraud prevention technology and services from Visa Inc.-owned CyberSource Corp. CyberSource assigns every new device that accesses Edwin Watts Golf's m-commerce and e-commerce sites a unique identifier. It associates device attributes to that identifier such as whether Flash, Adobe Inc.'s online imaging technology, is enabled—which, like a fingerprint, likely will not change. CyberSource then observes the device and assigns common behaviors to the device, such as a geographic area.
"Even if your IP address or cookies have changed, the system knows your device from the ID it stores," says Robb McCarter, director of e-commerce at Edwin Watts Golf. This helps the system know if it's a recognized device seeking to make a purchase. The CyberSource system evaluates all the information it collects on the device, along with other identification information and order detail data, such as name and e-mail, and searches for links to historical data. The system looks for patterns and anomalies, using CyberSource's database that contains information about the 60 billion transactions Visa and CyberSource process annually.
In addition to device fingerprinting, Edwin Watts Golf screens transactions using rules it created. For example, the e-retailer caps the number of transactions per hour made from a single device; numerous transactions from the same device in a short period suggest fraud. This occurs within a second or two while a transaction is processed.
The device fingerprinting and fraud screening help the retailer limit fraud to a miniscule 0.003% of sales, McCarter says. That compares to a typical online retailer fraud rate of 1%, experts say.
As mobile commerce grows, so too does the threat of mobile fraud. CyberSource's 2013 online fraud report says in 2012 mobile commerce operators showed a 1.4% rate of revenue lost to fraud. That equates to $350 million of the $25 billion in 2012 mobile sales generated by Internet Retailer Mobile 400 merchants and eBay Inc. This number lines up with Forrester Research Inc.'s estimate that retailers annually lose between $300 million and $400 million.
Criminals use tricks like account takeovers, malware and emulating mobile devices to place fraudulent orders. But retailers can fight back with a number of anti-fraud weapons including device identification and reputation, rules-based screening, and two-factor authentication via text message.
To date, mobile transactions have been less prone to fraud than desktop web transactions because mobile commerce does not yet have what criminals consider enough retailers and consumers to target, experts say. But that is changing as mobile commerce grows.
How criminals perpetrate fraud on the mobile web is not that different from fraud on the web, experts say. "A lot of the types of fraud online retailers deal with already are the types of fraud they are seeing on mobile," says Scott Olson, vice president of product at fraud prevention technology provider iovation Inc.
One of the most common types of mobile fraud is account takeover, where a criminal hacks an account with a retailer where a consumer stores her billing, shipping and payment information. Forrester Research says up to 40% is attributable to account takeovers.
Criminals are apt to attempt account takeovers in mobile commerce because retailers encourage consumers to store billing, shipping and payment information in their accounts as that saves them from tedious smartphone typing, experts say.
This is where two-factor authentication can come into play, says Karisse Hendrick, program manager at the Merchant Risk Council, a payment industry trade group. One factor is something a consumer knows, like a password, and the other factor is something a consumer has, like a smartphone, to which a one-time code is texted. The consumer enters the one-time code to authenticate herself and complete a transaction.
Another piece of mobile fraud trickery is device emulation. Here, a criminal sets up his PC in a way that appears to retailers' fraud-screening systems as a mobile device. Experts say criminals emulate mobile devices because they believe fraud screening is not as tight on mobile as it is on the web—and many times, they're right.
"Mobile devices have certain characteristics that make it harder to screen for fraud," says Alisdair Faulkner, chief products officer at ThreatMetrix, a cybercrime technology and services provider. Retailers may not screen for fraud on mobile devices as diligently as they do on the desktop web, he says, because they don't want to block consumers using mobile from making legitimate purchases.
Malware, malicious software used to gain access to mobile devices and the data stored on the devices, is another tool in criminals' toolboxes. When a consumer unknowingly downloads malware, she opens her device to hackers. Once malware is downloaded onto a smartphone, it can scour the device for account and other confidential information and transmit it to the criminals who can use the information for account takeover and other types of fraud.
One in six app downloads contain malware or suspicious URLs, according to a report from web security firm McAfee Inc. And 46% of retailers in 2012 reported their sites were attacked by criminals trying to inject their sites with malware that would be transferred to consumers' web devices—mobile or stationary—when they visited, according to ThreatMetrix.
Mobile devices are vulnerable because consumers often don't take the same precautions they do on a PC, such as using anti-virus programs, says Steve Mott, principal at BetterBuyDesign, a digital and mobile payments and security consulting firm.
Retailers have to educate their customers to be suspicious of web sites with free offers and unexpected text messages with hyperlinks, among other things, experts advise. In mobile fraud, the threat to a retailer generally comes from consumer devices bearing malware, experts say.