Todd Sprinkle led QVC’s foray into mobile commerce.
As consumers shop more on smartphones, retailers must use better security methods for preventing mobile fraud. The CEO of mobile technology firm Zumigo provides some tips.
Mobile devices are quickly becoming the preferred platform for getting things done, including consumer e-commerce and retail shopping. With the shift from PCs to mobiles, however, come new challenges in ensuring that smartphones do not become new channels for perpetrating fraud. Transactions have to be secured no matter where they occur, and logins need to be validated to a customer’s device. Criminals have become adept at acquiring credentials to log into bank accounts and other systems, so companies are now focusing their security measures on preventing the use of those credentials from unknown devices.
Every time a new e-commerce innovation is released, a new security risk is posed for consumers. In e-commerce for example, e-tailers and brick and mortar retailer web sites are the primary target for online criminals because being successful can be quite lucrative.
Attackers depend on swiftly bypassing any security measures in place. If an attack is successful, they become the hard losses that hurt the bottom line. Then there is the combined cost of case investigation, customer phone support, lost customers, and damage to the institution’s reputation.
There are many new, effective approaches to mobile e-commerce fraud mitigation available today, and all help to identify, stop and/or manage an attack. The top three most effective methods are:
Device fingerprintingcollects a comprehensive set of data that approximately identifies a device in real time–whether fixed or mobile. Device fingerprints can fully or partially identify individual devices even when cookies are turned off. Fingerprinting has already proven useful in the detection and prevention of online identity theft and credit card fraud. The key to maintaining a device’s ID, regardless of hardware and software configurations, is the ability to analyze customer behavior associated with the device and collect additional device parameters not typically accessible by other device ID technologies. One major shortcoming to this approach, however, is that the fingerprint is not 100 percent precise. Simple events, such as upgrading the device’s OS, or changing installed software can lead to an alerting score that can cause unnecessary actions and denial of an attempted purchase.
2. Device reputation
New in the fight against fraud is device reputation, a new layer of defense that typically builds upon device identification using device fingerprinting. Device reputation reports if the internet-enabled device accessing a web site or mobile app has a known history of credit card fraud, identity theft, account takeover or other abusive behavior. In addition, it can determine if a device is associated with any other devices containing accounts with fraud history. From the analysis conducted, a device “score” is then reported. While there are several shortcomings to this approach, the weakest point is that the first time a device is registered to an account, it is not known who actually owns the device, and if it matches the owner of the account.
3. Utilizing mobile networks to identify a mobile device and the device’s owner. Identifying a particular mobile device on a network provides valuable information about the owner of a mobile device. When a device seeks to log onto a network, the identity can be verified to ensure ownership of the device. Existing account data can be compared to the contractual data for the mobile device and scored, assuring that the phone belongs to the right customer.
The process of comparing data from the mobile phone network and the enterprise being accessed, create a type of lie detector for the mobile phone. If a customer has registered their mobile number as part of their personal profile, then that is the smartphone that should be connecting during logon. Through viruses, bots and other compromising methods, criminals are able to obtain log-on credentials. They might even know your phone number and device type, which they can program into a similar mobile phone. This simple process can fool the device reputation methodology discussed earlier, as the score may change, but not enough to prevent an initial log-on. However, by using network-based authentication, the network knows not to send any data to a fake device, but only to the real one. Meanwhile, the location process through triangulation of the mobile network further validates the device. If the phone reports its true location and the network verifies it, you can be assured that the location for the customer is near where the transaction is being attempted.
With the explosion of smartphones, more and more mobile business–shopping, paying bills, and buying tickets–is becoming mainstream. E-commerce merchants must take necessary steps to provide customers with a safe and secure buying experience. Staying on top of the latest security measures is a constant challenge, and security and technology providers are working around the clock to develop and deliver the best protection methods to move with the ever changing landscape.
Establishing good security practices to maintain compliance and regulations indicates to customers that their safety and privacy is being taken seriously. Consumer confidence is vital to e-commerce business success.
Together, multi-factor network-based device authentication and mobile account ownership data can mean the difference between allowing a customer’s real mobile phone to log into an account and a criminal’s phone. Perhaps the most effective part of this security strategy is that there is no change required in customer behavior. Once they provide consent to have the authentication performed on their phone, the network does the rest. Devices can now be authenticated for banking, or any other secure transactions.
There are many factors that contribute to a successful e-commerce company, and security is absolutely essential for maintaining the business, reputation and repeat customers. Failing to provide the most up-to-date security measures leaves everyone vulnerable to hackers.
Zumigo provides technology that uses location and context to enhance mobile marketing and security. Founded in 2008, the company is based in San Jose, CA.