Securing m-commerce

Web and mobile technologies join forces to combat mobile fraud.

Bill Siwicki

Like a good detective, Edwin Watts Golf Shops LLC uses fingerprints to find and stop criminals. Not fingerprints in the traditional sense, but device fingerprints, collections of data that identify individual PCs, phones or tablets.

The golf equipment merchant uses fraud prevention technology and services from Visa Inc.-owned CyberSource Corp. CyberSource assigns every new device that accesses Edwin Watts Golf's m-commerce and e-commerce sites a unique identifier. It associates device attributes with that identifier, such as whether Flash, Adobe Inc.'s online imaging technology, is enabled—an attribute that, like a fingerprint, likely will not change. CyberSource then observes the device and assigns common behaviors to it, such as a geographic area.

"Even if your IP address or cookies have changed, the system knows your device from the ID it stores," says Robb McCarter, director of e-commerce at Edwin Watts Golf. This helps the system know if it's a recognized device seeking to make a purchase. The CyberSource system evaluates all the information it collects on the device, along with other identification information and order detail data, such as name and e-mail, and searches for links to historical data. The system looks for patterns and anomalies, using CyberSource's database that contains information about the 60 billion transactions Visa and CyberSource process annually.

In addition to device fingerprinting, Edwin Watts Golf screens transactions using rules it created. For example, the e-retailer caps the number of transactions per hour made from a single device; numerous transactions from the same device in a short period suggest fraud. This occurs within a second or two while a transaction is processed.

The device fingerprinting and fraud screening help the retailer limit fraud to a minuscule 0.003% of sales, McCarter says. That compares to a typical online retailer fraud rate of 1%, experts say.

As mobile commerce grows, so too does the threat of mobile fraud. CyberSource's 2013 online fraud report says in 2012 mobile commerce operators showed a 1.4% rate of revenue lost to fraud. That equates to $350 million of the $25 billion in 2012 mobile sales generated by Internet Retailer Mobile 400 merchants and eBay Inc. This number lines up with Forrester Research Inc.'s estimate that retailers annually lose between $300 million and $400 million.

Criminals use tricks like account takeovers, malware and emulating mobile devices to place fraudulent orders. But retailers can fight back with a number of anti-fraud weapons including device identification and reputation, rules-based screening, and two-factor authentication via text message.

To date, mobile transactions have been less prone to fraud than desktop web transactions because mobile commerce does not yet have what criminals consider enough retailers and consumers to target, experts say. But that is changing as mobile commerce grows.

How criminals perpetrate fraud on the mobile web is not that different from fraud on the web, experts say. "A lot of the types of fraud online retailers deal with already are the types of fraud they are seeing on mobile," says Scott Olson, vice president of product at fraud prevention technology provider iovation Inc.

One of the most common types of mobile fraud is account takeover, where a criminal hacks an account with a retailer in which a consumer stores her billing, shipping and payment information. Forrester Research says up to 40% of mobile fraud is attributable to account takeovers.

Criminals are apt to attempt account takeovers in mobile commerce because retailers encourage consumers to store billing, shipping and payment information in their accounts as that saves them from tedious smartphone typing, experts say.

This is where two-factor authentication can come into play, says Karisse Hendrick, program manager at the Merchant Risk Council, a payment industry trade group. One factor is something a consumer knows, like a password, and the other factor is something a consumer has, like a smartphone, to which a one-time code is texted. The consumer enters the one-time code to authenticate herself and complete a transaction.

Another piece of mobile fraud trickery is device emulation. Here, a criminal sets up his PC in a way that appears to retailers' fraud-screening systems as a mobile device. Experts say criminals emulate mobile devices because they believe fraud screening is not as tight on mobile as it is on the web—and many times, they're right.

"Mobile devices have certain characteristics that make it harder to screen for fraud," says Alisdair Faulkner, chief products officer at ThreatMetrix, a cybercrime technology and services provider. Retailers may not screen for fraud on mobile devices as diligently as they do on the desktop web, he says, because they don't want to block consumers using mobile from making legitimate purchases.

Malware, malicious software used to gain access to mobile devices and the data stored on the devices, is another tool in criminals' toolboxes. When a consumer unknowingly downloads malware, she opens her device to hackers. Once malware is downloaded onto a smartphone, it can scour the device for account and other confidential information and transmit it to the criminals who can use the information for account takeover and other types of fraud.

One in six app downloads contain malware or suspicious URLs, according to a report from web security firm McAfee Inc. And 46% of retailers in 2012 reported their sites were attacked by criminals trying to inject their sites with malware that would be transferred to consumers' web devices—mobile or stationary—when they visited, according to ThreatMetrix.

Mobile devices are vulnerable because consumers often don't take the same precautions they do on a PC, such as using anti-virus programs, says Steve Mott, principal at BetterBuyDesign, a digital and mobile payments and security consulting firm.

Retailers have to educate their customers to be suspicious of web sites with free offers and unexpected text messages with hyperlinks, among other things, experts advise. In mobile fraud, the threat to a retailer generally comes from consumer devices bearing malware, experts say.

"Our biggest challenge is educating customers about mobile safety just like they've been educated about online safety," says Brandon McGee, director, global mobile, at Dell Inc.

Dell includes on its m-commerce site and in its mobile apps icons with security themes such as locks and brief text notes explaining security measures. Dell also assures customers that they won't have to pay for anything they did not purchase. That's important because nearly 75% of U.S. smartphone owners are concerned about security threats to their devices, according to a survey by the National Cyber Security Alliance and mobile security technology vendor NQ Mobile.

While consumers make mobile purchases, retailers are carefully scrutinizing them using fraud prevention technologies. For instance, ThreatMetrix looks at both the device and the shopper and correlates that across the behavior of all his web transactions and across its global network of more than 10,000 sites, Faulkner says.

If ThreatMetrix detects an unknown device, it studies the way in which the consumer (or criminal) uses the device, the sites he visits and the actions he takes, looking for suspicious patterns.

Iovation uses cookies and device fingerprints to track a device's interactions with online businesses that have contracted with it for fraud prevention services and shares that data among its clients, flagging devices that have a history of fraud or abuse. The vendor processes up to 10 million web and mobile transactions per day, Olson says. Mobile devices made up 23% of the computers iovation recognized in March.

Olson says iovation charges on a per-transaction basis, starting at pennies per transaction. He, and other vendors and retailers contacted for this story, declined to be more specific about pricing. Mott of BetterBuyDesign says some vendors charge smaller merchants 8 to 10 cents per transaction for fraud-mitigation services, and larger merchants a bit less because of their higher transaction volume.

It is important to keep fraud monitoring of web and mobile transactions closely tied together, fraud experts and retailers say.

"If you have tight integration across the board you have a far better picture of a customer," says McCarter of Edwin Watts Golf. With consumers using a variety of devices to shop online, tying together the fraud-monitoring process prevents potential hiccups. "If systems are separate and a customer hits a high fraud score on a smartphone and we flagged the transaction, we would be annoying that good customer who we should know based on their history on all their devices."

Device identification along with logging which devices use the same account tie together a customer's behavior across devices, giving retailers a better idea of who exactly is making a purchase regardless of the device.

While criminals have begun devoting more energy to committing fraud in mobile commerce, anti-fraud technology vendors offer retailers tools to stop fraudulent mobile transactions. Anti-fraud technology may simply be part of the cost of doing business today, but it's an investment that can protect retailers in the new mobile arena.



