Mobile payments have been gaining popularity, especially among younger consumers, with a 41% jump in volume from 2018 to 2019. Now there are urgent reasons for more consumers to pay with their phones. As the COVID-19 pandemic spreads, mobile checkout and online banking apps are helping millions of people take care of business while they’re stuck at home.
However, this shift toward mobile payments means there’s a new group of people using new-to-them technology to move their money. That presents an opportunity for fraudsters to strike. Already, the mobile channel represents more than half of all online fraud. Industry analysts expect more mobile fraud attempts as people shop, move money and receive their government stimulus payments through digital channels.
Here’s how businesses can protect themselves as mobile sales activity increases.
Account takeover is a persistent threat to mobile commerce
Fraudsters are persistent and creative, which means they’ve found multiple ways to exploit mobile payment and banking tools. Account takeover (ATO) fraud is a fast-growing type of crime that occurs when criminals get access to an accountholder’s login credentials. Aite Group reported in 2018 that ATOs were one of the top two causes of fraud losses for financial institutions.
Thieves may get the credentials they need for ATO from a data breach, a SIM swap attack, a phishing attack, a fake mobile app or by impersonating a retailer or bank brand. However the criminals obtain the login information, once they have it they can make purchases using the victim’s customer accounts with online merchants—usually without triggering suspicion of fraud. If they’re able to take over the victim’s financial accounts, they can do even more damage, like requesting higher credit limits and applying for loans.
With so many paths to take over accounts, how can merchants protect themselves? Let’s look at each of the ATO vectors.
Data breaches are a huge problem that grows by the day. The exposure of a customer’s login credentials for one account would be problematic enough, but the problem is made worse by the common habit of reusing passwords for more than one account. So, if thieves get someone’s Facebook login information, they may also be able to get into their email, Amazon or checking account.
Although merchants can’t require that customers use a unique password for their store accounts, they can require strong passwords. That can make it harder for fraudsters to crack the password if they only have the customer’s email address.
SIM swap attacks are particularly hard to combat, because fraudsters don’t have to be anywhere near the victim’s phone in order to take it over. All they need is the victim’s phone number and the ability to persuade the carrier’s customer service department to assign that number to a new SIM card—or the money to bribe a corrupt carrier employee to make the change. Once that happens, even SMS-based two-factor authentication is under the control of the criminal.
For this reason, it’s best if merchants find ways besides SMS to authenticate customers’ logins, devices and orders. A combination of behavioral biometrics, geolocation data, device fingerprinting and other indicators may spot anomalies that indicate ATO.
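The combination just described can be turned into a simple login-risk score. The following is an added example, not code from the article or from any fraud vendor: it scores a mobile login from a device fingerprint, geolocation (including an impossible-travel check against the previous login) and one behavioral signal (typing cadence), and deliberately gives no credit for a passed SMS one-time code, since a SIM swap puts that code in the attacker's hands. The profile, the two login events, the weights and the thresholds are all constructed assumptions.

```python
"""Added example: ATO risk scoring for a mobile login from device, geolocation
and behavioral signals. Profiles, weights, thresholds and events are constructed
sample data, not the article's or any vendor's code."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class AccountProfile:
    known_devices: frozenset      # device fingerprints seen on past successful logins
    usual_country: str
    last_lat: float               # location of the last successful login
    last_lon: float
    last_login_ts: int            # Unix seconds
    typing_interval_ms: float     # mean inter-keystroke interval on past logins


@dataclass
class LoginEvent:
    device_id: str
    country: str
    lat: float
    lon: float
    ts: int
    typing_interval_ms: float
    sms_otp_passed: bool          # deliberately NOT trusted, see risk_score()


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def risk_score(profile, event):
    """Return (score, reasons). The weights are illustrative assumptions."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 30
        reasons.append("unknown device fingerprint")
    if event.country != profile.usual_country:
        score += 20
        reasons.append("login from unusual country")
    # Impossible travel: distance from the last login divided by elapsed time.
    dist_km = haversine_km(profile.last_lat, profile.last_lon, event.lat, event.lon)
    hours = max((event.ts - profile.last_login_ts) / 3600.0, 1 / 3600.0)
    if dist_km / hours > 900:           # faster than a commercial flight
        score += 40
        reasons.append("impossible travel")
    # Behavioral biometric: typing cadence more than 50% off the user's own norm.
    if abs(event.typing_interval_ms - profile.typing_interval_ms) > 0.5 * profile.typing_interval_ms:
        score += 25
        reasons.append("typing cadence mismatch")
    # A passed SMS OTP does not lower the score: after a SIM swap the attacker
    # receives that code too, so it must not offset the other signals.
    return score, reasons


def decision(score):
    """Map a score to an action; thresholds are assumptions."""
    if score >= 60:
        return "step-up"      # require a non-SMS factor (app push, hardware key) or review
    if score >= 30:
        return "challenge"
    return "allow"


# Constructed sample data: a New York customer with one known phone.
PROFILE = AccountProfile(frozenset({"fp-a1b2"}), "US", 40.71, -74.01, 1_700_000_000, 180.0)
# Same phone, same city, two hours later, normal cadence.
LEGIT = LoginEvent("fp-a1b2", "US", 40.73, -74.00, 1_700_007_200, 170.0, True)
# New device in London one hour after a New York login, much faster typing, OTP "passed".
SUSPECT = LoginEvent("fp-zz99", "GB", 51.51, -0.13, 1_700_003_600, 80.0, True)

if __name__ == "__main__":
    for name, ev in (("legit", LEGIT), ("suspect", SUSPECT)):
        s, why = risk_score(PROFILE, ev)
        print(name, s, decision(s), why)
```

In production the weights would be learned from labelled history rather than fixed, and the cadence feature would be a richer vector than a single mean interval; the structure (independent signals summed into a score, SMS excluded from the mitigating side) is what the passage calls for.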
Phishing, fake apps and brand impersonation are all ways that criminals exploit the trust that businesses work hard to build with their customers and the public. Fighting these types of attacks requires vigilance and ongoing customer communication.
For example, merchants should monitor social media and app outlets for mentions of their brand, to spot and report brand impersonations as they appear. Merchants’ customer service teams should raise internal alerts when customers report they’ve been phished via email, text or the web. And merchant communications departments should proactively and regularly counter misinformation with clear statements about how the company contacts customers, the kinds of information they’ll never ask for, and where to find legitimate apps and information.
CNP fraud detection in the mobile channel is different
Even without taking over someone’s accounts, fraudsters armed with stolen credit card data can wreak havoc through mobile payment channels. That’s because many merchants use the same fraud controls for mobile orders and desktop orders, even though the processes require different approaches.
Mobile checkout is often streamlined to reduce the amount of data shoppers have to key in. So, indicators like the ones mentioned earlier—geolocation, device fingerprint and behavioral biometrics—are needed to help spot mobile fraud without increasing false declines.
Merchants should also monitor fraud by channel, to see how much each channel contributes to total fraud losses. That can help with decisions about where to allocate their fraud-prevention budget.
App security is an ongoing responsibility
Finally, merchants must ensure that their apps and websites don’t allow hackers in. Regular site scans for malware and unauthorized scripts can help detect “formjacking” attacks that silently steal customers’ payment data as they enter it. Mobile shopping apps should be developed with security best practices in mind. They should also be tested regularly for security vulnerabilities and updated as needed to keep customer data safe.
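One concrete form of the "scan for unauthorized scripts" control is to compare the scripts on a served checkout page against a known-good baseline. The following is an added example, not code from the article: it collects external script URLs and SHA-256 hashes of inline script bodies with Python's standard-library HTML parser, builds a baseline from a known-good copy of the page, and reports any script that is not in it. The two HTML pages and the hostnames in them are constructed samples.

```python
"""Added example: detect formjacking by comparing a page's scripts against a
known-good baseline. Pages and hostnames are constructed, not the article's
or any vendor's code."""
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline_hashes = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # Script bodies may arrive in several chunks; buffer until </script>.
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip().encode()
            self.inline_hashes.append(hashlib.sha256(body).hexdigest())


def collect_scripts(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p


def baseline_from_html(html):
    """Baseline = the set of script URLs and inline hashes on a known-good page."""
    p = collect_scripts(html)
    return {"external": set(p.external), "inline": set(p.inline_hashes)}


def scan_page(html, baseline):
    """Return findings for scripts absent from the baseline; empty list means clean."""
    p = collect_scripts(html)
    findings = []
    for src in p.external:
        if src not in baseline["external"]:
            findings.append(("unexpected external script", src))
    for h in p.inline_hashes:
        if h not in baseline["inline"]:
            findings.append(("unexpected inline script (sha256)", h))
    return findings


# Constructed known-good checkout page (assumed hostname).
KNOWN_GOOD = """<html><head>
<script src="https://assets.shop.example/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
</head><body><form id="payment">...</form></body></html>"""

# Constructed copy of the same page with two scripts added (placeholder hostname).
TAMPERED = """<html><head>
<script src="https://assets.shop.example/checkout.js"></script>
<script>window.checkoutConfig = {currency: "USD"};</script>
<script src="https://unknown-host.invalid/analytics.js"></script>
<script>/* injected */ var t = 1;</script>
</head><body><form id="payment">...</form></body></html>"""

BASELINE = baseline_from_html(KNOWN_GOOD)

if __name__ == "__main__":
    print("known-good:", scan_page(KNOWN_GOOD, BASELINE))
    print("tampered:  ", scan_page(TAMPERED, BASELINE))
```

The baseline should be generated from the deployed build artifacts rather than from a page fetched earlier, so that a compromise present at baseline time is not silently accepted; versioned script URLs mean the baseline must be refreshed on each release. The scan complements, rather than replaces, Subresource Integrity attributes and a Content-Security-Policy, which make injected scripts fail to load in the first place.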
What’s next for mobile payment security?
As fraud prevention companies, merchants and banks gather and leverage more data, it’s becoming possible to use analytics to spot large-scale, sophisticated attacks that can get past typical fraud filters. For example, group analysis moves beyond analyzing individual orders for fraud flags and instead looks at batches. With group analysis, what looks like a series of good orders might be revealed to be a batch of fraudulent purchases using separate hijacked payment accounts from the same bank.
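The batch view described above can be illustrated with a small grouping routine. The following is an added example, not the article's or any vendor's code: it groups orders by issuing-bank BIN, device fingerprint and shipping ZIP, then flags any group in which several distinct card tokens are used within a short time window, which is exactly the pattern that looks clean order-by-order. The order records, field names, window and threshold are constructed assumptions.

```python
"""Added example: group analysis over a batch of orders. Orders, field names,
window and threshold are constructed sample data, not the article's or any
vendor's code."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    card_token: str    # tokenized PAN; distinct per physical card
    issuer_bin: str    # first six digits, identifies the issuing bank
    device_id: str     # device fingerprint of the checkout session
    ship_zip: str
    amount: float
    ts: int            # Unix seconds


def find_suspicious_batches(orders, window_s=3600, min_cards=3):
    """Flag groups of orders that share (issuer BIN, device, ship ZIP) and use at
    least `min_cards` distinct cards inside any `window_s`-second window.
    Returns {group_key: sorted order ids}."""
    groups = defaultdict(list)
    for o in orders:
        groups[(o.issuer_bin, o.device_id, o.ship_zip)].append(o)

    flagged = {}
    for key, members in groups.items():
        members.sort(key=lambda o: o.ts)
        hits = set()
        start = 0
        # Sliding window over the time-ordered members of the group.
        for end in range(len(members)):
            while members[end].ts - members[start].ts > window_s:
                start += 1
            window = members[start:end + 1]
            if len({o.card_token for o in window}) >= min_cards:
                hits.update(o.order_id for o in window)
        if hits:
            flagged[key] = sorted(hits)
    return flagged


# Constructed sample batch. Individually every order is unremarkable.
BASE = 1_700_000_000
SAMPLE_ORDERS = [
    # Four different cards from the same bank, one device, one ZIP, 40 minutes.
    Order("O-101", "tok-a", "411111", "D-77", "10001", 49.00, BASE),
    Order("O-102", "tok-b", "411111", "D-77", "10001", 62.50, BASE + 600),
    Order("O-103", "tok-c", "411111", "D-77", "10001", 89.99, BASE + 1500),
    Order("O-104", "tok-d", "411111", "D-77", "10001", 54.00, BASE + 2400),
    # A repeat customer: same card twice from one device. Not a batch.
    Order("O-201", "tok-r", "522222", "D-1", "94107", 120.00, BASE),
    Order("O-202", "tok-r", "522222", "D-1", "94107", 35.00, BASE + 900),
    # Two unrelated shoppers from the same bank on different devices.
    Order("O-301", "tok-x", "411111", "D-5", "60601", 20.00, BASE + 100),
    Order("O-302", "tok-y", "411111", "D-9", "30301", 75.00, BASE + 200),
]

if __name__ == "__main__":
    for key, ids in find_suspicious_batches(SAMPLE_ORDERS).items():
        print("suspicious batch", key, ids)
```

Which attributes to group on is the real design decision: device fingerprint and shipping address catch a single operator cycling through cards, while grouping on BIN alone across many devices would catch the other shape the passage mentions, a set of hijacked accounts from one bank used by a distributed crew; a production system runs several groupings side by side.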
By implementing multiple layers of fraud-prevention tactics, prioritizing data security and adopting new fraud-detection methods as they emerge, merchants can protect themselves in two ways. First, by reducing the incidence of ATO, CNP fraud and data theft, they reduce their fraud losses. Second, by making it difficult for fraudsters to succeed against them, they protect their customers’ data and encourage criminals to move on in search of other targets. That’s a security posture that benefits everyone now and will continue to deliver benefits once our current crisis is past.