Mobile wallets: The new fraud frontier
Mobile wallets are enjoying increasing adoption. Payments made via mobile devices in the United States are expected to total $90 billion by 2017, a big jump from the $12.8 billion spent in 2012, according to Forrester Research.
There are two different types of mobile payments. The first type works through contactless technologies such as Near Field Communication (NFC) built into mobile phones. In the case of contactless technologies, the payment traverses the merchant’s POS system and the relevant payment-processing environment, not relying on the mobile carrier’s network, says Ryan Wilk, director, NuData Security.
The second type of mobile payment is a mobile application (mobile wallet) that allows payment to be processed through the mobile carrier’s network, as is the case with banks. A mobile wallet has several key components, including the ability to provision account information, payment origination and payment processing.
With the near-ubiquity of mobile devices, banks are under pressure to come out with their own mobile banking apps, but security fears abound.
Mobile apps currently hold many and varied credit card details, raising concerns about security. These valid concerns include loss of privacy, loss of security around financial transactions, data loss and the perception of insecurity. Legitimate applications passing user data to other applications or third parties in an unauthorised manner is gaining more attention in the public arena – as it should. In addition, a possible drawback to the mobile wallet and secure element solution is that a single pin unlocks all of the accounts stored in the wallet, resulting in much greater exposure.
Financial institutions that can ease security fears, offer money-saving incentives and promote widespread acceptance of mobile wallets may see more customers embrace them.
Behavioural Analytics: Putting Fraud in Context
But where to begin? With a company’s bottom line, brand reputation and customer loyalty on the line, how can institutions secure payments via mobile wallets? They need to really trust the user behind the device by verifying the user based on behavior. Deploying advanced user behavioral analytics will allow the organisation to detect genuine good users more accurately and improve the customer experience. Tracking behavioural patterns lets you learn who the real user is behind the wallet, from the kind of device they use to even detecting behavioural anomalies over time. When it comes to fraud attempts, banks can leverage that same information to quickly spot bad actors attempting to cycle stolen card details.
How does behavioural analytics work? Behavioural analytics focuses on observed characteristics of who the user is, not just who they tell you they are. It continuously profiles users and accounts through their entire lifecycle across multiple channels, including: desktop and mobile Web and native apps. Continuously profiling users’ behaviour empowers two key capabilities. First, it enables risk managers to detect and respond to risk sooner, reducing the chance of financial loss. Second, when the user does reach a transaction point, fraud managers have full context of all their previous actions and behaviour to make a better decision on the transaction.
To collect all these observed characteristics, non-PII networks analyse billions of transactions, including user behaviours, to create a store of anonymous identities that are categorised as good users and riskier users. These identities remain completely anonymous and adhere to stringent privacy laws. With this collection of identities, a bank is provided an early warning system that is able to alert them when a user is behaving behaving “badly,” even if it is the first time the user is approaching one of their sites.
User behaviour analytics can help answer bigger questions, such as:
- How did the user behave previously when they logged in? Are they behaving the same now? In other words, is this the real user accessing this account?
- When the user is inputting data, is it similar to how they’ve interacted on the same mobile device before, or is it completely different?
- Is this “user” creating a fraudulent mobile wallet with stolen account information?
- Is their behaviour repeated? Repeated behaviour yields important information. If the behaviour is the same every time they visit, perhaps we can say it’s a good user, acting the same as always. But if it’s the same behaviour that 1,000 users are all repeating, it could indicate that this behaviour is part of a crime ring that is creating bogus accounts with stolen credit card data. This could be a distributed, low velocity attack – the kind of attack that exposes you to massive amounts of loss.
Observing user behaviour in detail enables the best chance of beating fraud.
Fighting Fraud with Behavioural Insight
There are at least 20 mobile wallet systems currently in use, according to a study from the Carlisle & Gallagher Group. This expands the threat landscape significantly. The fact that The Which? team was able to purchase goods online with card details stolen from an NFC transaction suggests that contactless cards are not a solution to risk in and of themselves. Of course, preventing data lost in the first place would be the ideal, but we have to be realistic. Having more accurate detection at the point of sale or at the login would protect consumers, merchants and banks from fraud no matter how the credentials were attained.
Relying on a single layer of defence at a single point in the transaction chain is always going to end badly. Profiling across multiple channels, using analysis from billions of transactions, provides the insight needed to more accurately detect mobile wallet fraud. Behavioural analytics offer banks the insight they need in order to protect themselves and their customers from fraudulent activity.
The author of this blog is Ryan Wilk, director, NuData Security.
Comment on this article below or via Twitter: @ VanillaPlusMag OR @jcvplus