How can merchants tackle mobile payments fraud?

The mobile channel is growing ever more central to merchants’ strategies as an essential pathway for commerce. However, the growing prominence of mobile begs one important question: how can merchants tackle fraudsters in this new environment?

Kount’s latest whitepaper, Mobile Payments and Fraud: 2018 Report, explores the challenges facing merchants in the mobile channel and the best solutions available.

I spoke to Donald Bush, VP of Marketing, Kount, about the new whitepaper, and the dangers of fraud in a mobile world.

How central is the mobile channel to a merchant’s overall strategy?

That’s a bit of a loaded question because it depends on the kind of merchant you are – if you’re a dating site, it’s absolutely central, whereas if you’re selling cars, it’s important but in a different way. People buying cars will do a lot of browsing via the mobile channel but they’re unlikely to make purchases.

For financial institutions, it’s critical – or for things like digital ticketing, for example. It’s also essential for any business where people might do more browsing or research before they buy – for higher ticket items, such as jewelry – the mobile channel is critical for many things. Our survey shows that more businesses are beginning to realise just how impactful the mobile channel can be.

What channels do merchants believe are at the greatest risk of fraud?

Unfortunately, because the mobile channel’s been around for several years now, most people think that fraud is more likely to come through legacy channels – laptops, desktops, and so on. What they’re missing is that fraudsters are very smart, they’re very sophisticated, and they have a lot of very good tools and fraudsters are very well networked.

Even though we think of our phones as being somewhat secure, with thumb scanners and so on, it’s pretty easy to get through those security systems. If applications aren’t designed with fraud mitigation in mind, it can leave holes wide open for fraudsters to go through, oftentimes fraud an afterthought. We actually see in some industries that the mobile channel is at higher risk than legacy channels.

How does fraud strategy differ for the mobile channel?

You’ve got to look at it in terms of what kind of data is available to determine whether you’re dealing with a legitimate customer or a fraudster. In a legacy system I’ll be using a static IP address, looking for a proxy IP, their geolocation, device information, things that are somewhat static. On the mobile side, I’ve got an IP address that might float with the cell tower, I could be online or on a cellular network. The signals I get are different and so I have to interpret them differently. If my billing address is in London, and I’m making a purchase from Manchester, that might not be illegitimate. Whereas if I make another purchase from Birmingham ten minutes later, there’s probably something fishy going on.

When we think of mobile we also have to consider wearables, smart televisions, mini devices connected through the internet of things, anything that allows you to make purchases or access an account. It’s also important to consider whether legitimate purchases are being made in a normal way via a particular device. I could, for example, schedule an entire holiday via my Xbox, but it’s unlikely. That would be a red flag that we could check out to ensure that the purchase is legitimate.

What are the key technologies and tools used in the mobile channel?

There are some great tools out there, but I wouldn’t necessarily look at tools in this instance. There are merchants that are big enough to consider building their own fraud protection systems – they’ll have their data scientists put together a platform into which they integrate a bunch of tools. One might be a device ID tool, another might be a behaviour analytics tool, or a geolocation or IP proxy detection tool. They might even integrate some machine learning. They put this all together themselves, and there are some great tools out there to utilise. Most merchants don’t do this because they don’t want to make that investment, and once you build it, you own it. Fraud evolves so quickly that keeping up takes their investment and focus away from whatever their primary business is. If I’m to sell shoes, why would I create an entire fraud platform to protect myself when I can rent that at a fraction of a cost, while staying ahead of the game in the process. We typically recommend a platform because it integrates several different technologies, such as those I’ve just mentioned.

The foremost tools used today are CVV and AVS. The problem with both of these is that the information is static, so it’s very easy for fraudsters to steal that information. When they steal credit card data, they steal all of it. The year before last we carried out a test, where we looked at 100,000,000 fraudulent transactions and 98.5% of them had an accurate CVV code. So, to think that a CVV code is going to be a fraud deterrent is simply not the case. These tools give us a sense of security, but in reality, they do almost nothing.

What are the key takeaways merchants should get from reading the report?

Most merchants are not fraud experts, they’re typically novices, at best. They get hit by fraud more than others, too. They need to take a look at their systems on an annual basis – just like you do your financial audit every year, we would recommend doing an audit of your fraud system. The techniques and tools that fraudsters use change too quickly for merchants to use the same fraud technology and policies they used the year before.

Merchants often don’t know where to start. I’d make two recommendations. Talk to your payment processor first. They may have tools and services that you’re not taking advantage of, so it’s a good idea to speak to them first of all. Or, alternatively, you can talk to somebody like us. Let us see what you’re doing and how you’re doing it. We’re not out there to con the merchant – we’ll let you know if we have something that will be helpful to you, you can weigh the costs and the opportunities and come to your own conclusion. Let the experts deal with fraud while you get back to building your business.

On a mobile device you’ve got a very small screen. Payment methods are changing regularly, and you have to understand which payment methods are best for you, your product, your region and your customer. From a merchant standpoint, it’s kind of a guessing game. Your payment processor should be able help you determine which payment types you need in order to operate in certain countries. Studies have shown that not only does customer experience and satisfaction increase, but also sales are affected by having the proper payment method on your application, and with mobile the screen is far too small to have fifty different payment types on there.

To find out more, download Kount’s Mobile Payments and Fraud: 2018 Report.

Related reading