How do we mitigate fraud risks when it comes to mobile payments?

23 Jan 2018

Michael Lynch, chief strategy officer at InAuth. Image: InAuth

Mobile payments are convenient, but they present a new set of risks.

With many of us making more and more payments via mobile devices, seamless authentication is becoming increasingly important in the fight against fraud. InAuth is a digital device intelligence company that helps organisations to reduce fraud, mitigate risks and make this process as frictionless as possible.

Michael Lynch is the chief strategy officer at InAuth, and he spoke to Siliconrepublic.com about the risks an insecure mobile payments system can present, as well as the growing importance of authentication in a mobile-first world.

“With the exponential increase in customers using their mobile device for more transactions than ever before, from ordering coffee to transferring money digitally to a friend, to getting cash from an ATM with their smartphone, it’s not surprising that fraudsters continue to seek ways to exploit the mobile channel, making it imperative to protect against malware and crimeware attacks,” Lynch said.

Legacy technology is no longer enough

Many legacy authentication methods just won’t cut it in this sophisticated digital age with increasingly clever cyber-criminals. Lynch said that exposure points and methods of being attacked continue to grow. “We know that the password security methods are antiquated and broken.”

He noted that many organisations still use text message as an authentication method “even though this method is also known to be vulnerable to social engineering and ‘man-in-the-middle’ attacks, in addition to malware and other means of compromise”.

New mobile payment innovations such as digital wallets, cardless ATMs and P2P payments are convenient, but also open up a wide range of opportunities for fraudsters.

There are numerous mobile risks, Lynch added, including ‘velocity attacks’ where fraudsters try to use the same device to load many different credit cards or payment types, in order to avoid having to continually purchase new devices for committing fraud.

Device spoofing is carried out to impersonate a true customer’s device or to defeat negative lists, and fraudsters can also download malicious apps directly from an app store or a third-party site, or attempt account takeovers through phishing/smishing schemes using social engineering techniques to trick unsuspecting end users into clicking on malicious links.

The phenomenon of ‘side loading’ in malvertising is another major issue. This is a technique used by fraudsters to trick end users into thinking they have done their due diligence and that the app they are installing is safe.

All organisations need fraud-prevention strategies

Retail firms need to prevent fraudulent transactions – the travel industry, for example, falls victim to mobile fraud on a regular basis.

It’s not just major financial or commerce firms that should be aware of mobile fraud, Lynch maintained. “Any organisation that conducts all, or even a portion of, its transactions via mobile or web browser, and is transmitting sensitive information, can benefit from implementing device intelligence and authentication technology like InAuth’s.”

Healthcare professionals are delivering more information relating to private patient matters through digital channels than ever before, with safety and device integrity being of paramount importance.

It’s not all doom and gloom, Lynch assured, and mobile devices have also offered many new opportunities to combat fraud: “Mobile devices have thousands of attributes, such as device operating system, product information and display information.”

By using a data-driven approach and conducting deep device interrogation, a unique and permanent ID can be created for every device, which “can be correlated with legitimate users to know that the device they are using is their typical, and therefore trusted, device”.

This is known as the ‘something you have’ factor in authentication. The biometric or ID/password are the ‘something you are’ or ‘something you know’ factors in multi-factor authentication.

A trusted device identifier allows businesses to recognise known devices with confidence, “allowing good customers to transact faster and with less friction, while blocking potentially fraudulent transactions”.

Potential fraud attempts can also be mitigated using mobile data elements, helping organisations to uncover high-risk factors and detect fraud attacks from the same device en masse, as seen in the aforementioned velocity attacks.

Markers of authenticity for mobile payments

What factors can we use from our devices to determine their authenticity? The list is long. From geolocation and OS details as well as abilities to detect malware, to GPS spoofers, malicious apps and emulators, we have a mine of information.

Until recently, fraud-prevention tactics have been cumbersome and have created more friction, Lynch said. This in turn tends to have a negative effect across the entire transaction cycle, resulting in everything from “abandoned shopping carts in the retail space to poor customer service experiences at financial institutions”.

In a world where immediacy and ease of transactions are prized, a new bar has been set and mobile transactions have to meet these new standards.

InAuth’s real-time device interrogation aims to allow businesses to make more confident transaction decisions in a way that is not detectable to the customer, while fighting fraud and the potential for transaction abandonment.

Lynch explained: “We can interrogate the device for suspicious behaviour. For example, InMobile can determine if the device has been rooted or jailbroken – perhaps without the customer’s knowledge – or whether the customer mistakenly loaded a malicious app, or if the location of the transaction is unusual.”

In the end, building and retaining user trust while providing strong defences against the multitude of risks out there in the world of payments should be a priority for any business.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects

editorial@siliconrepublic.com