Detecting and preventing mobile wallet fraud
This is a guest post by Ryan Wilk, director of customer success at NuData Security.
Forrester Research predicts that mobile payments will total $90 billion in the U.S. by 2017, a huge increase over the $12.8 billion consumers spent in 2012. This significant growth speaks to the increasing adoption of this payment method. There are two types to choose from. One type works through contactless technologies such as Near Field Communication (NFC) built into mobile phones. The payment goes through the merchant’s POS system and the relevant payment-processing environment, not relying on the mobile carrier’s network.
The other type is an app (mobile wallet) that allows payment to be processed through the mobile carrier’s network, as is the case with banks. A mobile wallet has several key components, including the ability to provision account information, payment origination and payment processing.
Comscore reports that the number of mobile-only Internet users now exceeds desktop-only in the U.S. As mobile devices continue to dominate, banks and payment providers are coming under pressure to come out with their own mobile banking apps, but security fears abound.
The reason for these security fears is that mobile apps currently store many and varied credit card details. These real concerns include loss of privacy, loss of security around financial transactions, data loss and the perception of insecurity. Legitimate applications passing user data to other applications or third parties in an unauthorized manner is becoming well known in the public arena – as it should. Also, a possible drawback to the mobile wallet and secure element solution is that a single PIN unlocks all of the accounts stored in the wallet, resulting in much greater exposure.
Scary stuff, right? But if you can address security issues, consumers who have been holding back out of fear will be more likely to embrace mobile wallets – and you will be enjoying a new revenue stream.
It’s All About Behavior
That seems like a pretty big “if,” doesn’t it? Security issues are big, but they are not impossible to overcome. Securing payments via mobile wallets begins with being able to trust the user behind the device by verifying the user based on behavior. Using advanced behavioral biometrics will allow you to detect genuine good users more accurately and improve the customer experience. Tracking behavioral patterns lets you learn who the real user is behind the wallet, from the kind of device they use to even detecting behavioral anomalies over time. When it comes to fraud attempts, banks can leverage that same information to quickly spot bad actors attempting to cycle stolen card details.
What’s so effective about behavioral biometrics is that it focuses on observed characteristics of who the user is, not just who they tell you they are. It continuously profiles users and accounts through their entire lifecycle across multiple channels, including desktop and mobile Web and native apps. Continuously profiling users’ behavior empowers two key capabilities. First, it enables risk managers to detect and respond to risk sooner, reducing the chance of financial loss. Second, when the user does reach a transaction point, fraud managers have full context of all their previous actions and behavior to make a better decision on the transaction.
How do all these observed characteristics get aggregated? Non-PII networks analyze billions of transactions, including user behaviors, to create a store of anonymous identities that are categorized as good users and riskier users. These identities remain completely anonymous and adhere to stringent privacy laws. With this collection of identities, a bank is provided an early warning system that is able to alert them when a user is behaving “badly,” even if it is the first time the user is approaching one of their sites.
By having user behavior biometrics available to study, you can answer important questions like, “How did the user behave previously when they logged in? Are they behaving the same now?” In other words, is this the real user accessing this account? Also, when the user is inputting data, is it similar to how they’ve interacted on the same mobile device before, or is it completely different? Is this “user” creating a fraudulent mobile wallet with stolen account information?
Another important question to ask is, “Is this user’s behavior repeated?” Repeated behavior yields important information. If the behavior is the same every time they visit, perhaps we can say it’s a good user, acting the same as always. But if it’s the same behavior that 1,000 users are all repeating, it could indicate that this behavior is part of a crime ring that is creating bogus accounts with stolen credit card data. This could be a distributed, low velocity attack – the kind of attack that exposes you to massive amounts of loss. Observing user behavior in detail enables the best chance of beating fraud.
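The two questions above ("is this user behaving as they did before?" and "is the same behavior repeated across many users?") can be expressed as detection logic over session records. The following is an added example, not NuData's method or code from the original post; the session fields, bucket sizes and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample sessions: (account, device, mean ms between keystrokes,
# seconds spent on the card-entry form, whether the card number was pasted).
SESSIONS = [
    ("alice", "dev-A", 182, 41.0, False),
    ("alice", "dev-A", 175, 38.5, False),
    ("alice", "dev-A", 190, 44.2, False),
    ("alice", "dev-A", 179, 40.1, False),
    ("alice", "dev-Z", 12, 3.1, True),   # nothing like her earlier sessions
] + [(f"new-{i}", f"dev-{i}", 11, 3.0, True) for i in range(6)]  # look-alike sign-ups

def fingerprint(keystroke_ms, form_secs, pasted):
    """Coarse behavioral bucket (assumed sizes) so near-identical sessions collide."""
    return (keystroke_ms // 10, round(form_secs), pasted)

def deviates_from_history(history, current, z_limit=3.0):
    """True if current keystroke timing is an outlier against the account's own past."""
    values = [s[2] for s in history]
    if len(values) < 3:
        return False  # too little history to judge either way
    spread = pstdev(values) or 1.0  # avoid dividing by zero on identical history
    return abs(current[2] - mean(values)) / spread > z_limit

def shared_fingerprints(sessions, min_accounts=5):
    """Fingerprints repeated by many distinct accounts: the distributed,
    low-velocity pattern that per-account checks alone would miss."""
    accounts = defaultdict(set)
    for acct, _dev, ks, secs, pasted in sessions:
        accounts[fingerprint(ks, secs, pasted)].add(acct)
    return {fp: sorted(a) for fp, a in accounts.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    print("alice anomalous:", deviates_from_history(SESSIONS[:4], SESSIONS[4]))
    for fp, accts in shared_fingerprints(SESSIONS).items():
        print("shared behavior", fp, "across", len(accts), "accounts")
```

Each of the look-alike sessions is unremarkable on its own; only grouping by behavior across accounts surfaces the cluster, which here also includes the anomalous session on the established account.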
Behavioral Biometrics for Fraud Detection
Mobile wallet adoption is on the rise, giving greater ease and convenience to consumers on the go. However, this technology expands the fraud landscape significantly. A consumer group was able to purchase goods online with card details stolen from an NFC transaction, suggesting that contactless cards are not a solution to risk in and of themselves. Of course, preventing data loss in the first place would be the ideal, but we have to be realistic. Having more accurate detection at the point of sale or at the login would protect consumers, merchants and banks from fraud no matter how the credentials were obtained.
It’s not enough anymore to focus merely on one moment in the transaction timeline, or on one layer of defense. Behavioral biometrics leverages insights gathered from billions of transactions to give payment providers much greater accuracy in detecting and preventing mobile wallet fraud. This method adds an additional layer of protection for both payment providers and their customers, increasing consumer confidence in this still-emerging technology.
DISCLAIMER: BiometricUpdate.com blogs are submitted content. The views expressed in this blog are those of the author, and don’t necessarily reflect the views of BiometricUpdate.com.