Smartphone fraudsters: a battle of wits

Paying for goods by mobile phone is meant to make life simpler. But it can cause security headaches, and the crooks have been cashing in.

As companies rush to embrace omnichannel retail, it’s important to remember there are risks as well as rewards. The surge in the number of people worldwide using their smartphones for payments has given the serially unscrupulous new ways of fleecing suppliers of goods and services.

Omnichannel has changed the landscape. Its appeal for marketers is clear: it’s paved the way for more effective and highly targeted promotions that can help improve sales. The technology can, as we all know, improve marketers’ ability to harvest customer data and measure results. These are crucial factors in determining return on investment (ROI) and strengthening the retailer’s bottom line.

According to a recent IBM survey, customers are keen to be seen as individuals – 59% of shoppers want retailers to show they ‘understand’ them, while 64% expect them to know their favourite products. But here’s the rub: the potential financial loss from fraud can be huge – on all fronts. It damages reputations, hikes costs, erodes revenue and can be irreversibly off-putting for customers.

Keeping cybercrooks at bay requires the best risk management systems and using sophisticated software to filter out potential fraud. But the human element is crucial too. Take your eye off the ball – especially with regard to data protection – and you’re in big trouble, as US online retailer Target found to its cost.

Hackers installed malware that captured shoppers’ credit card numbers and stored them on a Target server that they’d commandeered. Worst of all was Target’s slowness to react – credit and debit card information for millions of customers was compromised. “It’s the best example of the need to protect data,” says litigation and regulatory law specialist Stewart Plant from DLA Piper.

“Retailers have significant obligations regarding security – that’s the case with mobile or debit payment,” Plant adds. “They need to be fully aware of this – and clear as to their potential liability in case data is compromised.”

A recent survey by global payments technology company Adyen claims iPhones now account for 10.2% of all online transactions, up from 8.6% at the turn of the year. So the need for vigilance is paramount. But many global firms see it as a burden too far. According to market researchers Ovum, more than half of retailers worldwide are shunning new payment technologies because of security fears.

Yet, according to software producer Cybersource, businesses in the US are managing fraud in both eCommerce and mCommerce more effectively. The company claims that the rate of fraud for online transactions hasn’t changed (from 0.9%) since 2010 – yet volumes increased between 12 and 16% annually.

Cybersource reported that just under half the companies surveyed have taken the plunge into mCommerce. “Those who give mobile fraud management the attention it requires are achieving good results,” it says.

So how is it done? In various ways: through customer order history; card verification number; address verification; IP geolocation information. Device fingerprinting – collecting information about a remote device for identification purposes – is one of the most effective anti-fraud tools, says Cybersource.

According to Adyen, almost 45% of the UK’s online payments were made using a mobile device during the second quarter of 2015 – up almost 2% from the beginning of the year, and more than in any other European country.

But the arrival of a new payment method via Apple Pay has thrown the industry into something of a spin. Yes, it offers new opportunities. But some bankers and analysts were quick to claim that Apple Pay fraud was ‘rampant’ – though that view is far from universal.

Apple does provide customer data to help banks with identity proofing, including information on a customer’s device and, if they’re iTunes customers, whether or not they have a solid history of transactions. A credit or debit card can only be added to Apple Pay when its issuing bank sends an encrypted version of card details to store on the phone. However, addressing identity theft fraud is a challenge still to be overcome.

Security provider Neustar says fraudsters are increasingly stealing and using phone numbers to have passwords reset. That’s why real-time, solid data directly linked to the owner of the information is so imperative, Neustar says.

Moreover, mobile carrier data could greatly help identity proofing – for example, banks could compare the mobile service’s billing address with the card account holder’s billing address. There’s much that can be done, but a joined-up approach is needed. Until then, the rogues around the world who load iPhones with stolen card-not-present card information will always be a challenge for technologists and marketers.

Andrew Mourant, Freelance Journalist, CPL