Mobile Fraud: Basic Data Still in Short Supply
Recent report confirms some concerns, highlights opportunities
By CardNotPresent.com Staff
While users of mobile devices routinely express concern over the security of mobile payments, the data that might confirm or alleviate their fears is tough to come by.
Security experts and even the Federal Trade Commission (FTC) have issued warnings and offered up various likely fraud scenarios, from intercepted Web traffic to stolen phones. And, although experts are trying to get a handle on the level of payments fraud committed using mobile devices, right now that’s difficult if not impossible.
“The truth is that most merchants don’t have the ability to determine whether a given transaction originates on a mobile device,” says David Montague, president and lead consultant with The Fraud Practice, based in Sarasota, Fla. “That makes it very difficult to identify what, if any, trends might be surfacing with regard to mobile payments fraud.”
Montague’s firm, along with antifraud technology provider Kount and CardNotPresent.com, sponsored the 2013 Mobile Survey, which found that while a large majority of merchants (more than 79 percent) think it is important to detect when a transaction is conducted by mobile device, fewer than half could actually accomplish the feat. Not surprisingly, larger merchants are more likely to be able to detect purchases on mobile devices, but even in that segment, the detection rate is only about 50-50.
Overall, fraud in the mobile channel is not too much of a concern right now, but it will become one, Montague says. The fact that merchants can’t even tell if a transaction is originating on a mobile device is a sign they will not be prepared when fraud inevitably migrates to mobile devices.
“Mobile device fraud probably is not widespread now because consumers aren’t using smart phones and tablets for payments on a large scale, but it is going to grow, in part because the consumer wants convenience first, security second,” he says. “Beyond a certain point, security features that make transactions less convenient aren’t likely to be adopted.”
Don Bush, vice president of Marketing at Boise, ID-based Kount, agrees. “Retailers are focused on the growth of mobile transactions,” he points out. “The Mobile Survey results indicate many are unprepared for the fraud that will inevitably follow.”
Concern over mobile-device fraud and card-not-present fraud in general is likely to increase, however. FICO, a provider of predictive analytics and decision management technology, released data in 2012 from the FICO Falcon Fraud Manager Consortium that shows a continuing shift towards online, mail-order and telephone-order fraud. FICO found that card-not-present fraud losses increased at twice the rate of counterfeit-card losses. Card-not-present fraud accounted for the highest level of both total fraud loss and fraud volume. That may get worse as EMV implementation in the U.S. makes card counterfeiting more difficult.
Stemming the tide of card-not-present fraud, and especially mobile device-based fraud, may start with consumer education, but that has limits—especially if the primary goal is to increase CNP sales. In fact, it’s possible that too much emphasis on security may reinforce the idea that mobile payments, in particular, are riskier for both merchant and consumer.
“The onus is on us, as an industry,” says Montague. “Merchants, app developers and payments companies have to deploy the strategies and tools to prevent, detect and minimize fraud.”
At this point, the jury is still out for merchants regarding the need for specialized mobile fraud tools. The 2013 Mobile Survey found that even though the mobile channel currently accounts for a fairly small portion of current sales, especially in larger firms, more than 17 percent of survey respondents believe mobile transactions require specialized tools for managing fraud risk. That percentage is generally higher in the revenue categories and retail segments where mobile transactions make up a larger share of sales. Another 45.7 percent believe that existing fraud management tools can’t adequately support mobile payments.
In its March 2013 report on mobile payments, the Federal Trade Commission focused on fraud prevention rather than risk management. And it, too, put the onus on the mobile payments industry, suggesting that end-to-end encryption, using secure elements to isolate and protect sensitive card data, and other built-in security measures, should be the norm for mobile-payment transactions. These suggestions point to the most obvious difference between mobile devices and the kinds of fraud most CNP merchants are accustomed to dealing with: the amount of data stored on mobile devices and the connected nature of those devices make them somewhat easier to secure, but when they’re hacked, they can be much more effective in facilitating fraud.
“Mobile payment providers should increase data security as sensitive financial information moves through the payment channel, and encourage adoption of strong security measures by all companies in the mobile payments chain.” The FTC report concluded. “Consumers may be harmed when less responsible companies use insecure methods to collect and store payment information. Further, the reputation of the industry as a whole may suffer if consumers believe lax security practices are the norm.”
David Montague has made several presentations in recent weeks detailing findings of The 2013 Mobile Survey. He delivered a keynote address at the CNP Expo (pictured above) in May and conducted an hour-long Webinar on the topic. A rebroadcast of the Webinar is available here . To download the full 2013 Mobile Survey for free—including a detailed breakdown of how companies in different verticals view mobile payments and how they are addressing fraud— click here .