Mobile payments will triple in 2016 according to eMarketer, experiencing a 210 percent growth rate this year. In the US, the value of mobile payment transactions will be $27.05 billion, they predict. Mobile Payments Today reported that half of Black Friday’s online purchases were made with mobile devices.
Along with this growth in legitimate transactions comes growth in fraudulent ones. In a LexisNexis study, mobile payments generated 21 percent of fraudulent transactions, though they were only 14 percent of the total number of transactions. This number is expected to grow as credit cards with EMV chips push criminals toward card-not-present transactions. The costs of the fraud are significant, at $3.34 for each fraudulent mobile payment dollar.
Many Kinds of Mobile Payment, Many Kinds of Mobile Payment Fraud
Mobile devices can be used to make payments and, as point-of-sale terminals, to receive them. There are also multiple methods of mobile payment, including credit cards, debit cards, gift cards, and various kinds of digital wallets. This gives criminals multiple ways to commit fraudulent transactions in the mobile world, including:
- identity theft
- fraudulent purchases
- subscription fraud
- dealer fraud
- money laundering
Despite the risks, mobile payments usage will only continue to rise. They’re simply too convenient for customers. New technology, such as Samsung Pay, enables merchants to accept mobile payments without installing new equipment. Increasing the security of these transactions requires the participation of everyone involved, from the device manufacturer to the customer, the merchant, and the payment processor.
Customers need to take steps to protect themselves. This can require giving up a little bit of that mobile payment convenience for increased security. Many users don’t lock their devices, and many use easily broken four-digit passcodes. Many also choose the “Keep Me Logged In” option on apps and sites, which makes them vulnerable if their device is lost or stolen. Mobile device management software allows employers to enforce security policies on devices used for business. Users also need to avoid phishing scams, which include texts sent to phones, and to avoid downloading apps from unknown sites.
Merchants need to implement mobile-specific security measures. To begin with, they need to be able to distinguish mobile transactions from other online payments and use device identification and geolocation. ID authentication is also key. Merchants can use address verification, only ship to verified addresses for new customers, and require logging in to complete a transaction in order to reduce the risk of fraud.
Merchants also need to develop and test their own apps and websites carefully. Good testing practices, along with rules limiting how rapidly transactions can be charged, might have allowed Starbucks to avoid a hack of its gift card app.
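A velocity rule of the kind mentioned above, as an added example (not code from this article or from any merchant). The ten-minute window, the count and dollar limits, and the `Charge` fields are assumed values chosen for illustration, and the sample charges are constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Charge:
    ts: float       # seconds since epoch (hypothetical field names)
    account: str    # customer account or stored-value card id
    amount: float   # charge amount in dollars

class VelocityLimiter:
    """Sliding-window rule: cap the number and total value of approved
    charges per account within `window` seconds (assumed thresholds)."""

    def __init__(self, window=600, max_count=3, max_total=100.0):
        self.window, self.max_count, self.max_total = window, max_count, max_total
        self._approved = defaultdict(deque)  # account -> deque of (ts, amount)

    def check(self, charge):
        """Return 'ok', 'count' or 'total'. Declined charges do not use budget."""
        recent = self._approved[charge.account]
        # Drop approvals that have aged out of the window.
        while recent and charge.ts - recent[0][0] >= self.window:
            recent.popleft()
        if len(recent) >= self.max_count:
            return "count"   # too many charges too quickly
        if sum(a for _, a in recent) + charge.amount > self.max_total:
            return "total"   # too much value too quickly
        recent.append((charge.ts, charge.amount))
        return "ok"

def evaluate(charges, limiter=None):
    """Run charges through the limiter in timestamp order."""
    limiter = limiter or VelocityLimiter()
    return [limiter.check(c) for c in sorted(charges, key=lambda c: c.ts)]

# Constructed sample: a rapid burst on one account, a large pair on another.
SAMPLE = [
    Charge(0, "acct-A", 25.0),
    Charge(5, "acct-A", 25.0),
    Charge(9, "acct-A", 25.0),
    Charge(12, "acct-A", 25.0),   # fourth charge inside the window
    Charge(20, "acct-B", 90.0),
    Charge(30, "acct-B", 20.0),   # pushes the window total past the limit
    Charge(700, "acct-A", 25.0),  # earlier approvals have expired
]

if __name__ == "__main__":
    print(evaluate(SAMPLE))
```

Declined charges are a signal in their own right: a run of `count` results on one account is worth routing to review rather than silently dropping.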
All transaction processing should be secure. Encryption and tokenization should be used to protect sensitive information both in storage and in transit. When available, merchants should use 3D Secure methods; in these methods, users register a card with their bank and enter an ID and password, rather than the card information, to get authorization for a charge.
Mobile Device Makers
Mobile device manufacturers need to build enhanced security features into their devices. Many are incorporating biometrics, such as fingerprint readers. As these features become more common, authentication methods based on these features will provide additional security for mobile payment transactions.
Mobile Payment Processors
Mobile payment processors need to assist merchants in identifying and rejecting fraudulent mobile transactions. Like the merchants themselves, many don’t separate mobile transactions from other online transactions. As a result, the fraud prevention algorithms they use lack data specific to mobile behavior. Payments often pass through intermediate services that don’t transmit all transaction details, which also limits the ability of algorithms to recognize fraud. Cooperation between all parties will be necessary before truly effective fraud detection methods are developed.