5 Security Concerns with Mobile Payments

Shopping on smartphones and tablets is convenient for consumers and provides merchants with increased revenue streams. It also changes the payment fraud landscape.

As merchants race to accept mobile transactions, fraudsters will move to exploit the vulnerabilities of those who have not mastered the techniques and technologies to fight mobile payment fraud.

Here are five security concerns with mobile payments.

Multiple Hardware and Software

As opposed to desktop and laptop computers, the mobile device landscape is more varied both in hardware and operating systems. Some consumers still use lower-end devices running older versions of Android and iOS. This is especially true in South America and Asia, where smartphones and mobile payments are gaining traction, but users can’t afford cutting-edge technology and aren’t well versed in the fundamentals of mobile security.

This makes these devices vulnerable to known attacks and exploits and makes them easy targets for fraudsters and hackers. Therefore, even if a mobile app is secure per se, a user’s device might not be.

This can be addressed by including some of the newer smartphone technologies in your payment apps, such as fingerprint scanners, face and voice recognition, and geofencing. All of these tie functionality to a user's biometric or geographical data, which prevents fraudsters from logging into a user's account from a remote location or an unknown device to make payments or drain funds.


However, many devices don't support these features. You'll need a fallback method at the service level to make up for a potential lack of protection at the consumer level. For example, if your app detects no biometric authentication features on the user's phone, the app can require the user to verify their identity through a code sent to a backup email address.
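The service-side fallback described above, as an added example that is not from the article: the server picks the strongest factor the device reports, and when none is available it issues a one-time code for delivery to the backup email address. The code store is in-memory and illustrative; the five-minute lifetime, the five-attempt limit, and the `DeviceCapabilities` flags are assumptions, not values from the page. Only an HMAC of each code is kept, so a leaked table does not reveal live codes, and each code is single-use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumed policy: lock the code after five wrong guesses


@dataclass
class DeviceCapabilities:
    """Capabilities the app reports at login (assumed field names)."""
    fingerprint: bool = False
    face_id: bool = False
    voice: bool = False


def choose_auth_method(caps: DeviceCapabilities) -> str:
    """Pick the strongest available factor; fall back to an emailed one-time code."""
    if caps.fingerprint or caps.face_id:
        return "biometric"
    if caps.voice:
        return "voice"
    return "email_otp"


@dataclass
class PendingCode:
    digest: str         # HMAC of the code, never the code itself
    expires_at: float   # absolute time after which the code is dead
    attempts: int = 0   # wrong guesses so far


class EmailOtpService:
    """Server-side one-time-code store keyed by user id (in-memory, illustrative)."""

    def __init__(self, server_secret: bytes, now=time.time):
        self._secret = server_secret
        self._now = now                       # injectable clock for testing
        self._pending: dict[str, PendingCode] = {}

    def _digest(self, user_id: str, code: str) -> str:
        # Bind the code to the user so a digest cannot be replayed across accounts.
        msg = f"{user_id}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: str) -> str:
        """Create a fresh 6-digit code from a CSPRNG; the caller emails it and must not log it."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user_id] = PendingCode(
            digest=self._digest(user_id, code),
            expires_at=self._now() + OTP_TTL_SECONDS,
        )
        return code

    def verify(self, user_id: str, code: str) -> bool:
        """Constant-time check; expired or over-tried codes are discarded, valid ones are single-use."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        if self._now() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.digest, self._digest(user_id, code))
        if ok:
            del self._pending[user_id]
        return ok
```

In a real deployment the pending-code table lives in a shared store with the same expiry, and the code is sent out-of-band; the email channel itself is only as strong as the backup mailbox, so the attempt limit and short lifetime are what keep guessing impractical.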

Malicious App Clones

Apple and Google both have stringent requirements on their app stores to prevent the upload of malicious apps. However, fraudsters still find ways to get virus-infected clones of payment apps onto users' devices. For Android devices, these apps are published on alternate, less regulated app stores or distributed as standalone .apk packages, i.e., application files sent as email attachments.

In the case of iOS devices, fraudsters target users with so-called jailbroken devices, which let those users circumvent Apple's stringent app rules and install applications that aren't published on Apple's App Store.

Unfortunately, not all smartphone users install anti-malware tools. Those users won't be able to detect malicious apps installed on their devices. Malware that targets payment and banking apps has been seen on several occasions, and will likely continue to be an issue as mobile payments become more popular.

Researchers are developing technologies and solutions that will help identify malicious clones. But the most effective method to protect your customers against malicious apps is to make it clear on your website and in your terms and conditions that you will only distribute your applications through mainstream app stores, and to discourage users from accepting or installing mobile apps coming from other sources.

Bad User Habits

Even if you have a dedicated mobile app, some customers may still use your website’s mobile version to place orders and make purchases. A study by payment security startup Riskified shows that the vast majority of shoppers use the Safari and Chrome browsers to make browser-based payments.

However, a small percentage continues to use the Android stock browser, which is the default browser on many Android devices. Riskified found that of all mobile browsers, the Android stock browser is the most abused by fraudsters. In fact, 3 percent of travel tickets purchased via mobile devices with an Android browser are clear-cut fraud, the company discovered. Safari and Chrome mobile orders are significantly safer, with fraud rates of 0.9 percent and 1.2 percent, respectively.

By using browser detection, you can prevent users from using your website through unsafe mobile browsers and urge them to use the mobile app or a safe and updated version of the browser.
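Browser detection of the kind the paragraph describes, as an added example rather than code from the article: the User-Agent header is classified into a browser family, and checkout policy redirects the Android stock browser (and, as an assumed extra rule, Chrome builds older than a configurable version) toward the app or an updated browser. The sample User-Agent strings are constructed from the well-known formats of these browsers, and `MIN_CHROME_MAJOR` is an assumed value, not one the article gives. The distinguishing signal used here is that the stock browser carries a `Version/` token and `Safari/` but no `Chrome/` token.

```python
import re
from typing import Optional

# Assumed policy value (not from the article): Chrome majors below this count as outdated.
MIN_CHROME_MAJOR = 80

# Constructed sample headers, modelled on the well-known formats of each browser.
SAMPLE_USER_AGENTS = {
    "android_stock": "Mozilla/5.0 (Linux; U; Android 4.1.2; en-us; GT-I9300 Build/JZO54K) "
                     "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
    "chrome_android": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/87.0.4280.101 Mobile Safari/537.36",
    "old_chrome_android": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5) AppleWebKit/537.36 "
                          "(KHTML, like Gecko) Chrome/55.0.2883.91 Mobile Safari/537.36",
    "safari_ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 "
                  "(KHTML, like Gecko) Version/14.0 Mobile/15E148 Safari/604.1",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36",
}


def _major_version(ua: str, pattern: str) -> Optional[int]:
    """Extract the major version captured by `pattern`, or None if absent."""
    m = re.search(pattern, ua)
    return int(m.group(1)) if m else None


def classify_browser(user_agent: str) -> dict:
    """Map a User-Agent string to a browser family and major version (mobile focus)."""
    ua = user_agent or ""
    if "Android" in ua:
        if "Chrome/" in ua:
            return {"family": "chrome", "major": _major_version(ua, r"Chrome/(\d+)")}
        if "Firefox/" in ua:
            return {"family": "firefox", "major": _major_version(ua, r"Firefox/(\d+)")}
        if "Version/" in ua and "Safari/" in ua:
            # Stock Android browser: WebKit-based, has Version/x.y but no Chrome/ token.
            return {"family": "android_stock", "major": _major_version(ua, r"Version/(\d+)")}
        return {"family": "other_android", "major": None}
    if "iPhone" in ua or "iPad" in ua:
        if "CriOS/" in ua:   # Chrome on iOS identifies itself with CriOS/
            return {"family": "chrome_ios", "major": _major_version(ua, r"CriOS/(\d+)")}
        if "Version/" in ua and "Safari/" in ua:
            return {"family": "safari", "major": _major_version(ua, r"Version/(\d+)")}
        return {"family": "other_ios", "major": None}
    return {"family": "desktop_or_unknown", "major": None}


def checkout_policy(user_agent: str) -> dict:
    """Decide whether mobile checkout proceeds or the user is sent to the app / an updated browser."""
    info = classify_browser(user_agent)
    if info["family"] == "android_stock":
        return {**info, "action": "redirect",
                "reason": "Android stock browser is not permitted for checkout; offer the app or Chrome"}
    if info["family"] == "chrome" and info["major"] is not None and info["major"] < MIN_CHROME_MAJOR:
        return {**info, "action": "redirect", "reason": "outdated Chrome; ask the user to update"}
    return {**info, "action": "allow", "reason": "browser permitted"}
```

User-Agent strings are client-controlled, so this check steers honest users toward safer software rather than stopping a determined fraudster; treat the browser family as one signal among several in your fraud scoring, not as a gate on its own.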

Also, some users fail to protect their devices through lock screen PIN codes or fail to install phone recovery or remote wipe apps, which can protect them in case their devices are stolen or lost. Posting general tips and guideline notifications can remind users of good mobile habits.


Mobile Fraud Tactics and Habits

Fraudsters are always looking for techniques to hide their traces and identities. In the mobile payment world, fraud has its own specific traits. One of the tactics fraudsters prefer is the use of "burner phones," which are cheap, prepaid mobile phones that can be purchased for as little as $20 in cash and disposed of after use. These devices can sometimes be tracked through reverse number checking, but it's a difficult process.

Professional fraudsters will also use proxy IPs to hide their real location. Amateur crooks, however, are more likely to use devices that are linked to previous fraudulent transactions. Thus, if you have a database of devices used for previous fraud activity, you can trace and block them.

Also worth mentioning is that mobile fraud happens more at card-not-present portals than card-present mobile point-of-sale systems, such as Square and Intuit GoPayment.

Data Analysis Is Key

The key to preventing mobile payment fraud is to gather, analyze, and corroborate data. In this regard, mobile apps and devices provide a wealth of information, and when that information is combined with historical, regional, and technical trends, merchants can make sure they detect and block fraudulent transactions without creating false declines and turning down real, loyal customers.
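An added example, not the article's or any vendor's code, covering both the device-history database from the previous section and the corroboration principle here: past transactions are recorded against a device identifier, and a new transaction is scored from several signals (device tied to confirmed fraud, one device spread across many accounts, proxy IP, stock Android browser, high ticket) with a review band so that a single weak signal never causes a false decline. The `device_id` field, the `proxy_ip` lookup result, and all weights and thresholds are assumptions; the sample transactions are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    account_id: str
    device_id: str    # app-generated install/device identifier (assumed to exist)
    browser: str      # "app", "chrome", "safari", "android_stock", ...
    proxy_ip: bool    # result of an IP-reputation lookup (assumed)
    amount: float


class DeviceHistory:
    """Tracks devices tied to confirmed fraud and which accounts each device has used."""

    def __init__(self):
        self._fraud_devices: set[str] = set()
        self._accounts: dict[str, set[str]] = defaultdict(set)

    def record(self, txn: Transaction, confirmed_fraud: bool = False) -> None:
        """Store a settled transaction; mark the device when the charge was confirmed fraudulent."""
        self._accounts[txn.device_id].add(txn.account_id)
        if confirmed_fraud:
            self._fraud_devices.add(txn.device_id)

    def known_fraud_device(self, device_id: str) -> bool:
        return device_id in self._fraud_devices

    def accounts_seen(self, device_id: str) -> int:
        return len(self._accounts.get(device_id, ()))


# Assumed weights: one strong signal (prior fraud on this device) is decisive on its own,
# weaker signals only add up to a decline when several corroborate each other.
def risk_score(txn: Transaction, history: DeviceHistory) -> tuple[int, list[str]]:
    signals = []
    if history.known_fraud_device(txn.device_id):
        signals.append(("device linked to confirmed fraud", 60))
    if history.accounts_seen(txn.device_id) >= 3:
        signals.append(("device used by many accounts", 25))
    if txn.proxy_ip:
        signals.append(("proxy / anonymised IP", 20))
    if txn.browser == "android_stock":
        signals.append(("Android stock browser", 15))
    if txn.amount >= 500:
        signals.append(("high ticket amount", 10))
    return sum(weight for _, weight in signals), [name for name, _ in signals]


def decide(score: int) -> str:
    """Three-way outcome: decline, manual review, or accept. Assumed thresholds."""
    if score >= 60:
        return "decline"
    if score >= 30:
        return "review"
    return "accept"


if __name__ == "__main__":
    history = DeviceHistory()
    # Constructed history: a chargeback was confirmed on device dev-A.
    history.record(Transaction("t0", "acct-9", "dev-A", "chrome", False, 40.0), confirmed_fraud=True)
    for txn in (
        Transaction("t1", "acct-1", "dev-A", "chrome", False, 25.0),          # same device again
        Transaction("t2", "acct-2", "dev-N", "android_stock", False, 25.0),   # one weak signal only
        Transaction("t3", "acct-3", "dev-N", "android_stock", True, 800.0),   # several weak signals
    ):
        score, reasons = risk_score(txn, history)
        print(txn.txn_id, score, decide(score), reasons)
```

The review band is what protects loyal customers: a shopper on an old Android browser is accepted unless other signals line up, while a device already tied to a chargeback is declined regardless, matching the article's point that amateur fraudsters reuse devices.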

An example is Riskified's ecommerce fraud prevention service. It plugs into most ecommerce platforms and analyzes transactions seamlessly, without causing friction. The solution uses multiple real-time analytics and artificial intelligence technologies to detect fraudulent activity patterns and indicates whether transactions should be declined as fraud or accepted as legitimate.

With false declines accounting for bigger losses than fraud itself, having a solution that can detect fraud in a frictionless manner can help increase your bottom line while improving a customer’s experience.

Ralph Tkatchuk