The merchant’s role in mobile fraud
As more merchants launch apps and mobile-friendly websites, payments industry observers believe retailers could be inadvertently exposing themselves and their customers to fraud as the mobile channel becomes more integral to the overall shopping experience.
In early 2015, LexisNexis Risk Solutions released a report that found the share of revenue that mobile commerce merchants lost to fraud spiked 70 percent in 2014, to 1.36 percent compared with 0.80 percent in 2013.
The study results also showed m-commerce merchants accept an average of 4.5 payment channels, significantly more than the 2.6 channels accepted by all merchants. Those companies have more fraud exposure than other types of retailers.
One contributing factor to fraud exposure is that merchants unintentionally sacrifice security when they rush to market with a strategy to take advantage of current consumer shopping trends, which now are more focused on the mobile experience than ever before.
“The mobile channel is new for a lot of merchants and creates a different level of complexity and a different set of fraud signals than what you get from traditional e-commerce transactions,” Aaron Press, LexisNexis Risk Solutions director for ecommerce and payments, told Mobile Payments Today in an interview.
“As the merchant community begins to recognize different signs in the fraud exposure from the mobile channel and begins to account for that in their fraud models, I believe that it can be brought into line,” he said.
The most eye-popping stat from LexisNexis’ report was that more than one-fifth (21 percent) of all fraudulent transactions are attributed to the mobile channel, which is disturbing because the number of transactions occurring through m-commerce channels is still low for the average m-commerce merchant.
In 2014, 14 percent of all transactions were accepted via m-commerce channels.
The merchant issue
While the card brands continue to launch and push new e-commerce security initiatives, Press believes the current mobile fraud dilemma starts and ends with merchants.
“For the most part, the more sophisticated merchants have made a higher level of investment and understand the basics and implemented some kind of a tool or in-house process [for detecting mobile fraud],” Press said. “Even at that basic level, merchants need to understand the difference in mobile transactions. It’s not like the tools don’t exist.”
Mobile-fraud exposure can be more prevalent with small merchants, but Press said there are still many large merchants who are not prepared for the vulnerabilities that come with the mobile channel.
“You often get some large merchants who put an app out there, or build a mobile-optimized site, and then they haven’t figured out all the exposures that come with that, and that’s even the case with some multichannel merchants,” he said. “They put out a mobile app and they expect people to shop from it and it turns out that their mobile app becomes a fraud magnet.
“Every time there’s a new app out there, a fraudster sees a new angle to try and expose it.”
The payments industry saw some of this recently with Apple Pay, though the fraud issue had nothing to do with the actual payment system.
Cherian Abraham, a payments analyst who works with Experian, sent the industry into a tizzy two months ago when he said 6 percent of Apple Pay transactions were being completed with stolen credit cards.
In a rush to make sure their cards were compatible with Apple’s new toy, many issuers did not set up proper on-boarding protocols to confirm an Apple Pay user’s identity. While some industry pundits downplayed Abraham’s claims, his findings did show how a system touted as the most secure mobile payment method in the market could have a security flaw somewhere in the process.
That said, Apple’s combination of the secure element, biometrics and tokenization for Apple Pay is sure to be something others mimic.
Even before Apple Pay was a thing, the card networks were in the process of developing their own ways to combat online and mobile fraud.
Since then, MasterCard and Visa each have pushed their respective digital wallets as a way for consumers to shop online and in apps without the need for entering card details.
American Express late last year announced the launch of its token service that eliminates the need for merchants and digital wallet providers to store consumers’ sensitive account information in their systems.
“The good news is that the brands are taking this quite seriously and they’re not particularly happy with the level of fraud they see, and they’re taking measures to change this,” Andrew McLennan, president of Inside Secure, told Mobile Payments Today in an interview.
“Obviously, there’s tokenization. What’s coming very shortly is tokenization backed by robust controls on the device for theft. You’ll also see personalization happening, so when you enter your credit card information onto the device, the token will be personalized to you.”
Another aspect of the card brands’ push for increased mobile and online security that is sometimes overlooked is EMV.
While chip cards make it more difficult for fraudsters to clone cards for use at the physical point of sale, EMV does not protect against online fraud. Every country that migrated to chip cards saw increased online fraud.
The U.S. will be no exception as it faces its own EMV transition.
“The brands are very invested in trying to get ahead of the curve,” McLennan said about the U.S. EMV migration. “They’re expending lots of time and lots of effort in doing so, and we’ve been very privileged to have conversations with them and see some of the thinking.
“The whole idea is that all of online commerce moves to some form of tokenization, basically reducing the idea of the large breach where the personal information is compromised, and that’s a large part of what Visa and MasterCard are trying to do.”
While the onus of mobile security will continue to be on merchants, they can breathe a little easier knowing the card brands will be with them every step of the way.