
In rush to mobile market, merchants vulnerable to fraud

As the mobile marketplace soars in popularity, merchants are being bombarded with the message that, if they don't build mobile sites, their customers will leave them behind.

Yet in their eagerness to adapt, many merchants aren't being as cautious as they should be - and their mobile sites have become a target for hackers.

With rapid growth, fraud detection is compromised
In 2010, marketing intelligence company ABIresearch called the popularity of mobile shopping "nothing short of phenomenal." Between 2008 and 2009, the value of mobile purchases roughly tripled. E-commerce (on mobile and traditional websites) is currently growing at a 20 percent yearly clip, according to a March 2012 PaymentsSource article -- and, each day, more of those transactions are moving to mobile devices.

With growth this rapid, there are going to be hiccups. Merchants are putting up mobile versions of their sites as quickly as possible to remain competitive. And that means many aren't taking the time to ensure their mobile sites are fortified against attempts to make fraudulent transactions and steal customer credit card data, according to PaymentsSource. Testing a mobile site for immunity to fraud takes time - time merchants worry might cost them business.

How hackers are getting in
Hackers are identifying merchants' mobile sites as easy targets, according to Internet Retailer Magazine. Merchants have had the better part of a decade to perfect their desktop websites and learn how cyber criminals can compromise them. Mobile sites, which are only a few years old, have proven to be a game-changer.

For one thing, mobile transactions are vastly different from desktop transactions. A desktop computer is stationary. Therefore, merchants can use internet protocol (IP) geolocation to know where that computer is. If a transaction is coming from a location that is notorious for fraud, the transaction can be flagged for further review. According to Internet Retailer, geolocation is one of the top tools merchants have relied on to detect fraud.

Mobile transactions, however, defy geolocation. Mobile users are on the move -- and a mobile device's "location" is therefore constantly changing. Because the merchant's fraud detection software can't get a read on where the device is, it doesn't know whether the purchase should be flagged as suspicious.

Another threat is what's called "emulation." Online merchants have long since developed formulas that let them measure the patterns of those shopping on desktop computers. These formulas flag purchases that are out of the norm, and these transactions are investigated to see whether they are legitimate -- or if they are being performed by a thief using someone else's stolen card data. Merchants, however, haven't yet been able to measure the patterns of mobile shoppers -- so mobile transactions are less likely to be labeled as "suspicious."

Thieves know this and have found ways to make desktop computers emulate mobile devices -- so that the merchant's anti-fraud software thinks the transaction is originating from a smartphone. Because the merchant's anti-fraud software does not have the refined ability to detect suspicious mobile transactions, the thief can fly under the radar -- even though that same transaction would have raised red flags if the merchant knew it was coming from a desktop.
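The screening gap described above, as an added example that is not from the article or from any vendor's product: a screen that has no mobile rules lets a client-reported "mobile" label skip review, while a hardened screen treats that label as untrusted, keeps the existing rules in force, and flags a label that disagrees with other client signals. The field names, the threshold, the placeholder country codes and the two client signals (touch_points, screen_width) are all assumptions made for illustration.

```python
from typing import NamedTuple

# Constructed values for illustration only.
HIGH_RISK_COUNTRIES = {"XX", "YY"}  # placeholder country codes
PATTERN_MULTIPLE = 5                # order this many times the customer's average is out of pattern

class Transaction(NamedTuple):
    claimed_device: str        # "mobile" or "desktop", as reported by the client
    ip_country: str            # result of IP geolocation
    order_total: float
    customer_avg_order: float
    touch_points: int          # hypothetical client-side signal
    screen_width: int          # hypothetical client-side signal, in CSS pixels

def desktop_rules(tx):
    """The mature checks the article describes: geolocation and purchase pattern."""
    flags = []
    if tx.ip_country in HIGH_RISK_COUNTRIES:
        flags.append("geo-risk")
    if tx.order_total > PATTERN_MULTIPLE * tx.customer_avg_order:
        flags.append("out-of-pattern")
    return flags

def naive_screen(tx):
    """Weak: no mobile rules exist, so a 'mobile' label bypasses screening."""
    if tx.claimed_device == "mobile":
        return []
    return desktop_rules(tx)

def device_claim_consistent(tx):
    """A 'mobile' label should agree with the other signals the client reports."""
    if tx.claimed_device != "mobile":
        return True
    return tx.touch_points > 0 and tx.screen_width <= 1024

def hardened_screen(tx):
    """The device label never lowers scrutiny; a mismatch is itself a flag."""
    flags = desktop_rules(tx)
    if not device_claim_consistent(tx):
        flags.append("device-claim-mismatch")
    return flags

# Constructed sample: labelled "mobile", but the other signals look like a desktop.
SUSPECT = Transaction("mobile", "XX", 900.0, 60.0, touch_points=0, screen_width=1920)
# Constructed sample: an ordinary purchase from a phone.
ORDINARY = Transaction("mobile", "US", 50.0, 60.0, touch_points=5, screen_width=390)

if __name__ == "__main__":
    for tx in (SUSPECT, ORDINARY):
        print(naive_screen(tx), hardened_screen(tx))
```

The client-side signals can themselves be falsified, so the mismatch check is a supplement; the protection comes from never letting the device label switch the other rules off.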

Yet another problem, according to PaymentsSource, is that mobile shopping apps are so new that merchants may not fully understand how they work. For example, merchants may not understand how the app is storing consumer data and cardholder information. They therefore might not know how to protect it -- and might not even know if a thief has gotten ahold of this valuable information.

How merchants can protect themselves - and customers
The speed of mobile development is outstripping current industry data-protection standards. It's no longer acceptable for a merchant to assume that being PCI-compliant is enough.

Beyond spending more money and dedicating more resources to detection and prevention of fraud, an industry expert interviewed by PaymentsSource recommends getting information technology experts more involved in fraud screening. Instead of relying on customer service to track and verify transactions, and relying on IT to strengthen the defenses, merchants should consider letting IT take the reins on both fronts. That way, IT can use what it turns up in fraud screening to improve the mobile site's fraud prevention tools.

Upping their defenses will cost merchants time and money. Yet merchants have good reason to invest in getting mobile fraud under control - because reducing fraud and the costs associated with it will only add to the bottom line.


Published: April 9, 2020
