First Published on 12th July, 2017
Ai Editorial: A variety of tools and techniques are being used to combat fraud in the mobile channel, but is it enough? Ai’s Ritesh Gupta explores
Mobile commerce demands planning on several counts and one of them is dealing with the malice of fraud.
As much as mobile apps and now even chatbots are ready to facilitate transactions without any hiccup, the risk of fraud can’t be taken lightly or handled just as the way web-based transactions are being managed. And it is imperative for airlines, OTAs etc. to ensure mobile users’ need for speed or overall experience isn’t perturbed while hitting the breaks on fraud.
Mobile fraud is challenging to merchants as transactions that are made through mobiles collect less information than web transactions. Merchants need to explore various areas - Is low use of 3D Secure still a major issue? How much malicious apps are of a concern? If existing fraud rules aren’t fully suited to the mobile channel, how does it impact the risk associated with a transaction? Is the risk of blocking genuine customers higher in case of mobile? Is it true that relatively higher costs are incurred in case of mobile such as greater chargeback rates, lengthier time for manual reviews etc.? All issues need to be dealt with without optimizing the user experience.
According to Kount’s Mobile Payments & Fraud: 2017 Report, merchants “earning more than $500 million annually were much more likely to say being able to detect mobile devices was “Very Important” relative to merchants with annual revenue of less than $5 million, at 61 versus 35%”. This year, the fraud prevention tools, techniques and services used most by merchants to prevent fraud in the mobile channel were card security codes or checking the CVV (58%), AVS (46%), fraud scoring (48%), device ID (38%), velocity checks (35%) and a complete fraud platform (47%).
Dealing with risk
Here we assess what’s being recommended to lower the risk of mcommerce fraud:
1. Be informed about mobile behavior: It is vital to recognize or spot anomalous behavior in order to combat fraud. Also, declining of genuine orders, too, can be an issue if behaviour related to mobile usage isn’t considered. For instance, it is important to consider logging onto multiple devices and also mobility of the device. Since mobile users can transact on the move, then how to plan for rules based on IP geo-location criteria. Another aspect about usage is related to the time of the use. According to CyberSource, rules generally identify specific times of the day as more risky than others. So a rule may indicate that an order placed from a local IP address comes at a certain time slot. But what if an order comes via a mobile device at a completely different time. So such dissimilar patterns of use need to be scrutinized.
Travel companies also need to take into consideration hardware and operating systems. For instance, some shoppers still use lower-end devices.
2. Count on data: Data analysis is integral to any fraud detection initiative. When it comes to new technologies, there are supplementary fields or information required to complete a pertinent analysis. Otherwise, fraud exposure may go up. User data garnered during various interactions can improve fraud prevention, for instance, fraudsters rely on older versions of an app to make the most of gaps in security. More specifically, behaviour is also an indicator - swiping or typing? Filling information steadily or erratically?
Another aspect is customising and acting on e-commerce data specifically related to the digital assets of airlines. For instance, considering that each airline’s ecommerce website is unique, the data strategy deployed must be different and customised. It is important to work with airlines and help them utilise all the data that is available on their website. What is being done for airlines’ mobile sites or apps?
Overall, with more options to pay such as mobile or NFC, expect new ways of fraud to appear. It is crucial for the industry to move closer to active monitoring by featuring big data user and entity analytics to evaluate the shopper behaviour behind each payment that comes through. As a majority of fraud acts result from a synchronized attempt from one script, automated to optimize the number of hits in the least amount of time possible, they will leave behind a pattern that can only be detected by understanding user behaviour. Even as new forms of payments become popular and mainstream, active surveillance will be more relevant (rather than static defence) and effective in dealing with fraudsters.
As for machine learning, it has to be ensured that an airline doesn’t only look at predictive analytics. It enables one to predict future fraud based on historical data. There is a need to incorporate pattern recognition, so even without any prior historical data, the machine is able to detect patterns across different transactions and diagnose if the transaction exhibited bot behaviour or human behaviour. Combined with pattern recognition, the system draws patterns (for both positive and negative behaviour) to map the DNA profile of the user.
As for efficacy of machine learning, it is highlighted that the data must be accurate and the rules must be set properly for it to work.
3. Verification method: It is vital to assess what sort of consumer verification method, say what is being supported by the card networks, when assessing transactions originating from mobile devices. A mechanism is needed to authenticate the user. With which methods users wouldn’t have to worry about typing-in all of their cardholder information for each purchase? If the authentication method is too stringent, it can result in abandonment. But with poor security comes the threat that unauthorized users might make purchases. So in case of iOS, how safe are Touch ID or the device passcode as a device authentication option? What is the role of more conventional means such as PIN, signature for transactions in stores, or 3D Secure for transactions within apps? What is the liability for the fraud? For instance, in case of biometric fingerprint technology being used to authorize a transaction, is the fingerprint attached a compelling evidence in the merchant’s favour in the event of friendly fraud? There needs to be balance between streamlining the process and encouraging customers to buy without first thinking through a purchase. As a result, this could lead to buyer’s remorse, which could mean returns or even chargebacks at a later date.
Also, going by my personal experience, the two-factor authentication (2FA) can be time consuming. Yes, it is a security feature that gives additional security by adding a second-level authentication to access a particular account. But if one gets stuck, it results in disappointment. For instance, as I updated by account details for a subscription-based anti-virus service, the request for a code via SMS didn’t work as it called for another mobile number, whereas the option of downloading an app is always cumbersome as I can never remember by iOS app store password!
Also, as highlighted by Chargebacks911, biometric authorization isn’t a solution on its own for anti-fraud initiative, and there are few pieces of evidence more compelling than a fingerprint or facial scan to suggest that a cardholder did authorize a transaction.
It is recommended that e-commerce organizations need to rely on dynamic threat data to evaluate device health, location of the consumer and irregularities that may indicate fraud—in real time.
With dynamic, digital identity based authentication, airlines can better shield their shoppers’ logins and transactions.
As for the traditional approach of 3D Secure, a major issue has been transactions via mobile. Among the latest developments, 3D Secure 2.0 is being termed as a potential boost for digital commerce with quick, secure authentication, propelled by robust fraud-related intelligence. It strengthens the quality of real-time predictive risk scoring for both merchants and issuers. The new specification that would support app-based authentication and there would be integration with digital wallets, too. Early adoption of the new specification is scheduled to begin in the second half of this year.
4. Rules: Importantly, specialists point out that uniqueness of the mobile channel be it for the way shoppers use their devices or data associated results in differences in fraud rules – especially with the goal of curtailing automatic review or declining of real payments via mobile.
Rules worked out for mobile must rely on the data that can be collected, the behavioral patterns and fraud trends that are deemed to be relevant. Organizations are recommended to collect information about the device type and operating system, as well as mobile chargeback, rejection and review rates.
Airlines have been relying on testing the efficacy of rules on specific transaction types without having to wait for those transaction types or periods to occur in future.
Discuss and learn about emerging developments at the upcoming 6th Airline & Travel Payments Summit Asia-Pacific, to be held in Bali this year.
Dates: 29 – 31 August, 2017.
Follow Ai on Twitter: @Ai_Connects_Us