Adapting Your Defenses for mCommerce Fraud
We’re a long way from the days when home computers had their own dedicated spaces and furniture, when it wasn’t uncommon to convert an unused office or spare bedroom into a “computer room.” Nowadays, many people no longer own their own desktop computers at all, and get all their personal computing and internet needs met by their smartphones and other mobile devices.
Where consumers go, fraudsters follow, and mobile shopping fraud, or mCommerce fraud, has emerged as a distinct and widespread threat to online retailers. What sets mCommerce fraud apart from regular eCommerce fraud, and how can merchants protect themselves from mobile-savvy fraudsters?
Mobile shopping makes up nearly 45% of the domestic eCommerce market, driven by younger shoppers who have grown up with smartphones and supported by advances in mobile shopping and marketing technology that can allow shoppers to make a purchase with a single tap.
Many merchants have been eager to embrace mCommerce, as it provides yet another channel for sales revenue and increases their reach to digital shoppers who prefer handheld devices to desktop computers.
The downside of this is that fraud always follows the money, and fraudsters have their sights set on mCommerce. The technology and behaviors around mCommerce are newer and less developed than they are in the world of desktop-oriented eCommerce, which gives fraudsters different vulnerabilities to exploit.
The best practices for eCommerce fraud prevention don’t always map perfectly to a mobile context, which means that merchants need separate optimized anti-fraud strategies for both channels.
What is mCommerce Fraud?
mCommerce fraud is simply what eCommerce fraud is called when it takes place on mobile sites and apps. It can refer to any sort of scheme where a fraudster uses theft or deception to make purchases using some unsuspecting victim’s money. This is often accomplished through the use of stolen credit card numbers or website accounts. Online fraud not only victimizes the cardholder whose account was compromised, but also the merchant with whom the fraudster spends their money.
When a cardholder’s payment card is used without their authorization, they have chargeback rights—they can dispute the unauthorized transaction and get their money back. This leaves the merchant liable for the fraudulent charge, the cost of the goods they provided to the fraudster, and all the fees—including chargeback fees—incurred during the transaction.
Fraud is a very expensive problem for merchants, made worse by the fact that excessive fraud and chargebacks can get merchants penalized or dropped by their payment processors.
Out of necessity, many merchants have implemented multilayered anti-fraud defenses on their eCommerce sites. It’s often the case that when they expand their presence into mobile-friendly environments, they find that their defenses don’t function as effectively.
What Types of Fraud are Common in Mobile Environments?
The same schemes seen in eCommerce fraud are common in mCommerce as well, but the differences between the two environments mean that detecting and preventing them doesn’t always work the same way.
Account takeover fraud is frequently seen in mCommerce, especially when merchants don’t implement strong login security for their mobile sites and apps. If a site allows users to make weak, easily-guessed passwords, a certain percentage will do so, making themselves easy prey for fraudsters. Even strong passwords can be compromised by data breaches when customers use the same one across multiple sites.
A unique vulnerability of mCommerce is the fact that device theft often leads to account theft. If a device is left unlocked, a fraudster can steal it and immediately access any mobile site accounts that the victim is still logged into.
True fraud, where a fraudster attempts to make a payment with a stolen credit card, is also very common. Some fraudsters, if blocked from purchasing at a desktop site, may try the merchant’s mobile site instead in case it uses different fraud filters.
Merchants also see a lot of friendly fraud resulting from mCommerce. Some of the unique features of mobile shopping, such as “one-click” purchasing and in-app purchases, are frequently cited by friendly fraudsters claiming that they placed an order by mistake.
How is mCommerce Fraud Different from Other eCommerce Fraud?
Mobile shoppers have different purchasing habits than shoppers on desktop sites. If they’re more likely to buy impulsively, that also means that their purchases are likely to be on the smaller side. Many merchants find that their customers still prefer desktop sites for major, expensive purchases.
Catering to the behaviors of your mobile customers often means enabling quick, seamless, impulse-friendly transactions—the kind that demand minimal input from the customer and can be processed quickly. In other words, you can’t subject transactions to rigorous anti-fraud screening and still give mobile customers as fast and frictionless a shopping experience as they might want.
On the other hand, legitimate mobile shoppers frequently show a lot of the fraud indicators that screening tools look for in desktop environments.
IP addresses are a big one—many anti-fraud tools find it suspicious when a customer visits from different unrelated IP addresses, but that’s exactly what mobile users are doing when they move from one Wi-Fi hotspot to the next. Even address verification (AVS) checks can get thrown off by mobile users, as they tend to be younger and more likely to move around frequently, and they don’t always update their billing address information on time.
How Can Merchants Prevent mCommerce Fraud?
For merchants, the challenge with mCommerce fraud is to tighten security in the necessary places without creating such a cumbersome mobile experience that customers go elsewhere. Filters should be adjusted with respect to IP addresses, with device fingerprinting being a more reliable way of tracking customer identity. Other defenses, such as velocity checking tools, should be just as effective in mobile environments.
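The contrast between an IP-based filter and a device-keyed velocity check can be shown on a small set of transactions. The following is an added example, not code from the original article: the field names, thresholds, and events are constructed assumptions, and `device_id` stands in for whatever identifier a fingerprinting component would supply.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 3600     # assumed sliding window
MAX_IPS_PER_ACCOUNT = 2   # assumed desktop-style threshold
MAX_CARDS_PER_DEVICE = 3  # assumed velocity threshold

def distinct_values_exceeded(events, key_field, value_field, limit):
    """Return keys that showed more than `limit` distinct values in one window."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        window = recent[ev[key_field]]
        window.append((ev["ts"], ev[value_field]))
        # Drop observations that have aged out of the sliding window.
        while ev["ts"] - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        if len({value for _, value in window}) > limit:
            flagged.add(ev[key_field])
    return flagged

def ip_change_rule(events):
    """Desktop-era rule: an account seen from many IPs is suspicious."""
    return distinct_values_exceeded(events, "account", "ip", MAX_IPS_PER_ACCOUNT)

def device_velocity_rule(events):
    """Mobile-aware rule: one device presenting many cards is suspicious."""
    return distinct_values_exceeded(events, "device_id", "card_hash", MAX_CARDS_PER_DEVICE)

def event(ts, account, device_id, ip, card_hash):
    return {"ts": ts, "account": account, "device_id": device_id,
            "ip": ip, "card_hash": card_hash}

# Constructed sample data (documentation IP ranges, made-up identifiers).
SAMPLE_EVENTS = [
    # One shopper, one phone, one card, moving between Wi-Fi hotspots.
    event(0, "alice", "dev-A", "192.0.2.10", "card-a"),
    event(900, "alice", "dev-A", "198.51.100.7", "card-a"),
    event(1800, "alice", "dev-A", "203.0.113.44", "card-a"),
    # One device on a single IP cycling through accounts and cards.
    event(100, "acct-1", "dev-X", "192.0.2.99", "card-1"),
    event(200, "acct-2", "dev-X", "192.0.2.99", "card-2"),
    event(300, "acct-3", "dev-X", "192.0.2.99", "card-3"),
    event(400, "acct-4", "dev-X", "192.0.2.99", "card-4"),
]

if __name__ == "__main__":
    print("IP rule flags:", ip_change_rule(SAMPLE_EVENTS))
    print("Device velocity rule flags:", device_velocity_rule(SAMPLE_EVENTS))
```

On this data the IP rule flags only the legitimate hotspot-hopping shopper, while the device-keyed velocity rule flags only the device cycling through cards.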
Merchants have a lot of options when it comes to preventing account takeover, including enabling two-factor authentication, requiring strong passwords, and forcing timed logouts. You can also ask customers to opt in for push notifications to alert them to orders and account changes.
By analyzing data from fraud and chargebacks that originated with mobile transactions, you may be able to identify the specific vulnerabilities that cause the most problems for your business. Analyzing friendly fraud chargebacks can tell you what transaction data you need to capture to present as evidence when fighting similar chargebacks in the future.
mCommerce fraud may just be the same old tricks with a slight twist in the delivery, but merchants who don’t adapt their defenses to the small differences may find themselves blocking legitimate customers while allowing fraudsters to waltz on in. Your mobile fraud prevention plan can’t just be a cut-and-paste job; it needs separate analytics to determine the threats it faces and defenses specifically tailored to meet those threats.