Adapting Your Defenses for m-commerce Fraud
Table of Contents
- What Is M-commerce?
- What Is M-commerce Fraud?
- What Are the Most Common Types of Mobile Fraud?
- What Are the Important Differences Between M-commerce and E-commerce?
- How Can Merchants Prevent M-commerce Fraud?
We’re a long way from the days when home computers had their own dedicated spaces and furniture, when it wasn’t uncommon to convert an unused office or spare bedroom into a “computer room.” Nowadays, many people no longer own their own desktop computers at all, instead having all their personal computing and internet needs met by smartphones and other mobile devices.
Of course, wherever customers go, fraudsters will follow. Mobile shopping fraud, or m-commerce fraud, has emerged as a distinct and widespread threat to online retailers. What sets m-commerce fraud apart from regular e-commerce fraud, and how can merchants protect themselves from mobile-savvy fraudsters?
What Is M-commerce?
Mobile shopping is estimated to make up roughly 45% of the domestic e-commerce market, driven by younger shoppers who have grown up with smartphones and supported by advances in mobile shopping and marketing technology that can allow shoppers to make a purchase with a single tap. This trend is also self-reinforcing. As more merchants make mobile-friendly websites and apps for customers to shop with, more customers will be drawn to m-commerce.
Many merchants have been eager to embrace m-commerce since it provides yet another channel for sales revenue and increases their reach to digital shoppers who prefer handheld devices to desktop computers.
While ownership of personal computers in the United States has leveled off at around three-quarters of the adult population, more than 90% of US adults born after 1965 own a smartphone. That means that the total possible market for m-commerce is actually greater than that for computer-based e-commerce, even if actual use hasn't quite caught up yet.
E-commerce merchants who don't ensure purchases are just as easy to make on mobile devices as they are on computers may be missing out on a significant segment of the market.
The downside of this growth in m-commerce is that fraud always follows the money, and fraudsters have set their sights on this emerging market. The technologies and behaviors that drive m-commerce are newer and less developed than those in the world of desktop-oriented e-commerce, which gives fraudsters different vulnerabilities to exploit.
The best practices for e-commerce fraud prevention don’t always map perfectly to a mobile environment, which means that merchants need separately optimized anti-fraud strategies for each channel.
What Is M-commerce Fraud?
This is often accomplished through the use of stolen credit card numbers or login information. Online fraud not only victimizes the cardholder whose account was compromised, but also the merchants with whom the fraudster made their illicit purchases.
When a cardholder’s payment card is used without their authorization, they have the right to request a chargeback. They contact their bank to dispute the charge, and if the bank believes the dispute is likely legitimate, they file a chargeback. The transaction amount is debited from the merchant and the cardholder is issued a temporary credit, which becomes permanent when the matter is resolved.
This leaves the merchant liable for the fraudulent charge, the cost of the goods they provided to the fraudster, and all the fees—including chargeback fees—incurred during the transaction.
Fraud is a very expensive problem for merchants, made worse by the fact that excessive fraud and chargebacks can get merchants penalized or dropped by their payment processors.
Out of necessity, many merchants have implemented multilayered anti-fraud defenses on their e-commerce sites. When they expand into mobile-friendly environments, they often find that those defenses don’t function as effectively.
What Are the Most Common Types of Mobile Fraud?
Account takeover fraud is frequently seen in m-commerce, especially when merchants don’t implement strong login security for their mobile sites and apps.
If a site or app allows users to make weak, easily guessed passwords, a certain percentage will do so, making themselves easy prey for fraudsters. Even strong passwords can be compromised by data breaches when customers use the same one across multiple sites.
A unique vulnerability of m-commerce is the fact that device theft often leads to account theft. If a device is left unlocked, a fraudster can steal it and immediately access any accounts that the victim is still logged into or has saved passwords for. Even if an account uses two-factor authentication, common second factors such as text messages, emails, and authenticator apps can all be accessed using the stolen phone.
True fraud, where a fraudster attempts to make a payment with a stolen credit card, is also very common. If blocked from making a purchase on the desktop site, some fraudsters may try the merchant’s mobile site or app instead. An app might use different fraud filters than a website, and a website might not have access to the same data on a phone that it does on a computer.
Merchants also see a lot of friendly fraud resulting from m-commerce. Some of the unique features of mobile shopping, such as “one-click” purchasing and in-app purchases, are frequently cited by friendly fraudsters claiming that they placed an order by mistake.
What Are the Important Differences Between M-commerce and E-commerce?
Mobile shoppers have different purchasing habits than shoppers on desktop sites. If they’re more likely to buy impulsively, that also means that their purchases are likely to be on the smaller side. Many merchants find that their customers still prefer desktop sites for major, expensive purchases.
Catering to the behaviors of your mobile customers often means enabling quick, seamless, impulse-friendly transactions that demand minimal input from the customer and can be processed quickly. In other words, you can’t subject transactions to rigorous anti-fraud screening and still give mobile customers as fast and frictionless a shopping experience as they might want.
Legitimate mobile shoppers frequently display a lot of the same fraud indicators that screening tools look for in desktop environments.
Velocity checking, for example, might flag multiple consecutive transactions from the same device. That's a common indicator of card testing in a desktop environment, but it's often fairly normal behavior for a mobile customer.
IP addresses are another big one. Many anti-fraud tools find it suspicious when a customer visits from different unrelated IP addresses, but that’s exactly what mobile users are doing when they move from one Wi-Fi network to the next. Even AVS can get thrown off by mobile users, as they tend to be younger and more likely to move around frequently, and they don’t always update their billing address information on time.
How Can Merchants Prevent M-commerce Fraud?
For merchants, the challenge with m-commerce fraud is to tighten security in the necessary places without creating such a cumbersome mobile experience that customers go elsewhere. Filters that rely on IP addresses should be adjusted for mobile traffic, since device fingerprinting is a more reliable way of tracking customer identity.
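The sketch below is an added example, not code from the original article. It applies a velocity check keyed on the device fingerprint with separate rule sets per channel, so the same constructed traffic can be scored under desktop and mobile rules. The thresholds, field names, and the use of distinct card tokens per device as the mobile card-testing signal are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    ts: int          # seconds since start of sample
    channel: str     # "desktop" or "mobile"
    device_id: str   # device fingerprint (assumed supplied by a fingerprinting layer)
    ip: str
    card: str        # card token, never a raw card number

# Assumed per-channel thresholds; tune them from your own fraud and chargeback data.
RULES = {
    "desktop": {"window": 600, "max_txns": 3, "max_ips": 2, "max_cards": 2},
    # Mobile: tolerate bursts of small purchases and ignore IP changes entirely.
    "mobile": {"window": 600, "max_txns": 8, "max_ips": None, "max_cards": 2},
}

def flag_devices(txns, rules=RULES):
    """Return {device_id: sorted reasons} for devices that break their channel's rules."""
    by_device = defaultdict(list)
    for t in sorted(txns, key=lambda t: t.ts):
        by_device[t.device_id].append(t)
    flagged = {}
    for dev, items in by_device.items():
        reasons = set()
        for i, last in enumerate(items):
            r = rules[last.channel]
            # Sliding window ending at the current transaction.
            win = [t for t in items[: i + 1] if last.ts - t.ts <= r["window"]]
            if len(win) > r["max_txns"]:
                reasons.add("txn_velocity")
            if r["max_ips"] is not None and len({t.ip for t in win}) > r["max_ips"]:
                reasons.add("ip_churn")
            if len({t.card for t in win}) > r["max_cards"]:
                reasons.add("card_churn")
        if reasons:
            flagged[dev] = sorted(reasons)
    return flagged

# Constructed sample: a mobile shopper hopping networks, and a device cycling card tokens.
SAMPLE = (
    [Txn(i * 60, "mobile", "dev-shopper", f"198.51.100.{i + 10}", "tok_A") for i in range(5)]
    + [Txn(i * 30, "mobile", "dev-tester", "203.0.113.7", f"tok_{i}") for i in range(4)]
)

def as_desktop(txns):
    """Re-label the sample as desktop traffic to show what desktop rules would do."""
    return [Txn(t.ts, "desktop", t.device_id, t.ip, t.card) for t in txns]
```

Under the mobile rules only the card-cycling device is flagged; scoring the same traffic with `flag_devices(as_desktop(SAMPLE))` also flags the legitimate shopper for velocity and IP churn.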
Merchants have a lot of options for preventing account takeover, such as enabling two-factor authentication, requiring strong passwords, and forcing timed logouts. You can also ask customers to opt in to push notifications that alert them to orders and account changes.
While SMS-based two-factor authentication isn't effective for stolen devices, biometric authentication such as fingerprint scanning can still prevent unauthorized purchases.
By analyzing data from fraud and chargebacks that originated from mobile transactions, you may be able to identify the specific vulnerabilities that cause the most problems for your business. Analyzing friendly fraud chargebacks can tell you what transaction data you need to capture to present as evidence when fighting similar chargebacks in the future.
M-commerce fraud may just be the same old tricks with a slight twist in the delivery, but merchants who don’t adapt their defenses to the small differences may find themselves blocking legitimate customers while allowing fraudsters to waltz on in. Your mobile fraud prevention plan can’t just be a cut-and-paste job; it needs separate analytics to determine the threats it faces and defenses specifically tailored to meet those threats.