Omnichannel fraud fight requires at least some silos
The ability for consumers to shop and pay from a mobile device is causing organizations to quickly find new opportunities to engage consumers and secure their loyalty.
The financial benefits are obvious. Javelin predicts that the value of mobile retail payments in the U.S. will exceed $220 billion in 2017.
But organizations must also brace for a new wave of fraud, as fraudsters look for new ways to exploit these newer types of transactions as they become more and more mainstream.
A recent research report from LexisNexis shows that mobile fraud is growing at a rate 3 to 4 times faster than for brick and mortar-only merchants. It also confirms that fraud is costing organizations more on the mobile channel than online and brick and mortar fraud.
According to the report, omnichannel merchants—those merchants doing business across both brick and mortar and digital channels—incur fraud more often and more expensively than brick and mortar-only merchants.
If you’re an omnichannel merchant, it’s critical to analyze fraud separately across your brick and mortar, online and mobile channels, in order to focus your information security resources where they are most needed.
Yet, with such a varied range of transaction channels and ways to pay available, the need for information security teams to slice and dice information for analysis can be overwhelming. As a result, many organizations end up spreading their security resources very thin, making the sum of their fraud prevention efforts seem ineffective and more costly.
It is interesting to note that some of the more advanced security technologies available for protecting mobile transactions are among the least deployed. For example, “device ID fingerprinting” is the third least common solution deployed by large m-commerce merchants.
The figure underscores the breadth of solutions that information security teams must consider. While some solutions have a very specific focus depending on payment method, others can be deployed more broadly.
To best leverage precious security dollars while receiving the maximum benefit, info sec teams should carefully consider those solutions which have the greatest impact over the channels and payment methods most vulnerable to attack. With the current and expected continued growth of mobile, and the accompanying fraud risk, merchants of all sizes conducting business over this channel should consider shifting their security resources accordingly.
Taking a focused approach to understanding where and how fraud is occurring can play a key role toward this end.
According to LexisNexis, omnichannel merchants typically track the cost of fraud by either the payment method used or by the channel used. They rarely track both together. Instead, the report suggests they should track fraud costs by payment method and transaction channel jointly. This will enable them to more fully understand where fraud is occurring most frequently, and the payment methods being exploited at each channel, so they can grasp the true scope—and ultimately, the true cost—of fraud for each channel. Armed with this knowledge, they can deploy the appropriate security resources.
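The difference between separate and joint tracking, as an added example that is not from the article or the LexisNexis report: the incidents, channel names, payment-method names and loss amounts below are constructed. The channel totals and the payment-method totals, read separately, point at a combination that is not where the losses actually concentrate.

```python
from collections import defaultdict

# Constructed fraud incidents: (channel, payment_method, loss_usd).
INCIDENTS = [
    ("store",  "credit_card", 250), ("store",  "credit_card", 150),
    ("store",  "gift_card",    50),
    ("online", "credit_card", 300), ("online", "credit_card", 150),
    ("online", "gift_card",   100),
    ("mobile", "credit_card", 150),
    ("mobile", "gift_card",   350), ("mobile", "gift_card",   250),
]

def losses_by(incidents, *fields):
    """Sum losses grouped by tuple index: 0 = channel, 1 = payment method."""
    totals = defaultdict(int)
    for row in incidents:
        key = tuple(row[f] for f in fields)
        totals[key if len(key) > 1 else key[0]] += row[2]
    return dict(totals)

def worst(totals):
    """Return the key with the highest total loss."""
    return max(totals, key=totals.get)

def compare_views(incidents):
    """Contrast what separate totals suggest with what the joint view shows."""
    by_channel = losses_by(incidents, 0)
    by_method = losses_by(incidents, 1)
    joint = losses_by(incidents, 0, 1)
    # Separate tracking: pair the worst channel with the worst payment method.
    inferred = (worst(by_channel), worst(by_method))
    hotspot = worst(joint)
    return {
        "by_channel": by_channel,
        "by_method": by_method,
        "inferred_from_separate_totals": inferred,
        "inferred_cell_loss": joint.get(inferred, 0),
        "joint_hotspot": hotspot,
        "joint_hotspot_loss": joint[hotspot],
    }

if __name__ == "__main__":
    for name, value in compare_views(INCIDENTS).items():
        print(f"{name}: {value}")
```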
As payments—and the technology to facilitate them—become more sophisticated and increasingly mobile, organizations must consider deploying the latest identification and authentication solutions to prevent the types of fraud most likely to occur there, all while providing a frictionless experience for consumers.
The standard username/password security protocols are no longer good enough for securing mobile transactions. Mobile-enabled organizations need to deploy solutions that offer multi-factor authentication (MFA) as well as capabilities to secure the device itself. Here are some best practices:
Biometrics. Many organizations have added biometric identification to their security lineup as a more secure way to establish the identity of their customers. As an increasing number of manufacturers and devices add biometric capabilities, merchants will likely follow suit. According to a study by Juniper Research, fingerprints are currently the most common form of biometric authentication, and consumers like it.
Permanent Device ID. Biometrics identify the authorized user, but a truly comprehensive mobile security strategy must also secure the device on which the transaction is being performed. A permanent device ID is a way to identify a device and establish the first layer of trust. A mobile phone has thousands of unique identifying attributes that are part of the device itself and can be used to uncover and analyze risk factors that could lead to potentially fraudulent activities.
Having this insight gives organizations the confidence they need to let good customers transact with the least amount of friction, while at the same time identifying devices with high-risk indicators so they can be challenged or denied outright to protect the organization.
A permanent device ID can survive an app uninstall/reinstall as well as operating system upgrades, and it mitigates spoofing attempts. This lets merchants use the device itself as a trusted second factor (something you have), which is an important component of multifactor authentication (MFA). With a permanent ID, you can authenticate your trustworthy customers in a few invisible steps, and risky devices can be challenged or stopped and blacklisted if they are associated with negative activity or fraud.
Real Time Decisioning. A mobile fraud prevention solution with real-time decisioning provides the ability to detect and mitigate risks such as malware, cloaked root/jailbreak status, and the use of spoofing tools, using checks such as application validation and geolocation analysis, to name a few. Determining these risks for a device before it transacts with your organization, and applying additional layers of verification if initial tests are not cleared, helps reduce friction at the point of sale for consumers, while still providing superior security.
The bottom line is this: fraud attacks will continue to evolve and threaten emerging technologies. Yesterday’s security measures aren’t good enough against today’s sophisticated threats, and customers will demand less friction and improved engagement. To make this happen, information security teams must constantly assess the latest payment and channel threats and remain nimble so that precious resources can be deployed where they will have the greatest impact.