Eight tips to avoid fraudulent mobile commerce payments
Our insatiable love affair with the mobile device shows no signs of abating, highlighted by recent reports that there will be more mobile devices on earth than people by the end of the year. With one in seven European smartphone users having completed a retail transaction on their mobile phone, many organisations are embracing this lucrative new channel. But engaging with consumers through mobile devices is very different to traditional ecommerce, and as such requires a different approach.
This is especially true when it comes to mobile payments. So, what can organisations do to make sure they get their mobile payment strategy right?
Here, James Hunt provides his top eight tips for organisations wanting to strike the right balance between making it easy for consumers to purchase, while reducing the risk of fraud.
1. Understand new trends in customer behaviour
Historically, ecommerce transactions have been made during core business hours but the widespread use of tablets and smartphones has seen a radical change in consumer buying patterns, with the peak buying time for these types of devices taking place between 8pm and 9pm.
Applying rigid fraud rules outside of normal business hours may impede your mobile strategy and needs to be assessed appropriately. Consumers now use multiple devices at home, and often switch between smartphones, tablets and PCs when purchasing goods. Once you understand your customer, you can then adapt your rules to take into account new personal habits and behaviours.
2. Understand what data isn’t available
Technologies such as IP geolocation have traditionally worked well to track a consumer’s physical location at the time of a purchase, but they can become completely redundant when a mobile device is not connected to a Wi-Fi network. In this instance, the device’s location would show as the mobile operator’s, which isn’t much help if you are attempting to confirm the owner’s location.
3. Understand the device
Device fingerprinting is an incredibly useful way of identifying the PC or laptop that the purchase is being made from. It collects a range of information that can help to determine whether the customer is legitimate, including installed applications, software updates, the time zone of the device and whether features such as JavaScript are enabled on the device.
But device fingerprinting is not as reliable when it comes to mobile devices. Unlike PCs and laptops, limited information can be collected from smartphones and tablets – which makes it difficult to collect the most valuable data. Ensure that you amend and adapt your fraud rules accordingly to account for this.
4. Understand the location
Given the nomadic nature of mobile devices, it can be difficult to pinpoint exactly where a purchase originates from. Capturing the GPS location will certainly help when it comes to comparing details such as billing and shipping address proximities. Wherever possible, try to collect GPS data to enhance your fraud screening rules.
5. Use all data available
If possible, also capture the IMEI and UUID of the mobile device (numbers that uniquely identify the phone). These can be another useful tracking element to compare against addresses or credit card numbers. If you have a device that has made multiple purchases with the same card, then this can represent much lower risk. However, a device that has attempted to use six different cards to conduct a purchase will need further investigation.
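The device-to-card comparison described in tip 5, sketched as a screening rule. This is an added example, not code from the article or from CyberSource; the field names device_id and card_token, the three labels, and reading "six different cards" as "six or more" are assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: six distinct cards on one device triggers review, per the article.
REVIEW_THRESHOLD = 6

# Constructed sample orders. "device_id" stands in for the IMEI/UUID captured at
# checkout; "card_token" is a payment token, never the raw card number.
ORDERS = (
    [{"device_id": "dev-A", "card_token": "tok-1"}] * 3
    + [{"device_id": "dev-B", "card_token": f"tok-{n}"} for n in range(2, 8)]
    + [
        {"device_id": "dev-C", "card_token": "tok-8"},
        {"device_id": None, "card_token": "tok-9"},  # identifier not captured
    ]
)


def cards_per_device(orders):
    """Group orders by device and collect the distinct card tokens seen."""
    seen = defaultdict(lambda: {"cards": set(), "orders": 0})
    for order in orders:
        device = order.get("device_id")
        if not device:
            # Without a device identifier the order cannot be linked to others,
            # so it is left to the other screening rules.
            continue
        seen[device]["cards"].add(order["card_token"])
        seen[device]["orders"] += 1
    return seen


def score_devices(orders, review_threshold=REVIEW_THRESHOLD):
    """Return {device_id: 'review' | 'lower_risk' | 'neutral'}."""
    result = {}
    for device, stats in cards_per_device(orders).items():
        distinct = len(stats["cards"])
        if distinct >= review_threshold:
            result[device] = "review"        # many cards on one device
        elif distinct == 1 and stats["orders"] > 1:
            result[device] = "lower_risk"    # repeat purchases, same card
        else:
            result[device] = "neutral"       # not enough history either way
    return result


if __name__ == "__main__":
    for device, label in sorted(score_devices(ORDERS).items()):
        print(device, label)
```

The same grouping works when orders from the website and call centre are fed into the list alongside mobile orders, which is the comparison tip 6 goes on to recommend.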
6. Segregate orders, but don’t isolate them
Transactions made through mobile devices provide a goldmine of useful information. However, being able to compare these transactions alongside those from your call centre or website is where the real value lies. It can help you spot fraudsters migrating between different channels more quickly.
Take all the data available – or not available – and create a set of rules specific to mobile transactions. Your mobile fraud screening should then feed into the other orders being placed across the business. This will help you to compare their mobile purchasing information against other known data (such as the website or call centre) to detect further discrepancies.
7. It’s all about the data…
How do you know if you are rejecting too many orders? You can’t manage what you can’t measure. You need to be able to collect and analyse your data to make sure your rules are performing to the best of their ability. For instance, are the majority of your rejected transactions coming from mobile devices or call centre transactions? If they are from mobile devices, then perhaps your current rule set needs to be tweaked. Monitor your screening processes and don’t be afraid to make changes.
8. Be flexible, and accept more orders
Historically, the more changes in the data, the riskier the transaction. For instance, if a consumer makes a transaction on three or four different laptops, then further investigation should be carried out. But with consumers now using on average six devices at home, you will need to accommodate changing consumer habits.
When it comes to mobile devices, you’re adding more complexity to your infrastructure. Be prepared to accommodate the plethora of devices available within your fraud screening plans.
James Hunt is associate principal in CyberSource’s managed risk services team.