Mobile wallets: The new fraud frontier

Mobile wallets are enjoying increasing adoption. Payments made via mobile devices in the United States are expected to total $90 billion by 2017, a big jump from the $12.8 billion spent in 2012, according to Forrester Research.

There are two different types of mobile payments. The first type works through contactless technologies such as Near Field Communication (NFC) built into mobile phones. In this case, the payment traverses the merchant’s POS system and the relevant payment-processing environment, not relying on the mobile carrier’s network.

The second type of mobile payment is a mobile application (mobile wallet) that allows payment to be processed through the mobile carrier’s network, as is the case with banks. A mobile wallet has several key components, including the ability to provision account information, payment origin and payment processing.

With the near-ubiquity of mobile devices, banks are under pressure to release their own mobile banking apps, but security fears abound.

Mobile concerns

Mobile apps currently hold many and varied credit card details, raising concerns about security. These valid concerns include loss of privacy, loss of security around financial transactions, data loss and the perception of insecurity. Legitimate applications passing user data to other applications or third parties in an unauthorised manner is gaining more attention in the public arena – as it should. In addition, a possible drawback to the mobile wallet and secure element solution is that a single pin unlocks all of the accounts stored in the wallet, resulting in much greater exposure.

Financial institutions that can ease security fears, offer money-saving incentives and promote widespread acceptance of mobile wallets, may see more customers embrace them.

Behavioural analytics: Putting fraud in context

But where to begin? With a company’s bottom line, brand reputation and customer loyalty at risk, how can institutions secure payments via mobile wallets? They need to really trust the user behind the device by verifying the user based on behaviour. Deploying advanced user behavioural analytics will allow the organisation to detect genuine good users more accurately and improve the customer experience. Tracking behavioural patterns lets you learn who the real user is behind the wallet, from the kind of device they use and the detection of behavioural anomalies over time. When it comes to fraud attempts, banks can leverage that same information to quickly spot bad actors attempting to cycle stolen card details.

How does behavioural analytics work?

Behavioural analytics focuses on observed characteristics of who the user is, not just who they tell you they are. Until recently, security technology looked solely at what data was entered and what device was connected. But organisations can only build up so much of an understanding of who a person is with only two pieces of information. And what if the user changes or upgrades their device? You would lose half the visibility. There could be a good user that continually logs into an account, and then all of a sudden they change their computer, switching from a Mac to a PC, and now the visibility of ‘this is my customer’ becomes lost.

User behaviour analytics (UBA) adds multiple layers of nuanced information relating to passively observed behaviour, which goes beyond what data they input and what device they use to really understand how the user interacts with the mobile or web portal. When bringing in the idea of biometrics, we are learning something from that user, regardless of whether they switch devices. It allows organisations to not just look at that user as a one-off interaction but go a level deeper and look at that user in the context of their history and their previous behaviour.

Behavioural analytics continuously profiles users and accounts through their entire lifecycle across multiple channels, including desktop, mobile web and native apps. Continuously profiling users’ behaviour empowers two key capabilities. First, it enables risk managers to detect and respond to risk sooner, reducing the chance of financial loss. Second, when the user does reach a transaction point, fraud managers have full context of all their previous actions and behaviour to make a better decision on the transaction. Through this it gives organisations a higher level of understanding of who their customers are, creating an even deeper assurance that it really is their good customer when all of those different data points match.

Billions of transactions are analysed and from them observed characteristics, all non-PII, are used to create anonymised identities that are then categorised as good users and riskier users, all while adhering to strict privacy laws. Taking that behavioural information, and being able to store and aggregate it over time, allows you to have a better understanding of what your good user looks like at a behavioural level. Every time they return to the environment you have an understanding of what they look like historically and will be able to look at multiple layers of analysis and really understand, “Does this really look like it’s still my same user” or, “Has this user now deviated?” By knowing the users true behaviour over time, all the way from the point of login through to the transaction, organisations are able to better determine that a purchase may not be legitimate even if the user logged in properly. And when these robust profiles are anonymously compared across multiple vendors, a bank is provided an early warning system that is able to alert them when a user is behaving “badly” even if it is the first time the user is approaching one of their sites.

User behaviour analytics can help answer bigger questions, such as:

  • How did the user behave previously when they logged in? Are they behaving the same now? In other words, is this the real user accessing this account?
  • When the user is inputting data, is it similar to how they’ve interacted on the same mobile device before, or is it completely different?
  • Is this “user” creating a fraudulent mobile wallet with stolen account information?
  • Is their behaviour repeated? Repeated behaviour yields important information. If the behaviour is the same every time they visit, perhaps we can say it’s a good user, acting the same as always. But if it’s the same behaviour that 1,000 users are all repeating, it could indicate that this behaviour is part of a crime ring that is creating bogus accounts with stolen credit card data. This could be a distributed, low velocity attack – the kind of attack that exposes you to massive amounts of loss.

Fighting fraud with behavioural insight

There are at least 20 mobile wallet systems currently in use, according to a study from the Carlisle & Gallagher Group. This expands the threat landscape significantly. The fact that The Which? team was able to purchase goods online with card details stolen from an NFC transaction suggests that contactless cards are not a solution to risk in and of themselves. Of course, preventing data loss in the first place would be the ideal, but we have to be realistic. Having more accurate detection at the point of sale or at the login stage would protect consumers, merchants and banks from fraud no matter how the credentials were obtained.

Relying on a single layer of defence at a single point in the transaction chain is always going to end badly. Profiling across multiple channels, using analysis from billions of transactions, provides the insight needed to more accurately detect mobile wallet fraud. Behavioural analytics offers banks the insight they need in order to protect themselves and their customers from fraudulent activity.

Ryan Wilk, Director, NuData Security