Fraud prevention collides with data privacy concerns in mobile e-commerce

Gartner said in a statement that there are two primary fraud prevention methods available today for mobile applications:

Mobile Device ID. This is enabled through JavaScript served by the site the user logs in to, which captures whatever information it can get from the user's browser and phone, depending on whether the user is using a browser or a native application. If the application is browser-based, the JavaScript captures information from the user's browser to identify that particular browser and mobile device. If the application is native and resides on the handset, it can gather the phone's serial number and network card number. This requires opt-in by the user.

Location of Device. This is based on the phone's location information independent of the browser, so the user does not have to have a mobile browser open; the phone only needs to be turned on. Enterprises may want to check and correlate the location of the device against what they already know about the user's location from other systems the user interacts with. For mobile phones, two architectures are used to obtain location information: one relies on device information from GPS-based application programming interfaces (APIs) that the user must opt in to; the other uses APIs provided by mobile network operators, which do not require the user to opt in to release this information.
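The correlation step described above (comparing the device's reported location with locations the enterprise already holds for the user) can be made concrete with a small "implausible travel" check. The following is an added illustration written for this article, not Gartner's, Litan's or any vendor's code; the fix source labels (`pc_login_geoip`, `device_gps`), the 900 km/h speed ceiling, the 24-hour lookback and the sample coordinates are all assumptions constructed for the example. It works the same whether the device position came from an opt-in GPS API or a carrier API, since it only consumes the resulting fix.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two latitude/longitude points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


@dataclass(frozen=True)
class LocationFix:
    """A location held for a user, tagged with where it came from.

    `source` is a hypothetical label (e.g. geo-IP at the last PC login, a
    carrier location API, the handset's GPS); the names are assumptions.
    """
    source: str
    lat: float
    lon: float
    seen_at: datetime


def assess_transaction(
    device_fix: LocationFix,
    known_fixes: list[LocationFix],
    max_speed_kmh: float = 900.0,          # assumed ceiling, roughly airliner speed
    lookback: timedelta = timedelta(hours=24),
) -> tuple[str, str]:
    """Correlate the device's location with recent fixes from other systems.

    Returns ("review", reason) if any recent fix implies the user moved faster
    than max_speed_kmh to reach the device's position, else ("allow", reason).
    """
    recent = [f for f in known_fixes if abs(device_fix.seen_at - f.seen_at) <= lookback]
    if not recent:
        return "allow", "no reference location within lookback window"
    for fix in recent:
        distance = haversine_km(device_fix.lat, device_fix.lon, fix.lat, fix.lon)
        hours = abs((device_fix.seen_at - fix.seen_at).total_seconds()) / 3600.0
        if hours == 0:
            # Same instant, far apart: at least one of the two fixes is wrong.
            if distance > 50:
                return "review", f"{distance:.0f} km from simultaneous {fix.source} fix"
            continue
        speed = distance / hours
        if speed > max_speed_kmh:
            return "review", f"implied speed {speed:.0f} km/h versus {fix.source} fix"
    return "allow", f"consistent with {len(recent)} recent fix(es)"


# Constructed sample data: a PC login geolocated to New York at noon, then a
# mobile transaction reporting a London position half an hour later, and a
# second one reporting Newark an hour later.
NOON = datetime(2010, 6, 1, 12, 0)
PC_LOGIN_NYC = LocationFix("pc_login_geoip", 40.7128, -74.0060, NOON)
MOBILE_LONDON = LocationFix("device_gps", 51.5074, -0.1278, NOON + timedelta(minutes=30))
MOBILE_NEWARK = LocationFix("device_gps", 40.7357, -74.1724, NOON + timedelta(hours=1))

if __name__ == "__main__":
    for tx in (MOBILE_LONDON, MOBILE_NEWARK):
        print(tx.source, tx.seen_at.time(), assess_transaction(tx, [PC_LOGIN_NYC]))
```

Note that the check only consumes coordinates and timestamps; it does not need the contents of calls or browsing activity, which is the line Litan draws below between basic fraud detection and information that raises privacy issues. Tagging each fix with its source also makes it clear which collection path (opt-in or carrier-supplied) produced the evidence behind a flagged transaction.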

Gartner estimates that by 2013, location information or user profile information from the mobile device will be used to validate 90% of mobile transactions.

Litan admitted that obtaining this type of information could raise users' concerns about data privacy. “If the financial institutions and e-commerce providers collect location information, then they need to secure it.”

At the same time, Litan noted that banks and e-commerce providers are already collecting information about people who log into sites from PCs for fraud detection purposes, and carriers are already collecting location information about mobile phone users. So what Gartner is recommending is extending that information collection to the mobile e-commerce sphere.

“Consumers are already being tracked by the mobile carriers. That’s how the technology works. Otherwise you can’t make a phone call if they don’t know where you are. So I don’t see that much wrong with using the information for fraud detection. It is when you go beyond the basic detection information, like what are people doing when they are making the calls, then you get into privacy issues,” she said.

In an earlier Gartner research note, Litan said that international regulatory pressure, primarily from the European Union, has led to software providers enabling PC users to block cookies from being placed on their computers. Banks and other online service providers have been using cookies to validate the identity of users logging on to their sites in order to prevent fraud.

Most recently, Adobe introduced its Flash Player 10.1 that enables users to block Flash cookies from being saved on their PCs. This change brings Adobe Flash Player into line with major web browsers, such as Internet Explorer, Firefox, and Chrome.

Litan noted that similar privacy concerns could lead to government guidelines or regulations in the mobile area. “There are no federal guidelines now…There probably should be, but there aren’t any,” she said.

“There are no rules preventing the banks or anyone else from collecting this information, as long as it's anonymized. But then the question is: Is it really anonymized if you know everything except the name? You can figure out a lot. There are a lot of privacy implications but they have not been satisfactorily addressed by the government or policy makers,” she said.

“It’s a minefield. It’s a big issue and the government has not been proactive in helping anyone figure it out,” she added.
