M-commerce Fraud Leading to Millions in Lost Revenue

Mobile e-commerce is still a nascent space, but growing fast: More than 200 million devices worldwide are now making regular purchases through mobile browsers and mobile applications. That offers a vast new playground for fraudsters, who will look to take advantage of immature security approaches in the space.

According to a mobile commerce study by J. Gold & Associates, a full one-third of the organizations surveyed indicated they generate revenues from the internet in the 26 to 50% range. And a full quarter (25%) of those surveyed said that 11 to 25% of that revenue came from a mobile app. Half of them (50%) expect mobile revenues to grow between 11% and 50% in the next three years, and an additional third expect it to grow even more dramatically (51% to 100% higher) over the same time.

But there’s a big problem: Organizations are struggling to keep up with the web portal technology, anti-fraud initiatives and security practices needed to secure m-commerce, and many of them are reusing existing e-commerce controls instead of treating mobile as a separate channel with its own fraud exposure.

Already, 15% of those surveyed said that they have lost as much as 25% of revenue due to fraud; and 14% lost as much as 10% of revenue. Another third (34%) indicated that they have lost as much as 5% of revenue. A full 19% say that up to half of those losses are via mobile channels—a figure that J. Gold expects to double in the next two to three years.

The issue in large part boils down to the fact that fraud abhors a vacuum. When new regulations and practices make fraud less effective in one arena, fraudsters simply change tactics. For instance, when Chip and PIN cards came into widespread use in Europe, requiring users to not only present their plastic to a smart card reader but to also enter a memorized PIN, point of sale (POS) fraud sank dramatically. In its place, card not present (CNP) fraud, i.e. e-commerce fraud, became a bigger phenomenon. As online safeguards get better, m-commerce has become the next low-hanging fruit.

“Sir Isaac Newton discovered in his Law of Conservation of Energy that energy cannot be destroyed, merely transformed from one form to another,” said Jeff Carpenter, a researcher at report co-sponsor RSA, in a blog post. “The parallels to fraud in the online world run along similar conventions. When a particularly effective means of shutting down fraud starts to gain traction (through new technology, new regulations that go into effect, or best practices becoming widespread), the total level of fraud tends—not to go down as popularly believed—but stays steady-state in the aggregate, or worse yet, continues to rise as it morphs and jumps to other unsuspecting hosts.”

And as such, the mobile channel should be set apart from regular mom-and-pop e-commerce, according to Carpenter.

“Mobile e-commerce and mobile transactions are optimized around user convenience, meaning they tend to rely on (gulp!) cached passwords or just single factor username/password,” he explained. “Too easy for the bad guys to steal credentials, impersonate a login and transact business fraudulently online. They also bounce around between various secure and unsecure networks. All this is leading experts to sense a seismic shift in fraud moving to the mobile channel. It’s already happening on a small scale and looks to get writ large in the coming years.”

To curb the fraud trend, stronger authentication mechanisms such as biometrics, phone-based (out-of-band) authentication and software tokens for two-factor authentication can protect end users, because a stolen or cached password alone is no longer enough to transact. Risk-based analytics can further reduce loss to the organization by scoring transactions and declining or challenging suspicious ones before they complete.

The time to act is now, Carpenter warned. “If mobile e-commerce was still in its infancy last year, in 2015 it will be asking for the keys to the car and permission to stay out after curfew,” he said. “College tuition can’t be far behind.”
