Mobile fraud detection imperative for the future of mobile commerce

By year-end 2013, location information or profile information from mobile phones will be used to validate 90 percent of mobile transactions, and the rapid adoption of smartphones is forcing banks, social networks and other e-commerce providers to implement the kinds of fraud detection capabilities that have become mainstream with fixed-line computing, says Gartner.

“Because of the improving browser experiences on smartphones, mobile commerce and transaction execution are set to increase rapidly,” said William Clark, research vice president at Gartner. “We estimate that by the end of 2013, 12.5 percent of all e-commerce transactions will be mobile.”

“Enterprise applications must detect fraud in these mobile environments, but fraud detection tools available today that work in fixed-line computing environments don’t work well or at all in the mobile world,” Mr. Clark said. “There are a number of methods that can be implemented to help enterprises detect fraud in the mobile space, but they are still in their early stages of development, and it will take until at least 2012 for them to transform from embryonic applications to technically mature systems that work easily and transparently across disparate mobile networks.”

Fraud prevention methods available today to mobile applications include:

Mobile device identification — This is enabled through a JavaScript on the server that the user logs in to, which captures whatever information it can get from the user’s browser and phone, depending on whether the user is using a browser or native application. If the application is browser-based, then the JavaScript application captures whatever information it can get from the user’s browser to uniquely identify that particular user’s browser and mobile device. If the mobile application is native and residing on the mobile handset, native applications can additionally gather the phone’s serial number and network card number. This will require opt-in by the user.

Location of device — This is based on the phone’s location information independent of the browser (IP address), so the user does not have to have his or her mobile browser application open for this to work; the phone only needs to be turned on. Enterprises may want to check and correlate the location of the device relative to anything else they know about the user’s location through other systems they may interact with at the enterprise. For mobile phones, there are two architectures that are used to obtain location information: One relies on device information (e.g., using the GPS-API applications that the user must opt into); the other employs APIs provided through mobile network operators that don’t require the users to opt in to releasing this information.

Some online fraud detection vendors are starting to tune their risk scoring and/or rule-based models specifically for mobile applications — For example, some vendors are looking at the mobile device itself, the location of the phone, and the behavior of the user inside the host application while transacting from the phone. This area is very new to the fraud detection vendors, as there is little mobile transaction experience to draw on in order to build effective risk models and scores that significantly improve on risk models that have already been built for fixed-line computing. It tries to combine some of the methods listed above, including mobile device identification and examining the location of the mobile phone in relation to other information known about the user and his/her location.

Gartner estimates that 70 percent of the largest 20 global card issuers will gradually adopt mobile context information to help detect fraud on fixed-line transactions, and that by year-end 2015, more than 15 percent of all payment card transactions will be validated using context-aware profile information.

Don't miss