Making Mobile Wallets Safer
October 13, 2015
Featured article by Ryan Wilk, director of customer success, NuData Security
Consulting firm Chadwick Martin Bailey found in a recent survey that 15 percent of U.S. consumers have used a mobile wallet in the past six months, up from nine percent in the same period in 2013. The numbers may seem small at first glance, but do the math: that’s a 66 percent increase in usage in just two years. In terms of awareness of mobile wallets, the percentage jump is even higher. Their Mobile Wallet in 2015 and Beyond report found that 18 percent of consumers are “very familiar” with mobile wallets, compared to eight percent in 2013.
This growing adoption and awareness creates new revenue opportunities and customer loyalty for organizations willing to throw their hat into the ring. Those who do so have two different types of mobile payments to choose from. The first type works through contactless technologies such as Near Field Communication (NFC) built into mobile phones. In the case of contactless technologies, the payment traverses the merchant’s POS system and the relevant payment-processing environment, not relying on the mobile carrier’s network.
The second type allows payments to be processed through the mobile carrier’s network, as is the case with banks. This is the mobile application (mobile wallet) approach. A mobile wallet has several key components, including the ability to provision account information, payment origination and payment processing.
Mobile payments aren’t a fad, and they aren’t going away. Growing adoption has put banks, financial institutions and large brands under pressure to come out with their own mobile banking apps. However, before any of them go after their share of the market, they have to deal with the security element.
The Linchpin for Mobile Wallet Adoption
Security is often listed as the key reason that consumers have not adopted mobile wallet technology. Mobile apps currently hold many and varied credit card details, which then raises concerns about security. These valid concerns include loss of privacy, loss of security around financial transactions, data loss and the perception of insecurity. Legitimate applications passing user data to other applications or third parties in an unauthorized manner is gaining more attention in the public arena – as it should. In addition, a possible drawback to the mobile wallet and secure element solution is that a single PIN unlocks all of the accounts stored in the wallet, resulting in much greater exposure.
As organizations think through the issues and the solutions regarding mobile wallet security, their offerings are far more likely to enjoy widespread adoption.
The Benefits of Analyzing User Behavior
Organizations need to build trust among consumers by, ironically, being able to truly trust the user behind the device by verifying the user based on behavior. Deploying advanced user behavioral analytics will allow the organization to detect genuine good users more accurately and improve the customer experience. Tracking behavioral patterns lets you learn who the real user is behind the wallet, from the kind of device they use to even detecting behavioral anomalies over time. When it comes to fraud attempts, organizations can leverage that same information to quickly spot bad actors attempting to cycle stolen card details.
Behavioral analytics continuously profiles users and accounts through their entire lifecycle across multiple channels, including desktop and mobile Web and native apps. Continuously profiling users’ behavior empowers two key capabilities. First, it enables risk managers to detect and respond to risk sooner, reducing the chance of financial loss. Second, when the user does reach a transaction point, fraud managers have full context of all their previous actions and behavior to make a better decision on the transaction.
Billions of transactions, including user behaviors, are analyzed by non-PII networks in order to create a store of anonymous identities that are categorized as good users and riskier users. These identities remain completely anonymous and adhere to stringent privacy laws. With this collection of identities, an organization has an early warning system that is able to alert them when a user is behaving “badly,” even if it is the first time the user is approaching one of their sites.
This can help answer important fraud-detecting questions:
– What characteristics define how this user behaved previously upon login? Are they behaving the same now? In other words, is this the real user accessing this account?
– Is the user’s behavior repeated? If the behavior is the same every time they visit, perhaps we can say that this is a good user, acting the same as always. But if it’s the same behavior that 1,000 users are all repeating, it could indicate that this behavior is part of a crime ring that is creating bogus accounts with stolen credit card data. This could be a distributed, low velocity attack – the kind of attack that exposes you to massive amounts of loss.
– Is this “user” really a fraudster creating an unauthorized mobile wallet with stolen account information?
– When the user is inputting data, is it similar to how they’ve interacted on the same mobile device before, or is it completely different?
This level of detail separates so-so fraud detection from the kind that is necessary today, particularly as mobile wallets gain traction among consumers.
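The first two questions in the list above can be turned into checks, shown here as an added example (not NuData's code and not part of the original article): one compares a session with the account's own history, the other looks for one behavior signature repeated across many distinct accounts. The sessions, the features chosen (mean inter-key delay, navigation path) and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sessions: (account, device, mean inter-key delay in ms, navigation path)
SESSIONS = [
    ("alice", "dev-A", 182, "login>wallet>pay"),
    ("alice", "dev-A", 175, "login>wallet>pay"),
    ("alice", "dev-A", 190, "login>wallet>pay"),
    ("alice", "dev-A", 178, "login>wallet>pay"),
    ("alice", "dev-Z", 41, "login>add_card>add_card>add_card"),
    ("bob", "dev-B", 230, "login>wallet>pay"),
    ("u1001", "dev-Q1", 40, "signup>add_card>pay"),
    ("u1002", "dev-Q2", 42, "signup>add_card>pay"),
    ("u1003", "dev-Q3", 44, "signup>add_card>pay"),
    ("u1004", "dev-Q4", 41, "signup>add_card>pay"),
]

def self_anomalies(sessions, min_history=3, z_limit=3.0, min_sd=5.0):
    """Flag sessions whose typing cadence departs from the account's own history."""
    history, flagged = defaultdict(list), []
    for account, device, delay, _path in sessions:
        past = history[account]
        if len(past) >= min_history:
            sd = max(pstdev(past), min_sd)  # floor keeps a very steady typist from tripping on noise
            if abs(delay - mean(past)) / sd > z_limit:
                flagged.append((account, device, delay))
                continue  # keep the outlier out of the baseline
        past.append(delay)
    return flagged

def shared_signatures(sessions, min_accounts=3, bucket_ms=10):
    """Find behavior signatures repeated across many distinct accounts."""
    seen = defaultdict(set)
    for account, _device, delay, path in sessions:
        seen[(delay // bucket_ms, path)].add(account)
    return {sig: sorted(accts) for sig, accts in seen.items()
            if len(accts) >= min_accounts}

if __name__ == "__main__":
    print("off-baseline:", self_anomalies(SESSIONS))
    print("repeated across accounts:", shared_signatures(SESSIONS))
```

The four single-session accounts have no history to compare against, so only the cross-account check surfaces them; that is the first-visit case the article describes.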
Exposing Bad Behavior
The ongoing adoption of mobile wallets brings greater ease and convenience to consumers, but it also expands the threat landscape significantly. The fact that The Which? team was able to purchase goods online with card details stolen from an NFC transaction suggests that contactless cards are not a solution to risk in and of themselves. Of course, preventing data loss in the first place would be the ideal, but we have to be realistic. Having more accurate detection at the point of sale or at the login would protect consumers, merchants and banks from fraud no matter how the credentials were attained.
Gone are the good old days when a payment provider had only to make sure that the user’s username and password matched. Payment systems have become much more sophisticated, and so have the malicious actors who prey on them. Fortunately, fraud detection and prevention strategies today have advanced as well. Organizations can employ behavioral analytics, making use of the data gathered and analyzed from billions of transactions, to more accurately detect mobile wallet fraud. These profiles of observed behaviors enable both providers and consumers to feel more confident in mobile wallet technology.