By Ryan Wilk, director, NuData Security
Mobile wallets are enjoying increasing adoption. Payments made via mobile devices in the US are expected to total $90 billion by 2017, a big jump from the $12.8 billion spent in 2012, according to Forrester Research.
There are two different types of mobile payments. The first type works through contactless technologies such as near field communication (NFC) built into mobile phones. In the case of contactless technologies, the payment traverses the merchant’s POS system and the relevant payment-processing environment, not relying on the mobile carrier’s network.
The second type is a mobile application (a mobile wallet,) that allows payment to be processed through the mobile carrier’s network, as is the case with banks. A mobile wallet has several key components, including the ability to provision account information, payment origination and payment processing.
Creating concerns
With the near-ubiquity of mobile devices, banks are under pressure to come out with their own mobile banking apps, but security fears abound.
Mobile apps currently hold many credit card details, raising concerns about security, including loss of privacy, loss of security around financial transactions, data loss and the perception of insecurity. Legitimate applications passing user data to other applications or third parties in an unauthorised manner is gaining more attention in the public arena.
In addition, a possible drawback to the mobile wallet and secure element solution is that a single pin unlocks all of the accounts stored in the wallet, resulting in much greater exposure.
With a company’s bottom line, brand reputation and customer loyalty on the line, how can institutions secure payments via mobile wallets? They need to trust the user behind the device by verifying the user based on behaviour. Deploying advanced user behavioural analytics allows the organisation to detect genuine good users more accurately and improve the customer experience.
Tracking behavioural patterns lets you learn who the real user is, from the kind of device they use to even detecting behavioural anomalies. When it comes to fraud attempts, banks can leverage that same information to quickly spot bad actors attempting to cycle stolen card details.
Behavioural analytics
How does behavioural analytics work? Behavioural analytics focuses on observed characteristics of who the user is. It continuously profiles users and accounts through their entire lifecycle across multiple channels, including desktop and mobile web and native apps, empowering two key capabilities.
First, it enables risk managers to detect and respond to risk sooner, reducing the chance of financial loss. Secondly, when the user does reach a transaction point, fraud managers have full context of all their previous actions and behaviour to make a better decision on the transaction.
To collect all these observed characteristics, non-PII networks analyse billions of transactions, to create a store of anonymous identities that are categorised as either good or risky users. These identities remain completely anonymous and adhere to privacy laws. With this collection of identities, a bank is provided an early warning system that alerts them when a user is behaving behaving ‘badly’, even if it is the first time the user is approaching one of their sites.
User behaviour analytics can help answer bigger questions, such as:
- How did the user behave previously when they logged in? Are they behaving the same now?
- When the user is inputting data, is it similar to how they’ve interacted before, or is it completely different?
- Is this ‘user’ creating a fraudulent mobile wallet with stolen account information?
- Is their behaviour repeated? If the behaviour is the same every time, perhaps it is a good user. But if it’s the same behaviour that 1,000 users are all repeating, it could indicate a crime ring creating bogus accounts with stolen credit card data.
Observing user behaviour in detail enables the best chance of beating fraud.
Fighting fraud
There are at least 20 mobile wallet systems currently in use, according to a study from the Carlisle & Gallagher Group, expanding the threat landscape significantly. The fact that The Which? team was able to purchase goods online with card details stolen from an NFC transaction suggests that contactless cards are not a solution to risk in and of themselves.
Having more accurate detection at the point of sale or at the login would protect consumers, merchants and banks from fraud no matter how the credentials were attained.
Relying on a single layer of defence at a single point in the transaction chain is always going to end badly. Profiling across multiple channels, and using analysis from billions of transactions, provides the insight needed to more accurately detect mobile wallet fraud.
Behavioural analytics offer banks the insight they need in order to protect themselves and their customers from fraudulent activity.
NuData Security predicts fraudulent transactions by identifying good users from bad, based on their online behaviour. By analysing over 20 billion behaviours annually, NuData harnesses the power of behavioural and biometric analysis, enabling its clients to predict fraud with 99% accuracy.
