By Ryan Wilk, director, NuData Security
Mobile wallets are enjoying increasing adoption. Payments made via mobile devices in the US are expected to total $90 billion by 2017, a big jump from the $12.8 billion spent in 2012, according to Forrester Research.
There are two different types of mobile payments. The first type works through contactless technologies such as near field communication (NFC) built into mobile phones. In the case of contactless technologies, the payment traverses the merchant’s POS system and the relevant payment-processing environment, not relying on the mobile carrier’s network.
The second type of mobile payment is a mobile application (a mobile wallet) that allows payment to be processed through the mobile carrier’s network, much as a bank’s own mobile app does. A mobile wallet has several key components, including the ability to provision account information, payment origination and payment processing.
With the near-ubiquity of mobile devices, banks are under pressure to come out with their own mobile banking apps, but security fears abound.
Mobile apps currently hold many and varied credit card details, raising concerns about security. These valid worries include loss of privacy, loss of security around financial transactions, data loss and the perception of insecurity.
Legitimate applications passing user data to other applications or third parties in an unauthorised manner is gaining more attention in the public arena, as it should. In addition, a possible drawback of the mobile wallet and secure element solution is that a single PIN unlocks all of the accounts stored in the wallet, resulting in much greater exposure if that PIN is compromised.
Financial institutions that can ease security fears, offer money saving incentives and promote widespread acceptance of mobile wallets may see more customers embrace them, but where to begin? With a company’s bottom line, brand reputation and customer loyalty on the line, how can institutions secure payments via mobile wallets?
Companies need to really trust the user behind the device by verifying the user based on behaviour. Deploying advanced user behavioural analytics will allow the organisation to detect genuine good users more accurately and improve the customer experience. Tracking behavioural patterns lets you learn who the real user is behind the wallet, from the kind of device they use to even detecting behavioural anomalies over time. When it comes to fraud attempts, banks can leverage that same information to quickly spot bad actors attempting to cycle stolen card details.
Behavioural analytics focuses on observed characteristics of who the user is, not just who they tell you they are. Until recently, security technology looked solely at what data was entered and what device was connected. But organisations can only build up so much of an understanding of who a person is with only two pieces of information. And what if the user changes or upgrades their device? You would lose half the visibility. There can be a good user that continually logs into an account, and now all of a sudden they change their computer, switching from a Mac to a PC and now the visibility of ‘this is my customer’ becomes lost.
User behaviour analytics (UBA) adds multiple layers of nuanced information drawn from passively observed behaviour. It goes beyond what data users input and what device they use, to understand how the user actually interacts with the mobile or web portal. When behavioural biometrics are brought in, we are learning something about that user that persists regardless of whether they switch devices. It allows organisations not just to look at that user as a one-off interaction but to go a level deeper and look at that user in the context of their history and their previous behaviour.
Behavioural analytics continuously profiles users and accounts through their entire lifecycle across multiple channels, including desktop, mobile web and native apps. Continuously profiling users’ behaviour enables two key capabilities. First, it enables risk managers to detect and respond to risk sooner, reducing the chance of financial loss. Second, when the user does reach a transaction point, fraud managers have the full context of all their previous actions and behaviour to make a better decision on the transaction. This gives organisations a higher level of understanding of who their customers are, creating an even deeper assurance that it really is their good customer when all of those different data points match.
Billions of transactions are analysed and from them observed characteristics are used to create anonymised identities that are then categorised as good users and riskier users, all while adhering to strict privacy laws. Storing and aggregating that behavioural information over time allows you to have a better understanding of what your good user looks like at a behavioural level. Every time they return to the environment you have an understanding of what they look like historically, and you are able to apply multiple layers of analysis to ask, “Does this really look like it’s still my same user?” or “Has this user now deviated?”
By knowing the user’s true behaviour over time, all the way from the point of login through to the transaction, organisations are able to better determine that a purchase may not be legitimate even if the user logged in properly. And when these robust profiles are anonymously compared across multiple vendors, a bank gains an early warning system that is able to alert it when a user is behaving ‘badly’ even if it is the first time the user is approaching one of its sites. Observing user behaviour in detail offers the best chance of beating fraud.
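To make the idea of a rolling behavioural baseline concrete, here is a small added illustration (not NuData’s product or any vendor’s code) that scores a login session against a user’s history using several passively observed signals, so that a device switch on its own stays below the review threshold while several simultaneous deviations push a transaction to review. The `Session` fields, the thresholds and the sample sessions are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import List

# Hypothetical per-login observations; a real deployment would collect many more signals.
@dataclass
class Session:
    device: str       # e.g. "mac", "pc", "ios"
    hour: int         # local hour of the login (0-23)
    typing_ms: float  # mean interval between keystrokes while entering credentials
    nav_secs: float   # seconds from login to the first payment action

def _zscore(x: float, xs: List[float]) -> float:
    """Distance of x from the history mean, in standard deviations."""
    sd = pstdev(xs)
    if sd == 0:
        return 0.0 if x == mean(xs) else float("inf")
    return abs(x - mean(xs)) / sd

@dataclass
class Profile:
    """Rolling behavioural baseline for one anonymised user id."""
    history: List[Session] = field(default_factory=list)

    def learn(self, s: Session) -> None:
        self.history.append(s)

    def score(self, s: Session) -> float:
        """Risk in [0, 1]: the share of behavioural signals that deviate from baseline."""
        if len(self.history) < 3:
            return 0.5  # too little history to trust either way: step-up, do not block
        flags = 0
        # The device is only one of four signals, so a Mac-to-PC switch alone scores 0.25.
        flags += s.device not in {h.device for h in self.history}
        flags += abs(s.hour - mean(h.hour for h in self.history)) > 6
        flags += _zscore(s.typing_ms, [h.typing_ms for h in self.history]) > 3
        flags += _zscore(s.nav_secs, [h.nav_secs for h in self.history]) > 3
        return flags / 4

def decide(profile: Profile, s: Session, threshold: float = 0.5) -> str:
    """Transaction-point decision made with the full context of prior behaviour."""
    return "approve" if profile.score(s) < threshold else "review"
```

After an approved session, call `profile.learn(session)` so the new device becomes part of the baseline rather than a permanent anomaly.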
There are at least 20 mobile wallet systems currently in use, according to a study from the Carlisle & Gallagher Group. This expands the threat landscape significantly. The fact that the Which? team was able to purchase goods online with card details stolen from an NFC transaction suggests that contactless cards are not a solution to risk in and of themselves. Of course, preventing data loss in the first place would be the ideal, but we have to be realistic. Having more accurate detection at the point of sale or at the login would protect consumers, merchants and banks from fraud no matter how the credentials were obtained.
Relying on a single layer of defence at a single point in the transaction chain is always going to end badly. Profiling across multiple channels, using analysis from billions of transactions, provides the insight needed to more accurately detect mobile wallet fraud. Behavioural analytics offer banks the insight they need in order to protect themselves and their customers from fraudulent activity.
NuData Security positively verifies users online through real time behavioural and statistical analytics to detect automated and human attacks.