How to Protect m-Commerce in the Age of Mobile Payments
This interview was originally posted on the blog site of GoeMerchant.
Jimmy Fong is VP Sales-International at InAuth, a leading next-generation device authentication and intelligence partner which was recently acquired by American Express. Jimmy offers consulting services to over 120 merchants worldwide who benefit from his passion for fintech. He advises e-merchants on how to optimize their e-commerce, m-commerce, anti-fraud and global payment strategies as they aim to increase their international customer base. Jimmy previously worked for GlobalCollect (acquired by Ingenico Group) and for CyberSource (acquired by Visa).
According to Goldman Sachs, half of all online sales will be purchased through mobile devices by 2018. More than 60% of omnichannel shoppers said they plan to start making purchases using mobile devices or will do so even more in the upcoming year, according to a study released by Facebook. With m-commerce making a quantum leap within e-commerce, fraudsters are adapting their modus operandi. This is reflected in a rapid increase of cyber-crime explicitly designed to target mobile devices and in an urgent need for strong mobile device authentication.
Shanty Elena: Hi Jimmy, e-commerce offers merchants tremendous opportunities, but fraudsters haven’t lagged behind in adopting new strategies. In which ways have the rise of mobile payments and growing m-commerce impacted cyber-crime?
JF: When one door of opportunity closes for a fraudster, they quickly move on to new channels. According to Juniper Research, in the 1st half of 2016, 4 out of 5 malware infections originated from a smartphone, compared with 1 out of 5 malware infections originating on a desktop. This shows us that fraudsters are concentrating their efforts on this newer channel. This, combined with consumers moving to smartphones, has massively increased opportunities for fraudsters to attack.
Q: From malware that specifically targets mobile apps to reverse engineering, cybercriminals apply a range of innovative schemes to steal mobile users’ data and money. What are the best risk management strategies to detect and counter such cyber-attacks?
JF: There is no silver bullet approach to fraud prevention. What we see work best is a multi-layered and holistic strategy. What InAuth does is deep device intelligence, which has two key benefits. One is that it provides a permanent way to identify each device in your network interacting with your business. If you have this digital “fingerprint,” it can help you make decisions about whether to do business with that device.
The second area that we advocate for is validating the trustworthiness of the device. For example, does the device have malware/crimeware on it? Does the location information contextually make sense? Is there suspicious behavior we can identify by behavioral and mobility data, such as the accelerometer, and device data, such as battery usage? Only by adopting a sophisticated, real-time analysis of both the device fingerprint and the trustworthiness of the device can we fully understand if we want to do business with it.
Q: What is device authentication and how have browser fingerprints been proven to be useful against financial crime?
JF: Device fingerprinting has been around for 15 to 20 years. Device authentication has become a commonly used element in fraud prevention. The challenge we found in the market is that this was really engineered for the desktop browser and there is an inherent weakness with this technology.
We approach device fingerprinting differently from what existed in the market. We engineered a print for mobile that is 100% permanent versus persistent. This means that other prints persist for a limited amount of time before a new ID has to be regenerated. 100% permanence allows the fraud teams we work with to rely on this data and pair the device to the user, knowing that it is indeed the same device across multiple interactions with a business. This allows merchants to focus not only on preventing fraud but also on providing the best possible experience to their customers.
Q: Can you talk to us about biometric identification methods as part of risk departments’ AML and KYC strategies?
JF: Biometrics will become a very useful tool in replacing passwords, but again we recommend the best strategies are multi-layered in sophistication and approach. It has been proven again and again that there is no silver bullet approach with fraud and this is just as relevant here. What we’re seeing as a best practice is a multi-layered approach that gets as much contextual information from all parts of the interaction, whether that be KYC, KYD (know your device) or transaction information so you can make a fully informed choice – ideally in real time – to accept, reject or review.
Q: Article 97 in the European Payment Service Directive (PSD2) demands Strong Customer Authentication (SCA). What are the consequences of PSD2 for risk management departments of financial institutions in the global cross-border e-commerce space?
JF: The consequences will be threefold. They are checkout conversion, the technology necessary to implement these provisions, and the organizational impact. Next month we expect the revised technical standards that offer specific guidance on what constitutes “strong customer authentication” and there is an expectation this will be less intrusive on the customer shopping journey, but we will have to wait and see. We are leveraging our 100% permanent device fingerprint so that a merchant can reliably send contextual and “in-app” messages seeking confirmation from the consumer via a secured channel.
Q: Merchant Category Codes (MCCs) and risk analysis are crucial during the client acceptance process. They are part of a merchant acquirer’s legally required due diligence program. Although the travel industry isn’t considered “high-risk” from a reputational (damage) perspective, it is high-risk in many other ways. Could you explain why and what strategies the travel industry should apply in order to detect and reduce its alarming fraud figures?
JF: To use an analogy, the acquiring world is comparable to the insurance business model. Merchant acquirers underwrite the perceived risk they can tolerate and create a portfolio. Travel can be viewed as higher risk given the size of transactions, volume of transactions and exposure to economic factors and consumer demand. The best travel companies use tools that analyze and allow trusted customers to flow swiftly through the buying experience, whilst spotting anomalies and stopping the suspicious devices and users.
Q: InAuth was recently acquired by American Express, which is a great achievement for such a young company. What makes your solutions so powerful that they raised the interest of Amex?
The acquisition complements and enhances American Express’ comprehensive data analytics and fraud prevention capabilities, which have enabled Amex to achieve the lowest fraud rates in the industry. The acquisition also positions the company to capture new opportunities as more consumer activity – from payments to account origination and servicing – moves to digital channels.
As commerce has increasingly shifted to online and mobile channels, so too has the risk of fraud. Seventy percent of U.S. merchants have experienced an increase in sales through online and mobile channels over the previous year, according to the 2016 American Express Digital Payments Security Survey. At the same time, 60% of merchants reported having experienced fraud from online and mobile sales.