As Internet commerce began to take flight a decade ago, there was great concern that the growth of online business would be stymied by consumers’ reluctance to expose their personal and financial data to the emerging security risks of vulnerable websites.
Yet, Internet commerce has grown unabated, as businesses have proven their ability to (usually) protect client data, and to cover consumers for losses in those cases where they don’t.
More recently, as the use of smartphones and similar mobile devices has become ubiquitous, the same arguments are being heard again: the growth of mobile commerce will be limited unless adequate security is demonstrably in place. These fears are actually more justified this time around, as wireless mobile transactions are by their very nature more difficult to protect.
Nevertheless, consumers choose to conduct business from wherever they may be, and are willing to entrust both personal and financial information to the digital airwaves, as long as reasonable protections are in place and they are not restricted from conducting business.
As with credit card transactions, consumers believe that any risks in using mobile devices to conduct commerce should be borne by the merchants or card issuers. Therefore, consumers are less likely to be deterred from using their devices, despite the increased risk of fraud.
Emerging applications such as Google Wallet, Square Wallet, Isis and similar software applications now allow consumers to use their smartphones as mobile wallets. Ultimately it is convenience, which seems to trump risk, that is driving mobile commerce’s growth.
Research from Forrester validates this trend. Their report “The State of Mobile Banking 2012” predicts that there will be 108 million U.S. mobile banking users by 2017, representing 46% of all U.S. bank account holders and roughly triple current levels.
Binary Security Considered Inadequate
Various data encryption, identity verification and password-protection technologies have been developed to make using mobile devices more secure. However, the criminals are equally adept at overcoming these more basic security measures.
In an age of social media, where vast amounts of personal information are openly shared on public forums, confirming identity by simply asking for basic information is no longer sufficient. According to the analyst firm Javelin, the average social media site user is lax about sharing personal data:
- Thirty-one percent share their birth date and year
- Forty-seven percent share their email address
- Twelve percent share their phone number
- Nine percent share their pet’s name
Unfortunately, this is precisely the kind of information that binary rules-based authentication relies upon. Studies by Experian’s Decision Analytics confirm that the use of a single binary condition such as address, phone number or date of birth does not provide adequate predictive separation between “fraudulent” accounts and “legitimate” accounts.
This means that an unnecessarily high proportion of transactions (often greater than 30%) are flagged for review and are costly to clear, even though they are not high risk.
FIs Make Mobile Fraud Prevention a Priority
The need to combat fraud without unduly restricting merchants or consumers, while simultaneously making mobile transactions easier, has become a priority for financial institutions. According to Aite Group, which interviewed 32 North American financial institutions, mobile divisions within these institutions are a high priority for fraud prevention technology investments, with 26% of institutions citing it as their highest priority.
Many of these investments are being steered toward a new class of technology called “risk-based authentication,” which offers more comprehensive fraud detection and prevention than binary security alone, making it better-suited to mobile applications.
A risk-based fraud prevention system allows institutions to make customer relationship and transactional decisions based not merely on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity theft.
A Multi-Faceted Approach
Effective risk assessment should combine multiple factors including complex device recognition, identity authentication and real-time risk evaluation, while balancing mobile authentication with customer ease of use. Recent guidance from the Federal Financial Institutions Examination Council supports the position that for fraud prevention to be viable, it should rely on more than one method of validation.
In its 2011 “Supplement to Authentication in an Internet Banking Environment,” the FFIEC states: “Although no device authentication method can mitigate all threats, the Agencies consider complex device identification to be more secure and preferable to simple device identification. Institutions should no longer consider simple device identification, as a primary control, to be an effective risk mitigation.”
Rather than basic binary security measures, there are risk-based authentication tools that use robust data sources to provide a more accurate picture of each applicant. By combining identity proofing with out-of-wallet-question tools in a single platform, these analytics produce actionable risk-based authentication and fraud scores for use in identity proofing.
Such a risk-based authentication system allows credit providers to make faster and more consistent credit decisions, mitigating the risk of fraud while speeding transaction processing. In addition to using data scoring tools to verify the identity of an individual, risk management technology can also be used to confirm the legitimacy of the device being used to access an account.
Adapting Authentication to the Mobile Environment
Mobile commerce is here to stay. As devices such as smartphones get smarter, so too do the ways they’re used. Authentication methods are adapting to a world where people increasingly use mobile devices for transactions of all sorts.
A new breed of tools is providing a holistic assessment of the identity of the user as well as the device being used. These tools, tailored expressly for the mobile environment, simultaneously reduce fraud and minimize the number of non-fraudulent transactions being declined or requiring manual review.