Editor’s Note: Welcome to our weekly Reader Forum section. In an attempt to broaden our interaction with our readers we have created this forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: dmeyer@rcrwireless.com.
Mobile applications undermine conventional online controls against fraud but open up several much stronger controls – although they are dependent on a deep understanding of mobile and fraud. With the proper security built in, mobile apps can offer the richest user experience and be the most secure channel for mobile transactions.
Online commerce and banking are not only increasingly moving to the mobile channel, but also being extended into new areas such as remote check deposit and mobile payments. Like the conventional online channel, mobile transactions bring with them the full fraud risks of the Internet – anonymity, scalability and global reach. The real person on the other end of the transaction can only be inferred through digitized data used as a proxy for identity. Best practices for protecting online transactions involve applying layered protection, knowing who is on the other end of a transaction through familiarity with devices and connections, and looking for additional factors that may indicate risk.
While the mobile channel is typically treated like another version of online, this approach can make it much riskier than conventional online for several important reasons.
First, mobile undermines the controls that online authentication and transacting have come to rely on. Mobile-network Internet Protocol addresses are centralized, reused and shared, making them unusable for typical fraud controls such as velocities, negative lists, familiarity checks and IP-based geo-location. Browser-based device identification that was built for non-mobile devices is similarly impaired, as it does not provide effective distinctions among mobile devices.
Second, the mobile environment itself differs significantly from online. Users lack caution in installing apps on their devices – even from third-party Android stores, where rogue apps often lurk. Fraudsters may exploit the small display and lack of obvious contextual information, as phone screens show only a limited portion of long URLs, and text messages reveal very little about their senders. The experience may be similarly truncated on the service-provider side, as the client-server nature of interaction with mobile apps often limits the exchange to minimal data focused tightly on the transaction at hand, reducing the context that would otherwise support or deny the familiarity of the device and user.
The final critical mobile difference that should not be ignored is also the channel’s redemption – that mobile apps enable strong new anti-fraud capabilities for the merchant, bank or service provider. While the previously covered differences will, without intervention, make the mobile channel very weak in terms of fraud prevention, the power of having an app on the device can more than make up for this; app-based mobile can be the strongest channel, if the appropriate controls are included.
With a deep understanding of how mobile works and how fraud is perpetrated, security and anti-fraud modules can be built into mobile apps that allow for stronger authentication than ever before, that find risk factors, that lay traps for fraudsters and that can improve on the typically weak link of challenging the user.
While browser-based device interrogation yields tens of device characteristics, the mobile app can yield hundreds. While IP-based geo-location is subject to both unintentional distortion and deliberate manipulation by virtual private networks and proxies, mobile-device location can be based on multiple factors and manipulation attempts can be clearly identified. While browser-based risk factors are limited to a few things that are unintentionally exposed by the fraudsters, mobile can check a device for specific and genuinely threatening malware that exploits the legitimate user – or for “crimeware” that is used by fraudsters to bypass security controls. While users previously were challenged at relatively high rates and the challenge presented was actually a weaker form of security, mobile allows for almost no challenging (due to very robust recognition) and a much stronger means for extended trust when a challenge is truly needed (such as when a truly new device attempts to access an account).
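As an added illustration of this point and of the earlier paragraph on shared mobile-network IP addresses (example code written for this page, not the author's), the same velocity rule is run twice over constructed login events: once keyed on the source IP and once keyed on an app-supplied device identifier. The IP addresses, account names and device identifiers are invented; 10.0.0.1 stands in for a shared carrier address behind which many subscribers sit.

```python
from collections import defaultdict

WINDOW_SECONDS = 300   # sliding window for the velocity rule
MAX_ACCOUNTS = 3       # distinct accounts per key inside the window before alerting

# Constructed sample events (not from the article): (time_s, source_ip, account, device_id).
# Four unrelated subscribers and one device (dev-x9) touching four accounts all share
# the same carrier-side IP, which is exactly the situation the article describes.
EVENTS = [
    (0,   "10.0.0.1", "alice",   "dev-a1"),
    (20,  "10.0.0.1", "bob",     "dev-b1"),
    (40,  "10.0.0.1", "carol",   "dev-c1"),
    (60,  "10.0.0.1", "dave",    "dev-d1"),
    (80,  "10.0.0.1", "victim1", "dev-x9"),
    (90,  "10.0.0.1", "victim2", "dev-x9"),
    (100, "10.0.0.1", "victim3", "dev-x9"),
    (110, "10.0.0.1", "victim4", "dev-x9"),
    (500, "198.51.100.5", "erin", "dev-e1"),
]

def velocity_alerts(events, key_index, window=WINDOW_SECONDS, limit=MAX_ACCOUNTS):
    """Return {key: set(accounts)} for every key that touched more than `limit`
    distinct accounts within some `window`-second span.
    key_index selects the event field used as the key (1 = source IP, 3 = device id)."""
    by_key = defaultdict(list)
    for ev in sorted(events):            # tuples sort by timestamp first
        by_key[ev[key_index]].append(ev)
    alerts = {}
    for key, evs in by_key.items():
        for i, (t0, _, _, _) in enumerate(evs):
            accounts = {e[2] for e in evs[i:] if e[0] - t0 <= window}
            if len(accounts) > limit:
                alerts[key] = accounts   # every account caught under this key in the window
                break
    return alerts

def accounts_flagged(alerts):
    """Flatten the alert map into the set of accounts that would be challenged or blocked."""
    return set().union(*alerts.values())

def compare(events):
    """Run the identical rule with both keys so the difference in collateral damage is visible."""
    return {
        "ip_keyed": accounts_flagged(velocity_alerts(events, key_index=1)),
        "device_keyed": accounts_flagged(velocity_alerts(events, key_index=3)),
    }

if __name__ == "__main__":
    result = compare(EVENTS)
    print("IP-keyed rule flags:    ", sorted(result["ip_keyed"]))
    print("Device-keyed rule flags:", sorted(result["device_keyed"]))
```

The IP-keyed rule cannot separate the four legitimate subscribers from the four accounts touched by dev-x9, so all eight are flagged; the device-keyed rule flags only the four accounts that one device actually touched.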
Drilling down on the challenge scenario will help illustrate mobile apps’ potential. Challenges are typically a weak link in the authentication and fraud-prevention chain. Answers to challenge questions may be researched or phished from the victim. Text message-based passcodes are subject to a number of exploits that get the one-time code into the hands of the fraudster. Even calls directly to the customer can be routed to the fraudster, who is often able to successfully impersonate the victim.
Mobile is a game changer here in that it brings to bear new means for addressing challenges, or even pushing them behind the scenes. One of these is voice biometrics. Built into mobile apps, voice biometrics will allow for a much stronger challenge and can be set up to ensure that a recording would not pass, even if the fraudster were able to record the genuine user.
In the context of voice-command functionality that is being increasingly brought into apps (Siri-like functionality is on deck for apps in a number of areas), the voice-biometric technology can be completely behind the scenes. Even without voice commands, voice biometrics can replace typically weak challenges with something much stronger and more convenient that can be done completely within the app. And this is but one example of many layers and modules that can be brought to bear.
In summary, mobile apps undermine conventional online controls against fraud but open up several much stronger controls – although they are dependent on a deep understanding of mobile and fraud. With the proper security built in, mobile apps can be the most secure channel, as a device can be directly tied to a history of safe usage, and apps can provide more effective means of bridging to new devices. Without these controls, mobile will become the weakest channel as more capabilities are added to it for fraudsters to exploit. The difference between the two lies in pursuing a mobile-centric approach to security and fraud prevention versus treating it as a one-off from online.