In a previous post, we talked about what user authentication looks like in today’s world. This involves methods that aim to limit access so the person who gains access to an account isn’t a malicious person looking to commit fraud. This involves things that can be done on the individual user’s end.

We also discussed the people committing fraud and their intentions.

What about the business side? What are businesses doing to stop fraud? What tools are they using? Does it make a difference where the fraud comes from (mobile devices/desktop)?

Consider this: You want to buy something from an app on your phone. You previously opened an account on this app and stored your credit card in it for future purchases. How does a business decide whether you are a real customer or a fraudster that hacked into your account?

In this post, we’ll discuss some of the common methods businesses use to detect mobile fraud.

Device Identification

One way companies can detect fraud is through identifying the mobile device. This is called device fingerprinting. The idea behind this is collecting as much data as possible from the device to inform a decision.

This is the most common method of detecting fraud on computers. It uses a set of system configurations to identify a device. Identifying a computer is as simple as determining a unique IP address linked to a location. In theory, mobile devices can operate the same way.

Unfortunately, mobile devices have a lot of limitations in terms of what kind of data they collect, and IP address identification doesn’t always work on these devices. For example, mobile devices don’t have Flash cookies. The lack of data can make them hard to identify. IP addresses are also hard to nail down on mobile devices because it is common for users to move between networks.

On mobile devices, device fingerprinting can be ineffective and lead to a high number of false positives, meaning a regular, “safe” user is flagged as a fraudster. So fraud detection involves a huge risk, as declined customers often don’t return. This translates into lost business.

Companies are also taking steps to make identification more difficult amid growing concerns from users about how their information is used. Specifically, the Apple operating system makes identifying devices difficult in an effort to protect its customers’ privacy. Apple banned apps that use the Unique Device ID (UDID) to keep track of customers.

With few ways to identify devices, each one looks exactly the same to companies, making detecting fraud difficult.
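
The effect described above can be measured. The following is an added example, not code from the original post: it hashes whatever attributes a device exposes and reports how many devices in a population end up with a fingerprint nobody else shares. The attribute names and both populations are constructed for illustration.

```python
import hashlib
import json
from collections import Counter

def fingerprint(attrs: dict) -> str:
    """Stable hash over the attributes the device exposed (missing ones are skipped)."""
    present = {k: v for k, v in attrs.items() if v is not None}
    canonical = json.dumps(present, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def unique_fraction(devices: list) -> float:
    """Share of devices whose fingerprint no other device in the population has."""
    prints = [fingerprint(d) for d in devices]
    counts = Counter(prints)
    return sum(1 for p in prints if counts[p] == 1) / len(devices)

# Constructed population: desktops expose many configuration details.
DESKTOPS = [
    {"os": "Windows 10", "screen": "1920x1080", "tz": "UTC-5", "fonts": "set-a", "plugins": "flash,pdf"},
    {"os": "Windows 10", "screen": "1920x1080", "tz": "UTC-5", "fonts": "set-b", "plugins": "flash"},
    {"os": "OS X 10.11", "screen": "2560x1600", "tz": "UTC-8", "fonts": "set-c", "plugins": "pdf"},
    {"os": "Windows 7", "screen": "1366x768", "tz": "UTC+1", "fonts": "set-a", "plugins": "flash,pdf"},
]

# Constructed population: phones of the same model expose little, and no plugins.
PHONES = [
    {"os": "iOS 9.1", "screen": "750x1334", "tz": "UTC-5", "fonts": None, "plugins": None},
    {"os": "iOS 9.1", "screen": "750x1334", "tz": "UTC-5", "fonts": None, "plugins": None},
    {"os": "iOS 9.1", "screen": "750x1334", "tz": "UTC-5", "fonts": None, "plugins": None},
    {"os": "iOS 9.1", "screen": "1242x2208", "tz": "UTC-5", "fonts": None, "plugins": None},
]

if __name__ == "__main__":
    print("desktops uniquely identified:", unique_fraction(DESKTOPS))
    print("phones uniquely identified:  ", unique_fraction(PHONES))
```

A fingerprint shared by several devices cannot tell a returning customer from anyone else with the same phone model, which is why it is weak as a sole fraud signal on mobile.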

Geolocation

This method uses the location of a device to detect fraud. Geolocation can be done two ways, either through the device itself by GPS location or through APIs provided by mobile network operators.

Many smartphone users opt into GPS location on their own. There are specific apps devoted to this. For example, with Foursquare, users can share their location with their friends. Even social networking sites like Facebook and Twitter now allow users to display their location.

This location data can be critical to detecting fraud. For example, if an IP address shows the device is located in Europe, but the GPS says the device is in the United States, chances are something fishy is going on.

The problem with geolocation is either the user has to agree to use a GPS, or the mobile network has to provide an API. With growing concern about privacy, people are becoming more wary of allowing their location to be known.

This method also has the potential to result in a high rate of false positives. This is the risk involved with many detection methods, as whether a user is “bad” or “good” is reduced to a single data point—location.
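
The IP-versus-GPS comparison described in this section, as an added example that is not part of the original post. It treats a missing GPS fix (no user consent) as neutral, discounts the coarse accuracy of IP geolocation, and combines the result with a second signal so that location alone never declines a customer. The thresholds, the `device_recognized` flag and the sample coordinates are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

Coord = Tuple[float, float]  # (latitude, longitude) in degrees
EARTH_RADIUS_KM = 6371.0

def haversine_km(a: Coord, b: Coord) -> float:
    """Great-circle distance between two coordinates."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

@dataclass
class GeoSignal:
    status: str                    # "consistent", "mismatch" or "unavailable"
    distance_km: Optional[float]
    risk: float                    # 0.0 to 1.0

def geo_signal(ip_loc: Optional[Coord], ip_accuracy_km: float,
               gps_loc: Optional[Coord], far_km: float = 2000.0) -> GeoSignal:
    # No GPS consent or no IP lookup result: missing data is not evidence of fraud.
    if ip_loc is None or gps_loc is None:
        return GeoSignal("unavailable", None, 0.0)
    d = haversine_km(ip_loc, gps_loc)
    # IP geolocation is coarse (carrier gateways, roaming), so only the distance
    # beyond its accuracy radius counts toward risk.
    excess = d - ip_accuracy_km
    if excess <= 0:
        return GeoSignal("consistent", d, 0.0)
    return GeoSignal("mismatch", d, min(1.0, excess / far_km))

def next_step(geo: GeoSignal, device_recognized: bool) -> str:
    """Combine location with a second signal instead of declining on location alone."""
    if geo.risk >= 0.8 and not device_recognized:
        return "manual_review"
    if geo.risk >= 0.8 or (geo.risk > 0 and not device_recognized):
        return "step_up_auth"
    return "allow"

# Constructed sample coordinates
PARIS, NEW_YORK = (48.8566, 2.3522), (40.7128, -74.0060)
CHICAGO, MILWAUKEE = (41.8781, -87.6298), (43.0389, -87.9065)

if __name__ == "__main__":
    for ip, acc, gps, known in [(PARIS, 50, NEW_YORK, False), (PARIS, 50, NEW_YORK, True),
                                (CHICAGO, 500, MILWAUKEE, False), (PARIS, 50, None, False)]:
        g = geo_signal(ip, acc, gps)
        print(g.status, g.distance_km and round(g.distance_km), next_step(g, known))
```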

Fraud Detection and User Friction

Mobile security involves a delicate balance. Businesses need new methods of detecting fraud while providing low friction. This is incredibly important, as almost half of mobile customers quit the checkout process because it took too long, according to Jumio.

The struggle involves coming up with highly secure methods that don’t complicate the checkout process. Also, they need to have low levels of false positives, which frustrate declined users. Throw privacy concerns into the equation and mobile fraud detection can feel like a hopeless battle.

The fraud detection methods of today are not enough. New ways to detect mobile fraud must be developed. Companies must support mobile security by investing in several methods of fraud detection that work together from different angles. Also, a fraud detection plan must constantly be assessed to integrate new changes.

Developing a fraud detection plan involves strategic change. Over 50% of retailers feel they aren’t prepared to deal with fraud increases associated with new payment methods and devices. This creates a hole fraudsters can weasel their way into.

With fraudsters getting increasingly cunning, mobile fraud detection is a race to come up with better methods before the fraudsters win.