Digital identity theft is a year-round issue, but the hectic holiday season is prime time for crooks looking to steal your personal information. And now that smartphones are everywhere, and as their owners start to get a serious case of holiday fever, the opportunities for crooks to defraud consumers are endless.
Jingle bells, jingle bells... fraud all the way
The winter holidays are a wonderful time of the year: people are happy, they hang out with their families and friends, and shop. A lot. Even those who are usually very careful about their spending tend to loosen their purse strings and splurge.
The rise of mobile payments and m-commerce
Payment fraud attempts peak during the holidays: more transactions translate into more opportunities for criminals, who constantly refine their methods to outsmart fraud prevention measures. For example, retail fraud attempts during the 2016 holiday season increased by 31%, while the number of overall transactions only increased by 16%. Overall, in 2016, 1 out of every 97 transactions was a fraudulent attempt, and fraud attempt rates were highest on Christmas Eve (1.6 percent).
Merchants and marketplaces take advantage of the holiday fever and launch promotions that are hard to resist. On November 11th, Alibaba launched its “Singles’ Day” with countless promotions to choose from. The result? A staggering $25 billion in sales, breaking the record for single-day online revenue. This translates into 256,000 transactions per second. And about 90% of transactions were conducted via mobile.
In fact, mobile is the new normal. In 2016, mobile traffic constituted 59% of all sessions, surpassing desktop traffic on global eCommerce websites for the first time. In 2015, over 50% of eCommerce sales in Japan and the UK were conducted via mobile, and the US is predicted to pass the 50% threshold in 2017. According to new benchmark data from the Global Consumer Survey: Consumer Trust and Security Perceptions published by ACI Worldwide and Aite, 17% of U.S. consumers now regularly use their smartphone to make payments, up from 6% in 2014 when the survey was last conducted. The trend is clear - eCommerce enterprises need to be prepared to accommodate mobile users. And while the future looks promising, these companies still have a long way to go to prevent fraud losses from this channel.
Although consumer confidence regarding mobile payments remains high, numbers related to fraud, identity theft, and data breaches show that the security of private information has never been thinner. Companies need to prioritize catering to their mobile users and work on closing the gap between robust security and superior user experience.
A reality check
As online sales continue to rise, confidence rates regarding the security of mobile payments have actually dropped in several countries. The reason for this drop? Increasing reports of new mobile frauds and scams.
The growth of the mobile channel presents a serious challenge when it comes to fraud. Two of the most common forms of fraud on mobile are card-not-present (CNP) fraud and identity theft. According to a WorldPay report, the mobile channel poses significant additional risks, due to low use of 3-D Secure (3DS) as well as vulnerability to malicious apps. According to other research by Javelin Strategy & Research, fraud related to mobile payments will increase 4x by 2018.
Security vs UX: pick one
Current authentication solutions essentially force consumers to choose between security and convenience. For millennials, who comprise most of the mobile transaction user base, a frictionless UX is the key factor in their decision to use a mobile shopping application in the first place. As a result, users either skip necessary authentication steps or abandon the transaction altogether due to the hurdles of step-up authentication. By prioritizing convenience, many mobile payment applications remain vulnerable to fraud.
Continuous Authentication To The Rescue
To prevent payment fraud on mobile, it is not enough to authenticate the user at login. In the era of advanced fraud, automated bots and sophisticated RAT attacks, a binary “yes” or “no” at entry into the app will no longer suffice.
For example, the debit card skimming scheme, which is especially prevalent during the holiday season, involves the use of valid digital information from the card. Simply possessing valid credentials is no longer enough to verify the legitimate user. At the same time, malicious bots and fraudsters using emulators are a serious issue. Losses stemming from automated e-gift card fraud cost retailers nearly $1 billion in 2016, and this number is very likely to increase. The scary thing is that bots and emulators are becoming increasingly sophisticated, and are able to emulate legitimate logins, devices and sessions more convincingly than ever before.
What we need is a solution that continuously authenticates the user throughout the entire session. The previous solution to the problem involved step-up authentication, resulting in increased user friction, frustration and transaction abandonment.
Behavioral biometrics offers continuous authentication that runs in the background of the application, ensuring that the legitimate user’s experience is not interrupted. The user doesn’t need to repeatedly enter passwords or confirmation codes. All the user needs to do is be themselves. By identifying hundreds of unique behavioral traits, such as finger pressure on the screen, the angle at which the device is held, and typing speed, it is possible to know that only the legitimate user has access to the app throughout the entire session, preventing account takeover attempts. It is also possible to distinguish between human and non-human behavior, eliminating the possibility of automated fraud attacks.
The possibility of risk-based authentication is another huge advantage of behavioral biometrics. Security needs differ for each type of action, even within the same session. For example, making a $1 purchase is much less risky than purchasing something worth more than $100. Behavioral biometrics eliminates the need for additional authentication steps even for risky transactions, since it runs continuously throughout the entire session and flags suspicious events.
While user credentials such as passwords, as well as static biometric data such as fingerprints, can be stolen, behavioral biometrics prevents the possibility of digital identity theft altogether, as the data contains no PII.
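The continuous, risk-based check described in the two paragraphs above can be sketched as follows. This is an added example, not code from any behavioral biometrics product; the three traits, the enrolled profile values, the z-score distance, the smoothing factor and the per-amount thresholds are all assumptions chosen for illustration.

```python
from math import sqrt

# Constructed enrolment profile: (mean, std deviation) per behavioural trait.
# Trait names, values and thresholds are assumptions made for this example.
PROFILE = {
    "pressure": (0.55, 0.05),          # normalised finger pressure
    "tilt_deg": (38.0, 4.0),           # angle at which the device is held
    "key_interval_ms": (210.0, 25.0),  # typing speed (gap between keys)
}

def anomaly_score(sample, profile=PROFILE):
    """Root-mean-square z-score of one behaviour sample against the profile."""
    zs = [(sample[k] - mean) / std for k, (mean, std) in profile.items()]
    return sqrt(sum(z * z for z in zs) / len(zs))

def allowed_score(amount_usd):
    """Hypothetical policy: tolerate less deviation as the amount grows."""
    if amount_usd <= 1:
        return 3.0
    return 2.0 if amount_usd <= 100 else 1.2

class Session:
    """Tracks a smoothed score for the whole session, not only the login."""
    def __init__(self, alpha=0.5):
        self.alpha, self.score = alpha, 0.0

    def observe(self, sample):
        # Moving average: one odd gesture is absorbed, a sustained change
        # of behaviour (another person, a script) pushes the score up.
        self.score = (self.alpha * anomaly_score(sample)
                      + (1 - self.alpha) * self.score)

    def decide(self, amount_usd):
        return "allow" if self.score <= allowed_score(amount_usd) else "flag"

def replay(samples, amount_usd):
    """Feed a sequence of samples through a fresh session and decide."""
    session = Session()
    for sample in samples:
        session.observe(sample)
    return session.decide(amount_usd)

# Constructed samples: the enrolled user, a different person, a scripted client.
OWNER = {"pressure": 0.57, "tilt_deg": 36.0, "key_interval_ms": 220.0}
OTHER = {"pressure": 0.65, "tilt_deg": 46.0, "key_interval_ms": 260.0}
SCRIPT = {"pressure": 1.0, "tilt_deg": 0.0, "key_interval_ms": 15.0}
```

Replaying three `OWNER` samples followed by two `OTHER` samples yields "allow" for a $1 purchase and "flag" for a $250 purchase: the same session score is judged against a stricter threshold as the amount at risk grows, with no extra prompt shown to the user.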