As mobile commerce continues to boom, so, too, does m-commerce fraud. For businesses, the solution is to create a multilayered defense.
When we talk about e-commerce, often what we're really talking about is m-commerce, because it's growing to dominate the e-commerce landscape. The global value of mobile commerce is expected to reach $3.56 billion by 2021. At that point, the mobile channel will account for nearly 73% of all e-commerce.
Consumers love m-commerce because it's convenient. That preference can drive sales and revenue growth for merchants. But m-commerce presents some unique fraud and security risks that can't be mitigated by a one-size-fits-all fraud prevention strategy.
Mobile fraud attempts more than doubled from 2018 to 2019 and completed m-commerce fraud costs more on average than e-commerce fraud committed on computers. Fraudsters see m-commerce as a lucrative opportunity, because many merchants haven't adapted their fraud prevention practices for the smaller screen. That means they're not keeping up with the ways that cybercriminals can now exploit the mobile channel.
Here's what merchants need to know to avoid seeing their m-commerce grains eroded by mobile fraud.
How mobile commerce fraud harms merchants
The impacts of fraud on e-commerce merchants are similar regardless of sales channel. The larger problem is that mobile occupies an ever-growing proportion of e-commerce sales, which means that rising m-channel fraud has an outsize impact on sellers.
LexisNexis reported in 2019 that mid/large e-commerce merchants that sell digital goods lose an average of $4.06 for every dollar of fraud to chargeback fees, lost product costs and other expenses. By comparison, similar merchants without m-commerce lost $3.50 per dollar of fraud.
Mobile fraud can create other problems for merchants, including:
Customer loss and brand damage. If your business has a data breach that exposes customer information, customers are likely to not trust the merchant with their information in the future. In addition to abandoning the merchant, customers may speak up about their experience on social media and in reviews. This can dent your brand reputation for a long time.
More false declines. Merchants are in a dire situation where they need to protect every penny of their revenue. Out of that concern, they decline any transaction that might be fraudulent. Unfortunately, you might end up denying a transaction from a legitimate customer and losing their business forever.
- Checkout friction. If you try to filter out fraudulent transactions with added security features, you might reduce the likelihood of fraud but also add friction to the checkout process. This can increase the rate of cart abandonment and cost you sales.
2FA isn't a complete fix for mobile fraud risks
Customer verification is one of the top mobile channel fraud-prevention challenges, so anything that helps is worth exploring. And two-factor authentication (2FA), which requires customers to enter a one-time validation code sent to their phones, can help merchants verify buyers' identities before approving their orders.
Because it adds another layer of security, 2FA has been promoted as an easy way to secure many kinds of accounts and transactions. Organizations that don't implement it may face bad press in the wake of a breach or fraud. For example, when a Deloitte breach in September 2017 exposed clients' emails, including those of U.S. large enterprises and government agencies, security experts were quick to point out that the account that led to the breach was not secured by two-factor authentication. Attackers had exploited a single password to gain access to Deloitte's email system through an administrator account. Many professionals argued that two-factor authentication could have prevented the breach.
However, 2FA is not a one-step security solution. Variations among 2FA regulations in different markets can make it difficult to authenticate cross-border customers, in turn creating a poor customer experience. That's a serious potential problem in an economy where cross-border m-commerce volume increased by 43% from 2018 to 2019.
And time and again, breaches and fraud schemes highlight the reality that basic 2FA tools like SMS-based one-time passwords and knowledge-based questions can be evaded through simple phishing attacks and social engineering. Some criminals also use SIM swaps and malware attacks to thwart 2FA and take over accounts.
SIM swap attacks present an opportunity for account takeover. In this kind of attack, fraudsters hijack a victim's phone number by getting it transferred to a SIM card they control. This way they gain access to the victim's email address. In one instance, this led a victim to lose their life savings.
Once fraudsters have access to the victim's phone number, they can break into their social media accounts, which are often linked to payment services and retail accounts. SIM swapping also allows cybercriminals to hijack SMS two-factor authentication messages and change passwords for email, banking and shopping accounts. E-commerce merchants might not realize they're being defrauded because the account still maps to a loyal customer.
One way to avoid this gap in 2FA is to replace SMS-based codes with one-time codes generated on an authentication app on the user's device. Because these codes aren't sent over the mobile network, they can't be intercepted by a SIM swap hijacker. However, it appears that criminals have found a workaround for this 2FA measure, too.
In February, cybersecurity researchers announced the discovery of Android malware that could exploit a vulnerability in Google Authenticator, a popular 2FA app for Android. The researchers uncovered a new variety of the Cerberus banking trojan that can allow attackers to remotely access a customer's online banking account and then take a screenshot of the generated Authenticator 2FA code, bypassing security.
The researchers said that although this variant of Cerberus is designed to attack bank accounts, it could easily be adapted to hijack other types of authentication-based 2FA-protected accounts. It's perhaps the most recent example of how 2FA can't provide total security for consumers and e-commerce merchants.
At the same time, the additional step 2FA requires users to take to authenticate themselves can drive them toward frustration. The need to balance fraud protection and customer experience can leave e-commerce merchants with little room to strike a balance between transactional security and customer experience.
Creating a multilayered defense against mobile fraud
There's no one-step fix for mobile commerce fraud, but there are steps you can take to reduce your fraud risk while keeping good customers happy.
- Require customers to choose strong passwords for their online shopping accounts. Encourage them to use password managers so they can use unique passwords across all online accounts.
- Consider offering two-factor authentication that sends codes to an authenticator app as one layer among many in your security program.
If you implement 2FA, carefully monitor your conversion and cart abandonment rates to see if you need to change course.
- Encourage customers to opt in to receive real-time alerts whenever their password is changed or when they make an unusually large purchase.
- Manually review flagged transactions instead of automatically denying them. This can help you reduce false declines and identify compromised accounts.
- Educate your customers on how to identify secure websites before they enter sensitive data, like checking that the website name begins with HTTPs or has the lock symbol.
- Respond quickly to customers' fraud grievances. You might set up a dedicated email address or phone number where customers can report fraud.
- Create a multilayered fraud defense system with a combination of skilled analysts and deep learning algorithms that scan every transaction to identify and prevent false declines.
- Detect potential SIM swapping incidents by using mobile-specific screening measures to compare geolocation, device and behavioral biometric history to the current mobile specifics.
You can also use machine learning and knowledge about fraudster behavior to analyze batches of orders for patterns that indicate potential fraud. For example, fraudsters often use the same shipping address for many hijacked accounts and set up fake email addresses on the same domain names. If you spot such a pattern across customer accounts, it's time to investigate potential fraud.
Clearly, there's no quick fix or single solution for the growing challenge of mobile commerce fraud. But by understanding the signs of potential fraud, screening all transactions, communicating with your customers, and creating a layered system of fraud defenses, you can safeguard your business, grow your m-commerce revenue, and offer the convenient experience your loyal mobile customers want.