In an earlier post, I discussed vulnerabilities associated with mobile devices that drive up fraud risk for banking and payments made through these devices. These range from malicious apps, to network security issues, to targeted man-in-the-middle attacks. So, what can be done to counteract these vulnerabilities?
One option is to look to fraud detection residing on the mobile itself. You could monitor phone behavior patterns—in terms of calls made, time/day of week patterns, apps accessed, and browser behavior—to determine whether there is a change in usage patterns indicative of someone else using the phone or a malicious app.
However, this would require coordination between all apps so that a single monitoring application could see every usage transaction and check it for misuse. Furthermore, usernames/passwords and sessions could still be captured and compromised in the network.
For better fraud ROI on the mobile device itself, improve virus detection and firewalls to prevent compromise of information, and look to capturing unique and hard-to-reproduce biometric information that could be attached to banking and payment transactions.
A mobile device is an access device to a payment account and channel. Before funds are moved, say from a credit account or a DDA (demand deposit account), the request for payment should be assessed for fraud risk. This is similar to when a payment is made via online banking or an online card-not-present credit card transaction. Here, the transaction is marked as from an online channel, and fraud risk is computed based on this transaction and the history of transactions made on the account. Monitoring would include day/time patterns, typical transaction amounts, common merchants or destination accounts for P2P payments, etc.
In addition, there would be value in capturing the mobile device ID (IMEI), browser/operating system details, and the above-mentioned biometric information. Monitoring at the payment account is essential given that malicious apps may take over the device, or the payment details may be compromised and changed in flight through man-in-the-middle attacks.
The final piece of a solution is recognition that mobile banking/payments are evolving, and their acceptance as legitimate payment and banking media is starting to take hold. There will be various changes in the services and apps marketed to the users of mobile devices, and to the security defenses attached to phones.
As a result, hard-to-change rule sets or static analytic models are not recommended because the transaction activity and risk of the mobile channel will evolve constantly over time. More dynamic fraud detection is essential.
In these situations, an adapting analytic technology is best. Quantification of fraud risk should be based on self-calibrating outlier techniques, where what is considered an outlier payment transaction is determined by comparing the transaction both to the specific mobile user's typical behavior/transactional patterns, captured in a transaction profile, and to the segment of customers the mobile user belongs to. These self-calibrating techniques should, in real time, compute the distribution of the fraud feature variables to indicate which features of the mobile device transaction profile are outliers, and by how much, in order to allow a computation of a fraud score.
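As an added example (not code from the original post), the following Python sketch implements the self-calibrating outlier scoring described above: a transaction profile per mobile user and one per peer segment, feature distributions estimated with running mean/variance (a simple stand-in for the quantile estimation a production system would use), and device ID and destination novelty as extra features. The feature names, thresholds, weights and the sample history are all assumptions constructed for illustration.

```python
from collections import defaultdict
from math import sqrt
NUMERIC, CATEGORICAL = ("amount", "hour"), ("device_id", "destination")

class Profile:
    """Running mean/variance per numeric feature (Welford) and the categorical values seen so far."""
    def __init__(self):
        self.n, self.mean, self.m2 = defaultdict(int), defaultdict(float), defaultdict(float)
        self.seen = defaultdict(set)
    def update(self, txn):
        for k in NUMERIC:  # fold one transaction into the running distribution estimate
            self.n[k] += 1
            d = txn[k] - self.mean[k]
            self.mean[k] += d / self.n[k]
            self.m2[k] += d * (txn[k] - self.mean[k])
        for k in CATEGORICAL:
            self.seen[k].add(txn[k])
    def deviation(self, k, x):
        """Standard deviations between x and the profile's typical value; 0 until there is history."""
        if self.n[k] < 2:
            return 0.0
        sd = sqrt(self.m2[k] / (self.n[k] - 1))
        return 0.0 if sd == 0 else abs(x - self.mean[k]) / sd

class FraudScorer:
    """One profile per user and one per peer segment; both learn from every accepted payment."""
    def __init__(self):
        self.users, self.segments = defaultdict(Profile), defaultdict(Profile)
    def learn(self, user, segment, txn):
        self.users[user].update(txn)
        self.segments[segment].update(txn)
    def score(self, user, segment, txn):
        """0-100: each sd beyond 2 from the user's own history scores 10, beyond the segment's 5;
        a device ID or payee never seen for this user adds 15 each (assumed weights)."""
        u, s = self.users[user], self.segments[segment]
        total = 0.0
        for k in NUMERIC:
            total += 10 * max(0.0, u.deviation(k, txn[k]) - 2) + 5 * max(0.0, s.deviation(k, txn[k]) - 2)
        total += 15 * sum(1 for k in CATEGORICAL if u.seen[k] and txn[k] not in u.seen[k])
        return min(100.0, total)

def demo():
    """Constructed history: ten routine daytime purchases from one handset, then a routine payment
    and a suspect one (large, at 3 a.m., new handset, new payee). Returns (routine, suspect) scores."""
    scorer = FraudScorer()
    for amt, hr in [(20, 9), (35, 12), (42, 13), (28, 18), (55, 17), (30, 11), (48, 14), (22, 10), (39, 16), (45, 12)]:
        scorer.learn("alice", "retail", {"amount": amt, "hour": hr, "device_id": "imei-A", "destination": "grocer"})
    routine = {"amount": 40, "hour": 13, "device_id": "imei-A", "destination": "grocer"}
    suspect = {"amount": 900, "hour": 3, "device_id": "imei-B", "destination": "new-payee"}
    return scorer.score("alice", "retail", routine), scorer.score("alice", "retail", suspect)
```

Because the profiles keep learning from accepted payments, the thresholds re-calibrate as a user's or segment's behavior drifts, which is the property the post asks for instead of static rule sets.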