This article was published on March 9, 2015

Securing mobile transactions: How to stop e-commerce fraud before it happens



Online banking, mobile banking and mobile payments have grown sporadically over the last decade. The mobile wallet started in 2000 with the introduction of Smart Money in the Philippines, the world’s first electronic cash card linked to a mobile phone. Since then, mobile payment services have proliferated in a number of emerging markets, such as Kenya and Pakistan.

Innovations in developed markets are gathering pace. This is propelled by near field communication (NFC)-enabled smartphones, the growing usage of mobile wallets and hardware- and app-based innovations, like Square and PayPal. With new developments in this space, the value and volume of mobile payments transactions are expected to increase globally, with non-banks accounting for a rising share.

Apple Pay, with its partnership with Visa, Mastercard and American Express, is a non-bank that allows iPhone, iPad and Apple Watch users to pay in store with a single tap of their device. Samsung has recently followed suit with its own Pay system for the Galaxy S6.


Several analysts have estimated that by 2017, the mobile payments industry will be worth $1 trillion. Forrester predicts that by 2019, mobile-based payments in the US will reach $142 billion in volume, a steep increase from the current $50 billion.

Another factor to consider with digital transactions is the rise of Bitcoin, a virtual currency established to enable quick and cheap online payments without the need for traditional banking channels. Bitcoin gained traction when its price increased from $20.41 in January 2013 to a whopping $1124.76 in November 2013.

Although it has not reached mass acceptance – with 76 percent of respondents in a US survey conducted in January 2014 saying that they are not familiar with Bitcoin – it is still used by a growing number of businesses.

The rise in e-commerce, mobile banking and payments as well as new digital currencies like Bitcoin has increased the need for security and securing transactions. Outlined below are the points in a user’s transaction journey where an account can be susceptible to fraud.

Downloading of a banking or payment app

It is important to confirm the user’s identity when they download a banking or payment app to their phone. If the app is installed on a device that is not owned by the user, then security is immediately compromised.

Resetting of account passwords

According to Ping Identity, 40 percent of internet users have been victimized by stolen passwords. It is therefore important to keep the process for resetting account passwords secure to prevent hackers or fraudsters from gaining access into a user’s account with widely known information.

This could result in them locking the user out of his/her own account and making fraudulent transactions. An example of a non-secure process is asking an account recovery question like ‘What is your mother’s maiden name?’ where the answer can be found from a few Google or Facebook searches.

Authenticating transactions

Online shopping

Security measures should be applied at the transaction level. An out-of-band PIN (one delivered over a different channel, or band, of communication) should be used to authenticate transactions.

An example of this is a mobile application that works over the internet (IP channel) requiring a code sent via SMS or phone call (telecom network channel) to be entered before the transaction can go through. By using two different channels, it will be harder for hackers to make false transactions.

Phone number verification is a great way of securing transactions for all of the above use cases. It involves sending a one-time password (OTP) to a user over a communication channel (SMS or voice) separate from the IP channel (internet) used by the application. This provides security in case the IP channel is compromised.

By using SMS, only the owner of that phone number gets access to the password, allowing them to log into the application and verify their identity with a PIN code. For added security, this single-use password can be set to expire within a few minutes to prevent scammers from collecting old PIN codes and using them for fraudulent signups.
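The out-of-band OTP flow described above, as an added example that is not from the article or any vendor's SDK: the code is generated with a CSPRNG, bound to the specific transaction (id, amount, payee), expires after a few minutes, is accepted only once, and is locked after a small number of wrong guesses. The `send_sms` callback and the clock are assumptions standing in for the telecom channel.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example (not from the article): an out-of-band OTP bound to one
# transaction, expiring after a few minutes and usable exactly once.
# The SMS/voice channel is represented by a hypothetical send_sms callback.

OTP_TTL_SECONDS = 180      # "expire within a few minutes"
MAX_ATTEMPTS = 3           # stop online guessing of a 6-digit code


@dataclass
class PendingOtp:
    code: str
    transaction_id: str
    amount: int            # in cents; binding the code to the amount
    payee: str
    issued_at: float
    attempts: int = 0


class OtpService:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # out-of-band channel (telecom network)
        self._clock = clock
        self._pending = {}          # phone number -> PendingOtp

    def issue(self, phone, transaction_id, amount, payee):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        self._pending[phone] = PendingOtp(code, transaction_id, amount, payee, self._clock())
        # The message names what is approved, so a user can spot a tampered transaction
        self._send_sms(phone, f"Code {code} to pay {amount / 100:.2f} to {payee}")

    def verify(self, phone, transaction_id, amount, payee, code):
        """True once for the matching code and transaction; False otherwise."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._clock() - entry.issued_at > OTP_TTL_SECONDS:
            del self._pending[phone]            # an expired code is never usable
            return False
        entry.attempts += 1
        bound = (entry.transaction_id, entry.amount, entry.payee) == (transaction_id, amount, payee)
        ok = bound and hmac.compare_digest(entry.code, code)   # constant-time compare
        if ok or entry.attempts >= MAX_ATTEMPTS:
            del self._pending[phone]            # single use; lock after too many guesses
        return ok
```

A replayed code, a code presented with a changed amount, and a code older than the TTL all fail, which is what prevents collected old PIN codes from being reused.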

This method can be used together with passwords to provide two-factor authentication. Additionally, you can draw further insight into the user based on the number they provide. You can determine whether the number is a mobile, landline or virtual number (e.g. Skype). If the number is a virtual one, the user can be blocked or informed to provide a mobile or landline number.

It can also be detected whether a phone is on/off or roaming so that you can match this with normal user activity levels. Furthermore, the user’s IP location can be gleaned to further verify that the user is genuine before enabling transactions. If the user is signing up for a US service but the number is currently in a different country, there might be something fishy going on.
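The number-type, reachability, roaming and location signals described above, turned into a decision before a transaction is enabled. This is an added example, not from the article and not Nexmo's API: the `NumberInsight` record is a constructed stand-in for whatever a number-insight lookup returns, and the decision tiers are assumptions.

```python
from dataclasses import dataclass

# Added example (not from the article; not a real vendor response format):
# a constructed number-insight record plus a policy over the signals the
# article lists. Decisions: "allow", "step_up" (OTP plus further checks),
# "hold" (cannot deliver an out-of-band code right now) or "block".


@dataclass
class NumberInsight:
    number_type: str        # "mobile", "landline" or "virtual"
    home_country: str       # country the number belongs to
    current_country: str    # country of the network the phone is on now
    reachable: bool         # phone switched on / reachable
    roaming: bool


@dataclass
class Context:
    service_country: str    # country the service is being signed up for
    ip_country: str         # geolocation of the IP channel
    usually_roams: bool     # from the user's normal activity profile


def decide(insight, ctx):
    """Return (decision, reasons) for enabling a transaction."""
    if insight.number_type == "virtual":
        return "block", ["virtual number: ask for a mobile or landline number"]
    if not insight.reachable:
        return "hold", ["phone unreachable: an SMS or voice OTP cannot be delivered"]
    reasons = []
    if insight.roaming and not ctx.usually_roams:
        reasons.append("roaming is unusual for this user")
    if insight.current_country != ctx.service_country:
        reasons.append(f"number is in {insight.current_country}, "
                       f"service is in {ctx.service_country}")
    if ctx.ip_country != insight.current_country:
        reasons.append(f"IP in {ctx.ip_country} but phone network in "
                       f"{insight.current_country}")
    if reasons:
        return "step_up", reasons
    return "allow", reasons
```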

There are also several reasons why phone number verification is a viable method to complement traditional passwords to provide an extra layer of security.

Global availability

Almost every person in the world has at least one phone number. Phone number verification via call or SMS is not reliant on high speed internet, which makes essentially everyone in modern society within reach.

The low barrier to communicating in this manner lets users receive messages (e.g. PIN code) quickly, allowing the user to act in a time-sensitive manner.

Long-lasting numbers

People keep the same number for a long time as it is an important communication channel. It is also possible to keep the same number in some countries when people switch service providers.


Resilience

Phone numbers are relatively expensive and time-consuming to fake. Virtual and ported numbers can be sniffed out using certain APIs like Nexmo’s Number Insight, so faking a number would require either a highly sophisticated hacking process or a tedious manual process.

Affordability

No additional hardware needs to be made available to the user since most people have a basic phone and SIM card. Sending and receiving messages is also inexpensive.

Other aspects to consider in securing transactions are the conversion rate and user experience. People may abandon their carts if the transaction method is too complicated, lengthy or doesn’t seem to work (e.g. user does not receive a code).

Consumers believe there should be a balance between the consumer experience and security in mobile payments. Again, phone verification is a good solution that provides this balance, as the entire process can take only a few seconds.

Securing transactions has become a vital part of today’s digital world. With the security of traditional passwords being compromised by various hack attacks, it is recommended to add an extra layer of security for transactions without compromising the user experience.

A viable method to complement traditional passwords is the implementation of phone number verification as it is globally accessible, hard to fake and relatively inexpensive.
