With the advancement of e-commerce, digital payment technology has experienced significant developments, especially in mobile payments. This has led to a growth of mobile commerce, and fraudsters have taken note, adapting and developing new methods to carry out their crimes. While merchants who sell services and goods via mobile devices should be aware of mobile fraud risks, they should not give up on this method. To protect your mobile customers, you need to be aware of the risks and prevention methods.

Threats to Mobile Wallet Application Users

Phishing attacks: Mobile devices hold customers' personal and corporate information, which attackers seek in order to carry out sophisticated attacks. Phishing emails target the user directly, in an attempt to trick them into disclosing that information.

Social engineering: In social engineering attacks, user data that is available in the public domain is collected by attackers. This information is monetized or sold on underground market forums, or used for fraudulent payments. Sometimes attackers use this stolen information to impersonate the victim.

Unintentional installation of rogue and malware applications: Attackers install malware via malicious attachments, by redirecting the user to a malicious URL, through insecure Wi-Fi hotspots, network spoofing attacks, fake access points with the same network name, fake websites, etc. The harvested user information is then used for mobile wallet payments.

Mobile operating system access permissions: Users grant certain permissions to applications at the OS level; attackers can abuse these permissions to access sensitive data and harm the mobile application.

Leading types of mobile fraud
The following are a few types of fraud that merchants must be aware of:

Identity theft – Identity fraud is when fraudsters intercept sensitive data that is not properly protected and use this identity to make online or card-not-present purchases. In the case of mobile wallets, fraudsters physically steal mobile devices and use them to make unauthorized purchases.  
Loyalty fraud – This can happen when fraudsters intercept loyalty programs or members’ accounts for theft and transfer of points. There are also cases in which points are sold and transferred to others for monetary gain.
Friendly fraud – This occurs when legitimate orders are disputed by the consumer, requiring merchants to refund payments (chargebacks). This form of fraud can be unintentional, with the consumer forgetting they placed the order, or one family member using another’s payment card without permission. There are also cases where this is intentional fraud, with fraudsters placing orders and then claiming they never received the goods, enjoying both a refund and the purchased goods.

Best practices for e-commerce retailers to implement in their fight against mobile fraud

Distinguish between e-commerce and m-commerce – While the end result may be identical, it is important to understand the scope of fraud from each channel and effectively allocate resources to circumvent the different types of fraud. Review fraudulent attempts and successes, and distinguish between the fraud origin, to implement security programs that offer the best coverage.

Implement PCI DSS Level 1 security standards – The Payment Card Industry Data Security Standard, or PCI DSS, is a set of standards ensuring the adoption of best practices and security methods to safeguard sensitive information of payment cards. It is a requirement for all merchants that take credit cards, and the levels of security are dictated by the volume of transactions performed. Level 1 offers the highest protection. Mobile retailers can implement payment methods via a certified PSP and enjoy Level 1 coverage for their transactions, decreasing their susceptibility to fraud. These payment service providers also provide risk management services and regularly analyze blacklists for increased protection.

Use multi-factor authentication – Mobile devices are perfectly suited for multi-factor authentication, whether that’s biometric authentication, fingerprints or even mobile sensor-powered authentication methods. Additional methods of authentication are identification questions and PIN codes. By combining authentication methods, the chances of successful identity fraud decrease. Consumers are more than willing to use these methods that serve to protect their secure data, with 78 per cent willing to enter their CVV code, and 70 per cent willing to answer an identification question.

Track customer behaviour and set velocity limits – Variances in customer behaviour can signify account takeover. Retailers should use tools to track the purchasing behaviour of specific customers and reach out directly to the customer for verification when purchases exceed their predefined limits.

Mobile retailers that implement seamless and secure payment solutions offer their customers a better user experience. The safer customers feel, the more likely they are to adopt and increase their mobile commerce activity.

As technologies constantly evolve, merchants must stay up to date on both the new and different types of fraud and the new security technologies available to them.
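The velocity limits and behaviour tracking described above, as an added example in Python (not code from the original article). The per-customer limits, the transaction stream and the customer id `c-1001` are constructed sample data; a flagged transaction is held for verification with the customer and does not extend the customer's trusted device and country baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Predefined per-customer limits (constructed sample values).
LIMITS = {
    "c-1001": {"max_txns_per_hour": 3, "max_amount_per_day": 500.0},
}

# Constructed sample stream, in time order: (customer, timestamp, amount, country, device).
SAMPLE_TXNS = [
    ("c-1001", "2024-03-01T09:00:00", 40.0, "GB", "dev-A"),
    ("c-1001", "2024-03-01T09:10:00", 60.0, "GB", "dev-A"),
    ("c-1001", "2024-03-01T09:20:00", 55.0, "GB", "dev-A"),
    ("c-1001", "2024-03-01T09:25:00", 200.0, "GB", "dev-A"),  # 4th txn within an hour
    ("c-1001", "2024-03-01T14:00:00", 300.0, "RO", "dev-B"),  # new device and country
]


def check_velocity(txns, limits):
    """Return [(txn_index, reasons)] for transactions that exceed the customer's
    velocity limits or deviate from the devices/countries of their unflagged history."""
    history = defaultdict(list)        # customer -> [(timestamp, amount)]
    known_countries = defaultdict(set)
    known_devices = defaultdict(set)
    alerts = []
    for i, (cust, ts_str, amount, country, device) in enumerate(txns):
        ts = datetime.fromisoformat(ts_str)
        reasons = []
        lim = limits.get(cust)
        if lim:
            last_hour = [a for t, a in history[cust] if ts - t < timedelta(hours=1)]
            if len(last_hour) + 1 > lim["max_txns_per_hour"]:
                reasons.append("txn count per hour exceeded")
            last_day = sum(a for t, a in history[cust] if ts - t < timedelta(days=1))
            if last_day + amount > lim["max_amount_per_day"]:
                reasons.append("amount per day exceeded")
        if known_countries[cust] and country not in known_countries[cust]:
            reasons.append("new country")
        if known_devices[cust] and device not in known_devices[cust]:
            reasons.append("new device")
        history[cust].append((ts, amount))   # every attempt counts toward velocity
        if reasons:
            alerts.append((i, reasons))      # hold and verify with the customer
        else:
            known_countries[cust].add(country)   # only unflagged txns extend the baseline
            known_devices[cust].add(device)
    return alerts


if __name__ == "__main__":
    for idx, why in check_velocity(SAMPLE_TXNS, LIMITS):
        print(f"txn {idx} flagged: {', '.join(why)}")
```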

Possible Security Measures of Payment Service Provider

Secure-by-default design.
Vulnerability testing.
Patching of POI terminal (card machine) hardware and software, and fixing software vulnerabilities in the POI.
POI terminals and payment gateways hosted at the payment service provider.
Enforce secure point-to-point connections between merchant POS and PSP, and between PSP and acquirers.

Security Measures of Mobile Payment Application Provider

Enforce information security policies and processes requiring identification and remediation of vulnerabilities in servers and applications.
Deploy malware detection and prevention measures.
Enforce 2FA for internal users' access to critical servers, such as digital wallet services where cardholder data and user profile information are stored.
Enforce user entitlements and minimum privileges.
Deploy fraud detection and prevention for high-risk functions such as change of account profile, credit card enrolment and payment transactions.
Deploy anti-DoS measures for critical servers hosted in data centres and in the cloud.