Circumventing Mobile Fraud Protections

With many payment channels, bad actors seek to take advantage of vulnerabilities to secure goods or funds at little to no cost to them; the same holds true for mobile payment applications. With each merchant mobile app implementation, different combinations and permutations of entry points for fraudsters arise, and in my experience, it’s the combination of these entry points that allow fraudsters to have the highest impact on a business’ bottom line, resulting from an increase in the costs and time of resources forced to manage and mitigate the activity, as well as the loss of revenue from the stolen goods. The following details some of the more common vulnerabilities of mobile implementations that allow fraudsters to circumvent traditional protections.

Download Instances

Individually tagged, disparate download instances are a vulnerability specific to mobile applications, because it must be intuitive for a user to download and redownload an application with ease if the app is to survive. Unfortunately, fraudsters will use this same capability to circumvent policies put in place by deleting and redownloading an app to a mobile device.  Since the app is newly downloaded, there is often a new identifier assigned to the consumer or device – if a fraudster is blocked from transacting based on suspect behavior, they often will delete and redownload the app to, in effect, clean their slate. . Once merchants recognize this scheme and implement fraud protections, fraudsters often still circumvent merchant efforts by keeping a local copy of an earlier app version and putting that app version on their device. This is a viable option for fraud because merchants must allow viability of older app versions too allow time for legitimate consumers to update their apps.

Dummy Emails

Many merchants require consumers to create profiles and make purchases through their mobile apps. However, since it is just as easy to enter false credentials as it is to enter genuine credentials, fraudsters use online services to create hundreds of dummy email accounts. Dummy emails function in the same way as the previously explained vulnerability regarding download instances; they give fraudsters a clean slate. With a new email comes a renewed opportunity to make fraudulent purchases. By creating infinite amounts of dummy emails, fraudsters isolate specific behavior patterns to specific accounts, making it almost impossible for IT systems to link the behavior from one seemingly fraudulent account to another with 100% certainty.

Multiple Devices

Most consumers have only one mobile device on which they shop, maybe two, and rarely three; but fraudsters have myriad devices they use to make fraudulent purchases. Fraudsters purchase cheap devices, use them until the devices are locked out of the merchant system, then simply purchase another device. Though the iPhone is the go-to choice for typical consumers, Android devices are much preferred by fraudsters due to the range of low-cost devices. Fraudsters often purchase multiple devices for less than $50 a device and can even load the same credentials onto the different devices, making it look like different consumers are purchasing concurrently, even though it is only one bad actor. Large numbers of devices provide a higher degree of flexibility to fraudsters, giving them increased opportunities to start over once they’ve been identified.

All three of the discussed vulnerabilities work to achieve the same result- a fresh start for the latest fraudulent account. Clean slates allow fraudsters to continue their pattern of behavior and create difficulties for merchants that are trying to separate valid, new participating customers from the latest pack of fraudulent accounts. Since fraudulent behavior can sometimes look like good behavior from legitimate customers, fraud management is often a reactive instead of a proactive operation. The balancing act of ensuring that you are blocking fraudsters while allowing activity by good customers (regardless of their anomalous purchasing habits) can be more difficult than it would seem at first glance.

The vulnerabilities outlined above are only a sample of the tactics deployed by fraudsters to infiltrate mobile apps. Taking into consideration these vulnerabilities and the vulnerabilities unique to a company’s purchasing experience, organizations can avoid the potentially multi-million-dollar exposure perpetrated by fraudsters using strategic decision making based on careful analysis, first-hand industry knowledge, and experiential insight.

For further discussion around mobile fraud protections, contact Mason Zurovchak at mzurovchak@wcapra.com.