A Big Threat in Small Devices: Fraudsters Flock to Mobile

In their eagerness to use mobile devices to attract new business, many merchants are inadvertently creating new openings for credit and debit card fraud.

Fraudsters have noticed.

Many hackers now favor the mobile versions of e-commerce sites, which have fewer protections than desktop sites, data-security experts said in a panel discussion last week at the Cartes in North America conference, a business event designed to promote smart technologies in various global markets.

One of the biggest new categories of fraud tracked by ThreatMetrix Inc. was that originating "not from a mobile device, but from fraudsters spoofing a mobile device from a real computer," said Peter Liske, vice president of product management at ThreatMetrix, in a presentation.

"Fraudsters have found a way around the protections through the mobile channels using other tools."

The problem stems from merchants that value speed to market over security when they create mobile versions of their e-commerce sites.

"A lot of merchants are not doing all the usual fraud screenings they do for general e-commerce and they're creating brand-new opportunities for fraudsters," he said.
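The two points made above (a desktop browser presenting itself as a phone, and merchants skipping their usual fraud rules on the mobile channel) can be shown side by side in a small screening routine. This is an added illustration, not code from the article or from any vendor it names; the order fields, the client-side signals (viewport width, touch points) and the thresholds are assumptions constructed for the example.

```python
"""Channel-independent fraud screening with a device-consistency check.

Added example (not from the article or any vendor named in it). The order
records, signal names and thresholds below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Crude user-agent test standing in for whatever routes traffic to the mobile site.
MOBILE_UA = re.compile(r"(iPhone|Android|Mobile)", re.IGNORECASE)

@dataclass
class Order:
    order_id: str
    user_agent: str
    viewport_width: int   # reported by a client-side script (assumed signal)
    touch_points: int     # navigator.maxTouchPoints as reported (assumed signal)
    amount: float
    ship_country: str
    bill_country: str

def claimed_channel(order):
    return "mobile" if MOBILE_UA.search(order.user_agent) else "desktop"

def device_inconsistent(order):
    """True when the user agent claims a phone but the client signals look like a desktop."""
    if claimed_channel(order) != "mobile":
        return False
    return order.viewport_width >= 1024 or order.touch_points == 0

def base_risk_rules(order):
    reasons = []
    if order.ship_country != order.bill_country:
        reasons.append("country_mismatch")
    if order.amount >= 500:
        reasons.append("high_amount")
    return reasons

def screen_weak(order):
    """The pattern the panel warned about: full rules run only on the desktop channel."""
    return base_risk_rules(order) if claimed_channel(order) == "desktop" else []

def screen(order):
    """Same rules on every channel, plus the spoofing signal as an extra reason."""
    reasons = base_risk_rules(order)
    if device_inconsistent(order):
        reasons.append("device_spoof_suspected")
    return reasons

# Constructed samples: a desktop browser presenting a phone user agent, and a genuine phone.
SPOOFED = Order("o-1", "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)", 1920, 0, 780.0, "BR", "US")
GENUINE = Order("o-2", "Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X)", 390, 5, 45.0, "US", "US")
```

With the weak routing, the spoofed order passes untouched; with channel-independent screening it is flagged on three counts while the genuine phone order passes.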

This is a growing problem for merchants, said Walt Conway, a security consultant with San Francisco-based 403 Labs LLC, in a presentation.

"Clearly mobile is taking off and the retail industry is just going with it, but there are no standards," he said.

The PCI Security Standards Council, which manages the PCI Data Security Standard (PCI DSS), "is still studying it, but there is not a lot of guidance on what is a secure application," Conway said.

"We don't know what all these devices are doing, storing data or how things are being transmitted."

Indeed, as more companies build out their mobile offerings, more security vulnerabilities are being reported. Google Inc., for example, recently had to fix a flaw in its Google Wallet payment system that could allow someone access to the funds stored in the digital wallet by deleting the user's PIN.

Merchants tend to underestimate the various ways in which card and payment data is exposed through e-commerce and mobile sites, Conway said.

"Merchants are often the last ones to know all the places they are storing cardholder data," he said. "Even if they are PCI-compliant, most merchants would be unpleasantly surprised to see the many ways their systems are storing data without their realizing it."

While e-commerce is growing by about 20% annually, and more transactions are moving daily to mobile devices, most companies are not planning to boost transaction-reviewing budgets accordingly, Carl Tucker, principal of managed risk at CyberSource Corp., said in a presentation.

Electronics merchants tend to review about 27% of all online transactions to screen for fraud, while apparel merchants review about 9% of all online transactions, Tucker said. Many merchants review "about six to 100 orders per day," he said.

To improve the effectiveness of screening for fraud, merchants should consider letting information technology departments get more involved, Liske said.

"I see a trend where fraud-screening is moving to IT and engineering, to enhance development of prescreening tools and also to speed things up," he said. With IT in control, "you're not tying up [customer service] people making calls to verify transactions."

Reducing fraud and charge-backs by even 1% "can be a very effective way to boost merchants' overall revenue," Tucker said. "It's worth it."

Although fraud is rising in e-commerce and mobile channels, overall global transaction fraud levels are not significantly higher, Tucker said.

"As systems improve, we'll continue to see lower amounts of fraud perpetrated in North America, but at the same time I'm expecting to see fraud coming from zones like Brazil, Central America and Southeast Asia to rise," Tucker said.

Fraud "is always evolving," and merchants must find ways to use their budgets more efficiently to combat it, Tucker said.

This article originally appeared on the American Banker website.
