If you’ve ever published a mobile app, you know that unique coding constraints add a level of complexity to the development process. And when it comes to coding for mobile payments, things get a little more complicated.
One of the most careful considerations app developers have to make when coding mobile payments, is balancing UX with solid security protocols that will protect both the user & merchant. If the UX is complicated, you will lose customers. But without some security friction, can you really trust any user?
To find out who is on the mobile end of the internet connection, merchants typically leverage push notifications or a location request from their application. This works reasonably well for some mobile applications. For instance, a Google Maps or Waze user will understand why he/she should enable location services. But if a 3rd party goods merchant begins asking a user to provide their location, the user could see this as an unnecessary intrusion of privacy and may prompt a “do not allow” action on the device. Plus, do you really want a first-time user to be bombarded with permission requests?
For most payment app developers, silently gathering the information needed to help secure payments is considered to be the best approach. So what security and device detection protocols should you leverage to monitor for fraud behind the scenes? Let’s take a look at the top five.
1. Device fingerprinting
Gathering relevant data about the device initiating a transaction can help inform the particular fraud risk at play. Device fingerprinting uniquely identifies a device each time it visits, and can identify whether this particular device has initiated other transactions or payment authorization requests from the app. Tracking how many requests have been made and where can help reveal suspicious oddities in behavior. Device fingerprinting can also provide other valuable details that developers like to see such as operating system statistics, device carrier and hardware versions.
2. Application integrity
Similar to device fingerprinting, checking the application integrity verifies if the authorization request is coming from the official app or a counterfeit app. Integrity checks also gather information about OS vulnerabilities & malicious apps/software on the device. If the device being used to make a request has an old OS that has never been updated, the out-of-date security protocols may make the device, and hence the transaction, more vulnerable to fraud. Checking application integrity can help reduce this vulnerability.
3. Device geolocation
Knowing the general location of an authorization request can help identify fraudulent transactions, especially if the information provided by the user says something vastly different. Billing address and home address in Los Angeles, California but device geolocation points to an internet café in South America? Sounds like we might want to prompt for some more information on this one. Unfortunately determining a mobile device’s true location is a bit more complicated than simply tracking the IP address for an eCommerce transaction. Many mobile devices now carry an internal GPS chip, however even if you don’t prompt the user to enable location services, it’s still possible to get a general location from the network connection in use, the cell provider, the ISP, and cell tower activity. Asking for location and determining the precise location isn’t necessary to spot a fraud scammer ordering goods from South America, but shipping them to Los Angeles. Strong Device SDKs can be your friend here.
4. Remote access and true connection detection
Determining whether a device has been potentially tampered with is also an important aspect of securing mobile payments, and the APIs that merchants create to support those applications. A compromised phone or PC could easily become a threat in the form of a malicious bot ready to submit orders to your system, or even as a man-in-the-middle attack, intercepting and manipulating where your customers’ payment information is going. Similar to device integrity checks, remote access detection for mobile and PCs can shine a bright light into these dark threats. For connections, VPN or TOR network detection can help determine if a device is being made to appear as though it is coming from somewhere else, similar to typical IP proxy technologies. Since device geolocation can identify that scammer in South America sending goods to Los Angeles, a more thorough fraudster might employ a proxy server to make the phone appear to be in Los Angeles to avoid suspicion. Good VPN detection tools can be used to eliminate that risk.
5. Large digital identity network
And finally, the success of any of these solutions depends on a large network of data to score against. The average merchant on their own doesn’t have the transaction volume or capabilities to score global fraud risks. A merchant may check the IP address and think it looks legitimate without the benefit of data revealing the frequency of a fraudster’s transactions that that device has made that same day. A large database will have data points for billions of mobile payments, segmented by use case and context. And, most importantly, it should adapt to new fraud trends as fraudsters continue to evolve their craft and find new vulnerabilities. Leveraging these new massive systems is a no-brainer when coding for mobile payments.
Ultimately you could source software of some sort for each of these measures to secure your app. But investing in an existing dynamic decision platform provider instead is significantly more economical and provides the advantages of a larger fraud database as discussed above. The proverbial “two birds with one stone” could be expanded to “an entire flock with one SDK” in this instance. At Vantiv, we take fraud very seriously and have the tools and technology to help our developer partners and their clients avoid being targeted and exploited by fraudsters during mobile payments.