The Device Deception: Top Tips for Payment Processors

Posted June 21, 2018


Online and mobile payment fraud targeting the payment processing industry is hitting new records. Thanks to the rapidly accelerating adoption of smartphones and the growth in digital commerce, the evolving payments landscape has given rise to mobile payment apps, wallets, and new point-of-service devices, offering faster, more convenient ways to pay for goods and services.

Unfortunately, while this offers tremendous new opportunities for payment processors, increasingly sophisticated cyberattacks demonstrate just how relentless fraudsters can be in uncovering and exploiting vulnerabilities in processors' defenses. As a result, online payment fraud is now 19 times higher than old-school offline fraud involving physical checks and credit cards.

As discussed in a recent ThreatMetrix blog post, bot attacks against payments firms are highly elevated. But according to the Cybercrime Report for Payment Processors from ThreatMetrix, device spoofing continues to be the top attack vector for payment processors as fraudsters attempt to slip past device recognition and detection systems.

The device is a crucial component in assessing true digital identity in order to protect against online and mobile payment fraud. Payment processors and other verticals must ensure they are using the most sophisticated methods of device identification, global device intelligence and device binding – crucial tools in their full contextual assessment of transactions.

Online & Mobile Payments: A Fraudster’s Paradise?

According to ThreatMetrix data, the boom in payment options over the last year resulted in 361 million digital payment transactions within the company’s global Digital Identity Network in the last quarter of 2017, and volumes remained elevated in Q1 2018 at 331 million.

Not surprisingly, mobile payments are on the rise as more consumers in more parts of the world make use of smartphones for daily transactions. Of the 1.2 billion payment processor transactions analysed through the ThreatMetrix network over the last year, 43 percent now originate from mobile devices.

Unfortunately, the bad guys seem to have noticed. Today, cybercriminals armed with an endless supply of stolen identity credentials continue to launch attacks aimed at monetizing that information by hijacking existing accounts, opening new ones, or going on unrestricted shopping sprees.

Yes, desktop payments continue to be more heavily attacked, with fraudsters opting to exploit vulnerabilities of desktop sessions instead of more secure mobile app sessions over the last year. But that will begin to change as mobile adoption continues and as payment options within the mobile channel proliferate. Indeed, mobile payment apps such as Apple Pay, PayPal and others are expected to see user bases expand nearly 50 percent by 2022. With that kind of growth, cybercriminals won’t be far behind.

Either way, while the number of cyberattacks is rising across all industry sectors, attack rates on payment processors are now nearly double the cross-industry average. And device spoofing appears to be a major contributor.

Five Top Tips for Protecting Against Device-Based Attacks

According to the Payments Cybercrime Report, in the fourth quarter of 2017, device spoofing spiked to more than double the rate of other attack vectors, as fraudsters look to masquerade as legitimate users through device-based attacks. Here are some quick tips on methods to adopt so that you can accurately assess how far to trust a user based on analysis of their device.

  1. Use cookie-less device identification technology and digital identity-based user verification solutions capable of differentiating between customers and cybercriminals when cookies are deleted or changes are made to browser settings. One of the best ways to do this is to prioritise analysis of high-risk/high-velocity cookie deletions, such as a high number of repeat visits per hour or day.
  2. Leverage global device intelligence that gives insight into the trustworthiness of connecting devices and identifies devices that have been previously associated with fraudulent attacks or suspicious activity on other websites and apps.
  3. Apply advanced link analysis technology that looks at the connections between devices and users in order to see how these interactions compare with historical trusted behaviour and to identify anomalies that indicate fraud.
  4. Implement persistent device binding through technologies that use cryptographic keys, so that returning devices are instantly recognized and additional authentication is not required for trusted users.
  5. Deploy threat detection that identifies malware, compromised devices and applications, and hacked sessions that indicate that a transaction is high-risk.
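
The cookie-deletion velocity check from tip 1, as an added example that is not ThreatMetrix code. It assumes each visit has already been reduced to a timestamp, a cookie-less device fingerprint, and the cookie presented (None when missing); the event tuples, fingerprint labels, one-hour window and threshold of three are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample visits: (ISO timestamp, device fingerprint, cookie or None).
# None means the browser arrived without the cookie issued on an earlier visit.
EVENTS = [
    ("2018-06-21T10:00:00", "fp-A", None),     # first sighting: not a reset
    ("2018-06-21T10:05:00", "fp-A", None),
    ("2018-06-21T10:12:00", "fp-A", None),
    ("2018-06-21T10:20:00", "fp-A", None),
    ("2018-06-21T10:31:00", "fp-A", None),     # 4 resets in 26 minutes
    ("2018-06-21T09:00:00", "fp-B", None),     # first sighting
    ("2018-06-21T09:30:00", "fp-B", "ck-b1"),  # cookie kept: normal return
    ("2018-06-21T13:00:00", "fp-B", None),     # one occasional clear
    ("2018-06-21T18:00:00", "fp-B", "ck-b2"),
    ("2018-06-21T08:00:00", "fp-C", None),     # first sighting
    ("2018-06-21T08:50:00", "fp-C", None),
    ("2018-06-21T10:10:00", "fp-C", None),     # resets spaced 80 minutes apart
    ("2018-06-21T11:30:00", "fp-C", None),
]

def flag_cookie_churn(events, window=timedelta(hours=1), threshold=3):
    """Return {fingerprint: peak cookie resets inside one sliding window}
    for fingerprints whose peak reaches the threshold."""
    seen = set()                 # fingerprints observed at least once
    recent = defaultdict(deque)  # fingerprint -> reset times still in window
    peak = defaultdict(int)
    for ts_raw, fp, cookie in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_raw)
        # A reset is a known device coming back without any cookie.
        if fp in seen and cookie is None:
            q = recent[fp]
            q.append(ts)
            while ts - q[0] > window:  # drop resets older than the window
                q.popleft()
            peak[fp] = max(peak[fp], len(q))
        seen.add(fp)
    return {fp: n for fp, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for fp, n in flag_cookie_churn(EVENTS).items():
        print(f"{fp}: {n} cookie resets within one hour, queue for review")
```

Only `fp-A` is flagged: `fp-B` cleared its cookie once, and `fp-C` cleared it three times but never more than once inside any single hour.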

With losses from mobile and online payment fraud expected to top $31 billion by 2020, payment processors need to prioritise these tools in order to protect transactions and offer a secure service to their merchants without negatively affecting the user experience.

To learn more about device spoofing and solutions for reducing online and mobile payment fraud, download a FREE copy of the ThreatMetrix Cybercrime Report for Payment Processors.

Stephen Topliss


Vice President Product Strategy, ThreatMetrix
