This article in Mobile Payments Today presents an argument that most payment fraud and cart abandonment problems are solved when user mobile phone account data derived from the mobile carriers is integrated with the payment process.
The article begins by presenting a false argument that the payment industry has made no effort to make stolen credentials unusable:
“Today, most solutions target preventing the initial theft of the data. Unfortunately in the complex world of payments, companies often find themselves on the wrong side of the security arms race. By the time they discover a new exploit, their data is gone. What is particularly frustrating about this situation is that the companies that are often responsible for the stolen data are not the ones that will be defrauded and suffer losses in the future.
It is time for the payments industry to broaden their security strategies to include preventing the use of stolen data, since they are unable to prevent data from being stolen 100 percent of the time.”
In reality, the payments industry has a broad focus on preventing fraud, from preventing theft of credentials (PCI), to long term and ongoing investments to make stolen credentials useless (EMV/Tokens), and to prevent the use of any credentials that are stolen (real time scoring and back end fraud management).
But, now back to the sales pitch that claims to offer a revolutionary way to prevent fraud (my words not theirs):
“But now, new, much needed technologies are surfacing that can provide a whole new level of insight into the person conducting the transactions. By leveraging a transactor’s mobile phone, new insights into the legitimacy of a transaction can be identified by the merchant.
Typically, when a user enters a mobile phone number into their shopping cart, the number is used to arrange shipment. Rather than a merchant submitting just the phone and payment information for authorization, a merchant can also submit the data they can now collect to an outside party for authentication. The customer name, address, phone, and card data can be verified for ownership against both credit bureau and mobile carrier datasets. Furthermore, the network-identified location of the mobile phone can be compared to the transaction’s IP location and the shipping address to identify anomalies that may indicate fraud.
For the criminal sitting in the foreign café spoofing a U.S. IP address, they would now have to come up with a mobile phone associated to the credit card account at the same location as the transaction IP address. Even if the fraudster knows the correct mobile number of the cardholder, they still need to be able to conduct the transaction from an IP address matching the current phone location. These are almost insurmountable challenges that will reduce the opportunities to exploit stolen card data.”
This isn’t a new idea. Several suppliers offer merchants data elements derived from mobile carriers to reduce payment fraud and have for some time. While used by many eCommerce sites, it is a method especially common on eCommerce sites that include the sale of mobile gift cards.
There is however this nugget in the article that does present an interesting additional use case for the data derived from the consumer’s mobile account:
“This revolutionary technology can even go a step further by using a phone owner’s account data to prepopulate the shopping cart checkout form. With a consumer’s consent, their name, address and other relevant data from their mobile carrier can be loaded into a checkout form. The result is faster checkout, fewer errors and reduced abandonment for merchants. For first-time customers, this enhanced experience is especially important to successfully completing a transaction since entering information using a tiny mobile screen can be problematic.”
Here are two last notes of caution to those prepared to use this revolutionary new approach. First, there will never be one mechanism, no matter how simple or complex, that stops payment fraud. Reducing payment fraud requires using multiple techniques and the bad news is that the more techniques utilized, the more complex (typically for you and the user) and costly the solution. Finally, if you use the technique indicated in this article as a component of your risk management solution, recognize that it fails to address the 29% of the mobile phone market in the U.S. that utilizes prepaid phones, which is heavily slanted towards the low and moderate income earners. If you lock that audience out, not only do you risk losing revenue, you risk a backlash.
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
Read the full story