With mobile transactions up 591% last holiday season, the problem mounts.

Last holiday season, fraud prevention service provider ThreatMetrix measured a 591% increase in mobile transactions among its clients. While retailers with sites optimized for mobile devices are benefiting from that surge, many are still figuring out how to make those sites as secure as their regular web sites, says Alisdair Faulkner, chief products officer at ThreatMetrix.

“Once they figure mobile commerce out, they need to pretty quickly figure out how to stop money going out the wrong direction,” he says.  The wrong direction is into the wallets of criminals, many of whom capitalize on the fact that retailers are still learning how to best monitor and safeguard mobile transactions.

To prevent fraud, retailers need a holistic plan for how to monitor consumers on both mobile and web sites to give “a consolidated image of transactions in one tool that can filter and risk score from all browsers,” Faulkner says. The advice sounds basic, but because mobile commerce is still relatively new, many retailers treat it separately from web commerce to avoid problems in adapting legacy e-commerce systems for mobile sites. Or to try and figure out what rules for risk-minimizing will work on mobile versus on a PC. 

Another challenge for retailers is the way that mobile devices access the web makes them harder to monitor externally. For one thing, mobile networks have difficulty identifying unique Internet addresses and geo-locations, Faulkner says, because devices frequently switch between cell towers, blurring the resolution of unique users and locations. This is why someone listening to Internet radio on a smartphone in San Francisco might hear ads from Los Angeles, for example. 

Tracking consumer behavior is also more difficult on smartphones and tablets, which tend to use more privacy-focused operating systems than PCs, for example, by not allowing tracking cookies to download on web pages. “Mobile infrastructure presents challenges in how mobile looks to fraud teams—there are challenges in the devices themselves,” Faulkner says. “You are typically able to get a lot more information from a PC than from an iOS, because iOS is built to be more locked down.” iOS is Apple Inc.’s mobile operating system for the iPhone, iPod Touch and iPad.


Criminals can exploit this by sitting at a PC and minimizing their screens or using a plug-in to fool their browsers into thinking they are on mobile devices; they assume that a retailer might not have the same standards of fraud screening on mobile. For example, manual reviews of transactions don’t always work in a mobile economy, he says, “That means we need more mobile tools to verify transactions autonomously as they happen.” ThreatMetrix and other fraud prevention companies can provide such tools, which often come as downloadable kits that retailers can add to their mobile apps. The tools can detect things such as what device and browser a customer is on and whether he is buying from a jail-broken device, which means the operating system has been hacked into in order to download additional applications, extensions, and themes that are unavailable through the official Apple App Store. When that is the case, the tools note that the transaction may be risky.

Another trend ThreatMetrix has seen is Android phone users in foreign countries using the Opera mini-browser or other mini-browser alternatives to the Android-installed Google Inc.’s browser, Faulkner says. That enables them to direct their web traffic through a proxy site, which could have an Internet address associated with any location on Earth. This leads to many transactions that appear to be coming from credible U.S. addresses but are actually originating somewhere abroad.