Gunnar Assmy - Fotolia

Mobile e-commerce fraud leading to big losses for enterprises

E-commerce fraud is plaguing payment transactions over mobile devices, costing companies millions of dollars, according to a new study.

With more electronic payment transactions occurring over smartphones and tablets, enterprises are facing growing revenue losses from mobile e-commerce fraud, according to a new study -- and few enterprises are taking the steps needed to protect themselves from the threat.

The study by J. Gold Associates, a technology analyst firm based in Northborough, Mass., surveyed 250 enterprises with an average of $2.54 billion in annual revenue. According to the study, organizations lost an average of $92.3 million due to fraudulent mobile transactions for a 3% loss of total revenue per year.

Meanwhile, the enterprises surveyed said they expect an average mobile transaction growth rate of 47% over the next five years. Despite the fact that most companies said they believed they were sufficiently protected against mobile fraud, 48% of survey respondents said they've experienced between one and 24 incidents of e-commerce fraud in the last year.

"They think they're protected, but they're really not," Jack Gold, founder and principal analyst of J. Gold Associates, said. "They're not spending anywhere near enough energy and resources to protect themselves."

The survey, which was co-sponsored by RSA Security and mobile identity management firm TeleSign, illustrated a number of pressing threats to mobile payment transactions, from mobile operating system malware and fake mobile apps, to e-wallet fraud and account hijacking. And with many enterprises looking to grow their mobile revenue in the future, that could lead to increased risk, said Angel Grant, director of antifraud solutions at RSA.

"More functionality means more opportunity for fraud," Grant said. "We're starting to see an increase in volume [of mobile transactions], but parallel to that, we're also starting to see an increase in fraudulent activity."

According to Grant, some companies are looking to focus most or all of their IT development on the mobile market. But as interest and revenue around mobile e-commerce grows, the same can't be said for mobile security, according to both RSA and TeleSign.

More functionality means more opportunity for [mobile] fraud.
Angel Grant, director of antifraud solutions at RSA

"There have been years of people being educated on what not to do online: to avoid phishing emails, to avoid downloading email attachments and whatnot," Stacy Stubblefield, co-founder and vice president of TeleSign, said. "That type of education is pretty new on mobile. A password getting leaked, or even just usernames in some cases, is all it takes "

But a leak of credentials, according to Stubblefield, could be even more of a problem when it involves mobile devices that are being used to impersonate a paying user. Stubblefield explained that the credentials are then tested on various financial-oriented accounts in attempts to match the information and steal the customer's identity.

"What's happening is fraudsters are shifting over and testing credentials on mobile devices because it's much more difficult to identify the testing activity on mobile," Stubblefield said. "IP addresses often lead back to the IP of the provider, like Verizon or Sprint, rather than specific to the user they are testing."

According to the study, 59% of enterprises did not use IP address recognition to authenticate mobile users. In addition to this, the applications on smartphones and tablets themselves provide an opportunity for hackers to mimic the actions of legitimate pay systems to fool consumers into revealing their information.

"We also see fraudsters will create [a] fake app -- that will look like a global banking app -- and they're just using it to get credentials from users," Stubblefield said.

Others, Grant said, are set as traps to obtain control over the device.

"What we're seeing with the mobile malware coming out is that they're more targeted toward permissions -- asking for permission for pictures, voice, contacts records," Grant said. "That malware is waiting until [the customers] go to a legitimate app or legitimate site, and that's where the monetary damage is occurring."

The study also showed nearly 77% of enterprises currently rely on usernames and passwords to authenticate mobile users, 28% used phone-based two-factor authentication, 19% used soft tokens and 17% used biometrics.

Mobile user authenticationmethods

Grant said some companies are reluctant to add additional security layers and authentication steps out of fear of negatively impacting the customer experience.

"Because of the nature of the consumer world, organizations are still struggling with interrupting the user's sessions and minimizing the option of cart abandonment," Grant said. "When a user is checking out, they want to do it securely, yet they want to make sure it's not so cumbersome that shoppers are going to abandon their cart."

With the ever-present instances of security breaches in the news, however, enterprises  are planning to adopt heftier security measures and additional levels of authentication. When asked what methods of mobile authentication they plan to use in the future, 47% of respondents said biometrics and 32% said phone-based two factor authentication.

"We've been doing Internet commerce on PCs for a decade and a half, two decades now -- mobile commerce is relatively new," Gold explained. "Security just hasn't caught up yet."

But companies first need to understand where their mobile losses are coming from before they can address the issues, Gold said. While 57% of enterprises said they used analytics tools to track mobile fraud, nearly 40% said they didn't use such tools, and 3% said they didn't know if they used tools or not.

"The vast majority of companies don't have a good way of tracking and understanding what their actual losses are," Gold said. "I will bet that no more than 10% or 15% of companies out there, on a good day, will actually be able to give you those numbers based on statistics and tracking and analytics. The rest are just pulling numbers out of a hat."

Next Steps

Learn more about the benefits and risks of going mobile in the enterprise

Find out how Google's controversial patch policy will affect Android security

Dig Deeper on Mobile security threats and prevention