When it comes to providing online security solutions, there are several companies that assess and mitigate the risks of online transactions for businesses and their customers. But according to iovation’s Scott Olson, VP of Product, these businesses and their providers need to acknowledge that consumers and fraudsters nowadays are using multiple devices to transact (or steal) online. Anti-fraud solution providers must fully understand these various devices, collectively and individually, before they can effectively secure them – all the while remaining behind the scenes in the process. In a recent podcast, Olson offered insight on how iovation uniquely tackles online security via one platform across multiple industries.
What’s the biggest priority when it comes to protecting payment transaction data when consumers use mobile devices to pay?
SO: Many businesses today are trying to figure out what they are going to do about mobile security, and we’ve found that so many of them don’t fully appreciate the risk that’s associated with those online transactions, either through the web or through an app. One thing that’s clear is that usability and the customer experience are not second to security. Security has to map to a highly interactive, user-friendly experience because otherwise it won’t get the adoption that companies want.
The secret is to map security in a way that’s transparent and seamless to the end user. That’s what we’ve found to be most effective, and one of the benefits of using device intelligence to assess and mitigate risk. Most of the time, it’s completely challenge-free. We are not popping up SMS text messages with a one-time password, or trying to interact with the user to enable that security. We’re focused on being behind the scenes so that the app can be the best possible.
iovation recently conducted a study on mobile operating system global market share and mobile commerce usage. What were the findings, and do you see these data points evolving in the next few years?
SO: We process over 10 million transactions a day on behalf of our customers. About a third of those are mobile transactions, so we get a really good look at the evolution of the mobile ecosystem, and what devices people are using to conduct online commerce. Most surveys out there today in terms of market share and adoption are skewed toward Android operating systems, which is true, and the market share of Android is especially large in developing markets. But when it comes to online commerce, our data shows that large market share doesn’t equate to online usage. Today, Apple’s iOS platform has broader usage than Android. That’s an interesting finding, that despite proliferation and market share advantage of Android, more people are using Apple devices to transact online.
What mobile operating system is the most vulnerable when it comes to mobile fraud and how can developers take action to decrease this risk?
SO: In our experience, from reported incidence of fraud, Android has higher risk and fraud rates than Apple. Android is a more open system, and the ability to get apps is much more open, and it’s more susceptible to malicious applications as opposed to iOS. We’ve found fraud rate to be more than three times Apple’s fraud rate on the Android platform.
As far as decreasing risk on mobile platforms, a few things need to be done.
First of all, we have to understand that most individuals don’t just use one device to transact online. So understanding the groupings of devices – the laptop, tablet, and phone, perhaps – is important because if they are using one device for bad activity, that can map other devices that they use. The other thing that needs to be done is assessing the risk of the device used.
For example, taking a look to see if the device has been jail-broken in the case of an Apple device or rooted in the case of an Android device. This would be indicative of higher risk rates because these devices are more susceptible to malware. Then, just using typical risk methods that vendors would with any kind of online transaction, like using geo-location, understanding the attributes of a device, and taking a look for mobile emulators. There are many things that can be done to assess and reduce the risk.
How do service providers deliver fraud solutions that reflect the unique situations of each consumer and industry segment yet don’t cost a small fortune to implement?
SO: We are fortunate that we work with a wide range of industries – financial services, insurance companies, retailers, social media and dating sites, and online games. Each one of them has a risk that’s unique to their business, and then there are a lot of risks that are common across all of them. For example, account takeover might be a common risk across industries. However, particular industries like online games may have spam or chat abuse. Financial services may have bad credit applications, and retailers might have stolen credit cards being used.
What we do is categorize fraud history that has been associated with any given group of devices. Whether it’s identity theft, credit card theft, or any other type of fraud, we track it and then let our companies use them to guide future interactions with those devices. We’ve built a platform so that all of our customers across industries can work together to fight fraud that’s not just unique to one business.
It’s sort of scary now as we hear more about mobile banking being hacked – there was just an incident in South Korea. As mobile banking matures, what are the crucial fraud protection measures developers need to integrate into their applications?
SO: We look at this from a few different perspectives. They need to provide mobile data, understanding the device they are interacting with – what version of operating system, or any inherent risks with the device. Looking at location – understanding location of the device both through IP geo-location and native geo-location through GPS on mobile devices. Finally, taking a look at the security of the operating system and the app itself – ensuring that neither has been tampered with and mapping that to the valid users. Again, understanding the groups of devices that a person uses online can become an element of authentication of good users, preventing account takeover and other types of threats.
With all of the methods out there for preventing online fraud, what sets iovation apart from other fraud prevention solutions?
SO: What sets us apart is that we tackle fraud independent of personal information. We actually offer a service that exposes risk through the device being used to conduct the transaction online. We have a device intelligence database that can understand the groups of devices that both good users as well as fraudsters use to transact business online. When one of those consumers or fraudsters is visiting an online site, we can tell the history of good or fraudulent activity, understand the relationship that users have with each other, and we also look for characteristics of fraud in the transaction itself – for example, are they trying to masquerade as another type of device, or hide their location or details about their online interaction.
VP of Product, iovation
Scott Olson has over 20 years of experience leading marketing and product strategy in startups. In addition to his time at iovation, Scott has started three companies and served as VP of Marketing at two others. These companies have been successfully acquired by such companies as Cisco Systems, Symantec, and Trustwave.
Across these roles, Scott has personally driven the product and marketing strategy and focused on building thought leadership in new markets. He has contributed articles to major publications like ComputerWorld and VentureBeat, and has spoken at events like RSA, Networld Interop, Secure World, and Digital ID World. In addition, he has guest lectured on entrepreneurship at the University of Texas at Austin.
Scott holds a B.S.E. in Electrical Engineering from Duke University and an MBA from the University of Texas at Austin. In 2007 Scott received the Distinguished Young Alumni award from the Duke University Pratt School of Engineering. He also held a Certified Information Systems Security Professional (CISSP) certification from 2002-2008.