Consumers love paying for goods and services with their smartphones. But as more retailers release their own mobile apps with in-store payment options, the threat of fraud must be carefully considered. Retailers offering in-store purchasing through a mobile app should be aware of major card-not-present fraud schemes.
Let’s imagine a fictitious retailer called Smoothie Shop; its mobile app allows saves customers’ credit card information to facilitate in-store purchases. And that opens the door to at least three kinds of potential fraud.
In the first scenario, the fraudster takes over an existing Smoothie Shop account. Since the account already has a credit card saved in the app, the fraudster can simply walk over to a Smoothie Shop, present the mobile app with the saved credit card information, and enjoy a refreshing smoothie that was paid for with someone else’s stored credit card.
In a second scenario, the fraudster takes over a Smoothie Shop account again, except this account lacks a saved credit card. That in turn prompts the fraudster to buy a stolen credit card off the Dark Web or some other electronic market, then add the newly obtained card to the Smoothie Shop account and app. They can then proceed to the closest shop to buy smoothies using the stolen credit card.
Why would fraudsters go through the trouble of taking over an existing account instead of just creating a brand new account to commit fraud? It’s because savvy fraudsters know that “aged” accounts more than 3–6 months old with a good transaction history are less closely scrutinized than a brand new account with no transaction history.
Finally, in a third and more sophisticated scheme, the fraudster uses a bot tool or a human click farm to create hundreds of fake Smoothie Shop accounts. Once the fraudster has access to multiple fake accounts, he can then add as many stolen credit cards as he pleases in order to make in-store purchases.
What, then, can retailers and consumers do to protect themselves?
Prevent account takeover (ATO)
There are many ways to prevent or at least significantly reduce the amount of ATO — eliminating credential stuffing, for instance. The goal of the organization should be to eliminate the economic advantage that fraudsters obtain from taking over an account. If the cost/effort of taking over an account outweighs the value of said account, there will be no incentive for the fraudster, and they will likely go elsewhere to commit fraud.
Maintain control of the account creation process
Creation of accounts by bots and scripts can be limited by using a captcha, but these can be bypassed by mid-level sophistication fraudsters, and consumers generally dislike captchas. Preventing bulk creation of accounts requires collecting device-level information in order to restrict the number of new accounts that can be created by a single device. Forcing the fraudster to leverage a device farm could make their rate of return less desirable and push the fraudster elsewhere.
Ensure customers aren’t logging in with compromised credentials
This is a set of NIST recommendations concerning authentication and digital identities that make a lot of sense in today’s world of daily breaches. The customers who are logging in to your website or mobile app with compromised credentials are most likely the accounts that will be taken over and defrauded first.
Build controls around misuse of credit cards in the mobile app
Legitimate customers will likely need to add one, maybe two, unique credit cards to their account/device. Any account/device trying to add a third or more credit cards to an account should be closely inspected and possibly restricted from adding more. The stored credit card should also be tied to the device rather than to the account. That way, if an account is taken over from a new device, there will be no stored credit card information available for the fraudster to use. Both of these require a strong and unique identifier at the device level.
Even if apps are more convenient for customers and encourage repeat business, they’re a liability for consumers and retailers alike. It’s important retailers learn how to protect their customers and avoid the fallout from a breach by making critical changes in the development and monitoring of their apps. After all, while using apps to purchase goods is a fun novelty, it’s even better when no one has to worry whether the credit card info has been stolen.
Carlos Asuncion manages a team of Strategic Solutions Engineers at Shape Security, helping the world’s largest organizations prevent automated and human fraud. His cybersecurity experience spans 10 years across SIEM, DLP, IAM, DPI, EDR, TI, and many other obscure acronyms. … View Full Bio