"Because of the improving browser experiences on smartphones, mobile commerce and transaction execution are set to increase rapidly," said William Clark, research vice president at Gartner. "We estimate that by the end of 2013, 12.5 per cent of all e-commerce transactions will be mobile."
"Enterprise applications must detect fraud in these mobile environments, but fraud detection tools available today that work in fixed-line computing environments don't work well or at all in the mobile world," Mr Clark said. "There are a number of methods that can be implemented to help organisations detect fraud in the mobile space, but they are still in their early stages of development, and it will take until at least 2012 for them to transform from embryonic applications to technically mature systems that work easily and transparently across disparate mobile networks."
"The evolution of these fraud detection tools will play a part in turning mobile commerce into location- and context-aware commerce by increasing the confidence of businesses, financial institutions and end users," said Avivah Litan, vice president and distinguished analyst at Gartner. "This increase in confidence will help open up new possibilities for context awareness that will be richer than they are in fixed-line commerce."
Fraud prevention methods available today to mobile applications include:
Mobile device identification - This is enabled through JavaScript on the server that the user logs in to, which captures whatever information it can get from the user's browser and phone, depending on whether the user is using a browser or a native application. If the application is browser-based, the JavaScript captures whatever information it can get from the user's browser to uniquely identify that particular browser and mobile device. If the mobile application is native and resides on the mobile handset, it can additionally gather the phone's serial number and network card number. This will require opt-in by the user.
Location of device - This is based on the phone's location information, independent of the browser (IP address), so the user does not need to have the mobile browser application open for this to work; the phone only needs to be turned on. Organisations may want to check and correlate the location of the device with anything else they know about the user's location through other systems they interact with at the enterprise. For mobile phones, two architectures are used to obtain location information: one relies on device information (e.g., GPS API applications that the user must opt in to); the other employs APIs provided by mobile network operators that don't require users to opt in to releasing this information.
Some online fraud detection vendors are starting to tune their risk scoring and/or rule-based models specifically for mobile applications - For example, some vendors are looking at the mobile device itself, the location of the phone, and the behaviour of the user inside the host application while transacting from the phone. This area is very new to the fraud detection vendors, as there is little mobile transaction experience to draw on in order to build effective risk models and scores that significantly improve on risk models that have already been built for fixed-line computing. This approach tries to combine some of the methods listed above, including mobile device identification and examining the location of the mobile phone in relation to other information known about the user and his/her location.
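The following sketch shows how a rule-based score could combine the methods listed above: a device identifier derived from captured attributes, and the phone's reported location compared with the transaction location. It is an added example, not code from Gartner or any vendor; the attribute names, weights, 50 km threshold and sample data are all constructed assumptions.

```python
import hashlib
import math

def device_id(attrs):
    """Derive a stable identifier from captured browser/handset attributes."""
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def risk_score(user, attrs, phone_loc, txn_loc, known_devices, max_km=50.0):
    """Return (score, reasons); weights are illustrative assumptions."""
    score, reasons = 0, []
    # Rule 1: has this user transacted from this device before?
    if device_id(attrs) not in known_devices.get(user, set()):
        score += 40
        reasons.append("unrecognised device")
    # Rule 2: does the phone's location agree with where the transaction
    # is taking place? phone_loc may be missing if the user has not opted
    # in and no operator lookup is available.
    if phone_loc is None:
        score += 20
        reasons.append("no phone location available")
    elif distance_km(phone_loc, txn_loc) > max_km:
        score += 40
        reasons.append("phone far from transaction location")
    return score, reasons

# Constructed sample data: one enrolled handset for a hypothetical user.
ENROLLED = {"user_agent": "ExampleBrowser/1.0", "screen": "320x480",
            "timezone": "Europe/London", "language": "en-GB"}
KNOWN = {"alice": {device_id(ENROLLED)}}
LONDON, PARIS = (51.5074, -0.1278), (48.8566, 2.3522)

if __name__ == "__main__":
    print(risk_score("alice", ENROLLED, LONDON, LONDON, KNOWN))
    changed = dict(ENROLLED, screen="480x800")
    print(risk_score("alice", changed, PARIS, LONDON, KNOWN))
```

The same location rule applies to a fixed-line or card transaction by passing the terminal's location as `txn_loc` and the operator-reported phone position as `phone_loc`.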
"Given the explosive growth of smartphones and other mobile devices, the increase in mobile commerce, and the migration of fraud attacks to these devices, using mobile fraud detection in mobile commerce environments is an imperative," Ms Litan said. "While smartphones are a catalyst for mobile commerce, enterprises need to also consider the potential of using context information for fraud detection for nonmobile transactions by combining and correlating the location information that can now be derived from any kind of mobile phone worldwide with the other process information associated with the consumer who owns the phone."
Gartner estimates that 70 per cent of the largest 20 global card issuers (who authorise more than 50 per cent of all payment card transactions) will gradually adopt mobile context information to help detect fraud on fixed-line transactions, and that by year-end 2015, more than 15 per cent of all payment card transactions will be validated using context-aware profile information.
"Organisations that want to remain competitive in electronic commerce over the next five years should begin exploring context-aware applications by year-end 2011, for both fraud detection and later on for customer acquisition and retention activities afforded by personalised and customised marketing and advertising information," Mr Clark said. "Both users and service providers should have a better and more secure experience enabled through the use of rich contextual information coming from mobile phones."
Additional information is available in the report "Get Smart With Context-Aware Mobile Fraud Detection" which is available on Gartner's website at http://www.gartner.com/....
Ms Litan will highlight the top five Gartner recommendations for how organisations can protect their customers' data and explore the future of payments security at the Gartner Security & Risk Management Summit 2010 being held on September 22-23 in London.
About Gartner Security & Risk Management Summit 2010
The Gartner Security & Risk Management Summit 2010 comes at a time when the relationships between information security, business and risk management are crucial. As organisations prepare for a return to growth, they continue to face financial challenges which represent opportunities for security, risk and privacy professionals to become key partners in their organisations' strategies for renewed growth. Gartner analysts will help organisations protect their infrastructure and manage their identities in the most efficient and effective ways, but also discuss best practices in risk management and governance. For further information on the Summit, please visit europe.gartner.com/security. Members of the media can register by contacting Ben Tudor, Gartner PR, at ben.tudor@gartner.com. Additional information from the event will be shared on Twitter at http://twitter.com/... and using #GartnerSecurity.