Mobile Payment Magazine

Consumers Union Warns About Mobile Payment Security

by

Most cell phone and tablet users can purchase digital goods and charge them to their monthly bill or prepaid phone account. But they may not get the protections they need to limit their financial liability if something goes wrong with the transaction. The protections consumers receive will vary depending on their wireless carrier’s policies and what?s in their cell phone contract, according to a new analysis by Consumers Union.

“Consumers using mobile payments should get the same strong protections they currently enjoy when they make purchases with a credit card or debit card,” said Michelle Jun, senior attorney for Consumers Union, the nonprofit advocacy arm of Consumer Reports. “But we found that consumer rights can vary widely between wireless carriers and the protections carriers claim to provide are often nowhere to be found in customer contracts.”

In May 2011, Consumers Union called on the top wireless carriers to strengthen their contracts to protect consumers in the event that their phone is lost or stolen or if a merchant makes a billing mistake or the customer is not satisfied with a purchase. The consumer group urged the carriers to provide the same strong protections guaranteed by law when consumers use a credit card or debit card. In addition, Consumers Union pressed the companies to provide consumers across the country with the same protections California phone customers are entitled to receive as a result of regulations issued by the state’s Public Utilities Commission (PUC).

Since May, Consumers Union has been in communication with representatives from AT&T, Sprint, T-Mobile, and Verizon Wireless to find out how they handle disputed mobile payment transactions. All four carriers maintain that they provide ample protections for consumers.

However, Consumers Union found that the protections these carriers provide fall short of what consumers get when they use credit cards and debit cards or when California consumers report a disputed charge on their phone accounts. In addition, many of the protections that wireless carrier representatives described to Consumers Union are not disclosed in customer contracts, making it difficult to know whether consumers can count on these safeguards when problems arise.

“As new mobile payment options become available, consumers are better off sticking to services linked to credit cards or debit cards, which come with strong protections required by law,” said Jun. “If wireless carriers want consumers to have confidence in direct carrier billing programs, they should strengthen their contracts with the protections consumers need.”

Below is a summary of the protections that Consumers Union analyzed and what is provided by the top wireless carriers:

Limit liability when phones are lost or stolen: A credit card customer’s liability is limited to no more than $50 for unauthorized charges. In practice, credit card issuers usually shield customers from any financial liability for fraudulent charges. Verizon Wireless? contract makes clear that its customers are not liable for charges related to a lost or stolen phone. Contracts for AT&T, Sprint, and T-Mobile protect customers from fraudulent charges made after a phone is reported lost or stolen but consumers may be on the hook for charges made before making a report.

Limit liability for disputed charges: If a billing error appears on a monthly credit card statement, there is no liability for the customer as long as the customer reports the error within 60 days. “Billing error” also includes a dispute with a merchant about the delivery or acceptability of goods or services. While all four wireless carriers insist they provide refunds for billing errors or when customers are unhappy with purchases, these rights are not clearly disclosed in their contracts.

Re-credit pre-paid customers within 10 days for disputed charges: After a consumer reports a fraudulent transaction involving a debit card, the bank must either complete its investigation within 10 business days or provisionally re-credit the consumer’s funds within that time. AT&T, Sprint, and T-Mobile indicated that they strive to provide prompt refunds but none guarantee in their contracts that pre-paid customers will get a provisional refund within ten days after reporting fraudulent charges. Verizon Wireless does not allow customers with pre-paid phone accounts to make mobile payment charges.

Give customers the right to withhold payments for disputed charges: California’s PUC rule gives phone customers in that state the right to withhold payment of disputed charges while an investigation is conducted and requires investigations to be completed within 30 days. Sprint’s contract indicates that customers don’t have to pay for disputed charges as long as they are reported within 60 days. AT&T said that it gives all customers the right to withhold payments during an investigation but its contract only discloses this right to Californians. T-Mobile discloses these rights for California customers but not for customers living in other states. Verizon Wireless’ contract allows customers to withhold payment for charges related to lost or stolen phones but it does not indicate that consumers have this same right for other kinds of disputed charges.

Enable customers to set a cap on mobile payment charges: The California PUC rule allows consumers to block third party charges on their accounts. All four wireless carriers allow customers to block third party charges but AT&T and Sprint do not disclose this right in their contracts. AT&T, Sprint and Verizon Wireless set their own dollar limits on allowable charges (AT&T has a $100 limit per month per line while Sprint and Verizon Wireless limit charges to $25 per month per line). AT&T enables consumers to set their own limits but charges $4.99 per line each month to do so.

For more details, see How Top Wireless Carriers Compare on Consumers Protections for Mobile Payments.

For Consumers Union’s mobile payment tips for consumers, see: Mobile Payments Tip Sheet: What Can Consumers Do Now

Source: Consumers Union

Fraud “Waiting to Happen” with Mobile Payments, Says Report

by

As the use of mobile payments grows globally, so too does the risk of mobile payments fraud. Gartner, and other eminent research companies, predict that these services will be extremely attractive to fraudsters and those seeking vehicles for money laundering. According to Gartner, mobile payment services are expected to reach US$245 billion in value worldwide by 2014.

According to Neural Technologies, an appreciation of the fraud and risk threats posed by mobile payments can be achieved through understanding the various mobile payment products and services on offer, as well as the different technologies used to deliver them. [Read more…]

ThreatMetrix Announces New Cloud-Based Fraud Prevention Platform

by

ThreatMetrix, a provider of fraud prevention solutions that do not require personally identifiable information (PII), today announced the availability of the ThreatMetrix Cloud-Based Fraud Prevention Platform, which incorporates cookieless device identification and enhanced mobile authentication that makes it easy for banks, merchants, online businesses, payment gateways and payment providers to detect and screen for fraud. The comprehensive fraud platform helps companies fight online fraud during account creation, login authentication and payment authorization regardless of the device. With the growth of mobile commerce and mobile banking, there is a growing need for fraud solutions in this channel.

“The ThreatMetrix Cloud-Based Fraud Prevention Platform provides companies with the ability to authenticate payments, new accounts and returning customers online regardless of the device involved — be it a smartphone, personal or tablet computer — without requiring a forklift install of hardware or software,” said Reed Taussig, president and CEO, ThreatMetrix. “A smarter approach to device identification combined with aggregated fraud intelligence in the cloud allows customers to benefit from proactive protection without needing to share personally identifiable information.”

ThreatMetrix’s solution to cookieless device identification, called ThreatMetrix SmartID, goes beyond traditional device identification solutions by incorporating device fingerprint attributes instead of cookies, which can be wiped or blocked. ThreatMetrix SmartID, which incorporates unique TCIP/IP packet intelligence, cross correlates and scores device attributes and behavior with session and browser cookies to more accurately establish and authenticate a device identity.

“Using ThreatMetrix SmartID, ThreatMetrix provides the most effective first perimeter of defense for transaction security from cybercrime, hidden proxies, scripted attacks and cookie and browser manipulation by fraudsters,” said Taussig.

The ThreatMetrix Cloud-Based Fraud Prevention Platform

The ThreatMetrix Cloud-Based Fraud Prevention Platform includes several new features including:

  • Enterprise Risk Engine: ThreatMetrix provides real-time contextual scoring based on device, customer and transaction attributes and historic analysis through a customer configurable rules engine. Default rules and algorithms will detect many anomalies such as hidden proxies, high-risk geographies, anomalous language and time settings, potential cookie wiping and blacklisted attributes. More advanced rules allow for correlation of other transaction data such as detecting multiple identities, payment accounts or shipping addresses used by the same device, or an unusually high volume of transactions from a device across the ThreatMetrix network. ThreatMetrix rules can be updated by analysts and activated immediately to respond to changing threats.
  • Global Network Intelligence: ThreatMetrix customers benefit from anonymous and aggregated device and transaction behavior seen across the global ThreatMetrix network through both automated scoring as well as customizable fraud filters. The ThreatMetrix Cloud-Based Fraud Prevention Platform provides proactive protection that gets smarter with every customer and transaction without, requiring extensive manual input.
  • Queue Management: Manual review of transactions is time consuming and expensive. To address this, ThreatMetrix allows for custom tuning of rules to reduce false positives, and also automated assignment of transactions to analyst queues by configurable rules. This enables analysts to focus on the highest risk transactions, based on score, transaction amount, or criteria such as geographical origin, for instance. When a transaction is reviewed, it can be marked as rejected/accepted to improve the ability of ThreatMetrix to score transactions through predictive scoring.
  • Customizable Alerting: ThreatMetrix supports automated alert rules to notify an analyst by email when a transaction meets specified criteria. These alerts can be set based on risk, transaction or device attributes, or associated with specific fraud behavior. Alert content can be customized and linked directly back to the transaction for review.
  • Online Portal and Dashboard for Transaction Monitoring and Link Analysis: In addition to a real-time API that immediately returns device identifiers, anomaly indicators and risk scores, ThreatMetrix provides an online portal to review past transactions. It includes a dashboard that shows recent high-risk transactions and trends, as well as advanced search capabilities to assist fraud analysts in finding related transactions and discovering links between suspicious activities.
  • Bulletproof Security and Privacy Protection: ThreatMetrix provides advanced device identification technology to detect and alert based on suspicious device anomalies. For even more powerful fraud detection, transaction identifiers (such as an email address, payment account hash, phone number, etc.) can be passed to allow for more correlation. When provided, ThreatMetrix protects these identifiers with encryption and one-way hashing so the data is never exposed or shared. In addition, power role-based permissions and full auditing meet and exceed enterprise security compliance requirements.

Source: Marketwire