Mobile operators are estimated to process $47 billion worth of payments by 2020, four times more than they do today. A key reason for this is the number of people in emerging markets who are becoming smartphone owners but don’t have access to bank-based payment methods. At the same time, major digital merchants like Apple, Google and Spotify are increasingly adopting and driving usage of the payment method.
Carrier billing brings several benefits to mobile operators. ARPU increases, along with a decline in churn thanks to the stronger value proposition brought along by promotion deals and bundling with services that consumers perceive as valuable. But as this positive growth is taking place, the negative aspect of payment processing should not be overlooked.
Card fraud today costs the payments industry $16 billion annually. As carriers increasingly work with global, high-profile companies, their billing solutions will also come under scrutiny from criminals. Ignoring this topic puts carriers at risk of damaging their reputation both with their partners and with subscribers who have been targeted. How can a carrier billing platform be prepared to combat fraud in light of growing transaction volumes?
What types of fraud can occur?
In order to combat fraud done through carrier billing, the first step is to understand the different ways in which damage can be caused. The simplest way to categorize fraud is by its source: merchants or consumers. Merchant-side risks are easy to solve as working only with reputable service providers means the risk is essentially non-existent. As merchants are already used to card-based fraud, their solutions are also likely to be more advanced than those of the carriers.
Consumer-side fraud is a bit trickier. Here carriers are put at risk from two fronts: individual consumers who detect loopholes in the payment system and try to take advantage of them, and actual criminals attempting to commit large-scale fraud.
In the first case, the consumer generally does not attempt to hack the billing system but rather issues are caused by the carrier’s own infrastructure. For example, migrating to a newer billing platform can lead to failures in billing systems, with users being charged for lower amounts of money than the services they purchase are worth. Another example would be top-up promotions or free prepaid SIM card distribution where the intent is for users to spend bonus credit on calls or messaging but the carrier has forgotten to disable free credit for payment services.
Another big challenge with consumers is “friendly fraud” or people who make purchases but then demand refunds. This is a common issue in the card payments industry. Having a clear refund policy in place and blacklisting “friendly fraud” users from future payments helps mitigate the issues. Fortunately, there are ways for carriers to deal with both types of activity in order to mitigate risk and reduce the loss of revenue.
The other aspect of consumer-side fraud is targeted attacks by criminals. Such activities also attempt to exploit weaknesses in the carrier’s billing infrastructure but are usually technically more complicated and also harder to detect. Common examples of these include using data SIM cards in 4G routers to make payments; tricking people into giving confirmation to payments without their awareness; and topping up prepaid SIM cards through stolen credit cards which can be then used to purchase resellable services, such as virtual gift cards.
Answers to carrier billing fraud: data analysis and risk management
While the threat of fraud is serious, fortunately for carriers there is no need to reinvent the wheel. Many of the best practices in combating fraudulent purchases can be adapted from the card payments industry with some modifications that are specific to the subscriber-telco relationship.
A good starting point in combating fraud is setting up a payment tracking system which allows monitoring purchases in real time. Looking at data on an aggregated level helps understand which behavior patterns are normal and what type of usage is anomalous. Any other fraud prevention mechanisms are ineffective unless real-time information is available and action can be taken based on it. In parallel, this also helps ensure that fraud prevention is not set up so strictly that it prevents legitimate users from making payments.
But what type of information to capture in such a system? In order to understand whether a transaction is legitimate, we need to look at the payment being processed from two angles: whether the user is who they claim to be and whether the transaction that they are attempting to make falls under the normal purchasing behavior.
To verify the identity of users making payments, carriers have a wide variety of data available: MSISDN, ACR, the subscriber’s network provider, IP/cookie/geolocation information and device identity. For understanding whether the purchase is legitimate, there are additional parameters at a carrier’s disposal: subscriber account age, provisioning status, past record of refunds, payment history with other merchants and with the specific merchant for whom the transaction is being processed. So what can be done with this information?
On the user identification side, the key is to understand whether the user is who they claim to be. For example, if one MSISDN is used across 10 different smartphones, it is not normal behavior. If the user opens up a payment window from one country but the payment is confirmed in a network located in another country, then that can also be considered suspicious. If the device is a 4G data router and not a phone, payments should be disabled by default. This nips a majority of fraud in the bud as any fraudster will look to cover their tracks, which leads to anomalies in the parameters.
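The three identity checks described above can be expressed as a small rule set. The following is an added example, not code from the original article; the record layout, the device threshold and the sample events are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed cut-off: the article calls one MSISDN on 10 devices abnormal;
# a real threshold would be tuned on the carrier's own data.
MAX_DEVICES_PER_MSISDN = 3

@dataclass(frozen=True)
class PaymentEvent:              # hypothetical record layout
    msisdn: str
    device_id: str
    device_type: str             # "phone" or "data_router"
    initiated_country: str       # where the payment window was opened
    confirmed_country: str       # network where the payment was confirmed

class IdentityChecker:
    def __init__(self):
        # msisdn -> device ids seen so far (a production system would
        # bound this to a time window)
        self._devices = defaultdict(set)

    def check(self, ev):
        """Return the list of identity anomalies for one payment event."""
        flags = []
        self._devices[ev.msisdn].add(ev.device_id)
        if len(self._devices[ev.msisdn]) > MAX_DEVICES_PER_MSISDN:
            flags.append("too_many_devices")
        if ev.initiated_country != ev.confirmed_country:
            flags.append("country_mismatch")
        if ev.device_type != "phone":
            flags.append("non_phone_device")
        return flags

def decide(flags):
    """Non-phone devices are blocked by default; other anomalies go to review."""
    if "non_phone_device" in flags:
        return "block"
    return "review" if flags else "allow"

def run_sample():
    """Constructed events (fake MSISDNs), evaluated in arrival order."""
    a, b = "0000000001", "0000000002"
    events = [
        PaymentEvent(a, "d1", "phone", "EE", "EE"),
        PaymentEvent(a, "d2", "phone", "EE", "LV"),
        PaymentEvent(b, "r1", "data_router", "EE", "EE"),
        PaymentEvent(a, "d3", "phone", "EE", "EE"),
        PaymentEvent(a, "d4", "phone", "EE", "EE"),
    ]
    checker = IdentityChecker()
    return [decide(checker.check(ev)) for ev in events]
```

Sending anomalies to review rather than blocking them outright keeps the rules from rejecting legitimate users, such as a subscriber who is roaming.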
Carriers should also critically look over their payment authorization and confirmation messages in order to reduce attempts at phishing attacks. In a phishing attack, a fraudster attempts to initiate a payment with someone else’s number and asks the user to send their PIN confirmation back to the fraudster in order to finish it. Having the price, service purchased and contact information clearly displayed in payment notifications makes this type of fraud very hard to conduct.
But when a user does pass this initial test and is a legitimate end-user, the second step in detecting fraud is figuring out whether the payment that they are attempting to make is considered normal for a user of that profile. For this, we can look at past purchasing history with other merchants: how much they usually spend with carrier billing per month. We can also look at history with the specific merchant - if the user is already subscribed to a video streaming service with their phone number, it would not make sense for them to subscribe a second time.
There is no fixed rule for how large transactions and limits should be, as they largely depend on user income in each country, but looking at data from a long period of time gives a good estimate of average user behavior.
In addition to evaluating each transaction, we also need to look at the user behavior from a higher level. Here is where spending limits and risk management come into play. Different users have different habits: some play a lot of mobile games and spend money on them; others simply subscribe to a streaming service and do not spend money elsewhere. Applying the same fraud rules and spend limits across the entire subscriber base does not make sense.
While spend limits are again specific to each country and heavily depend on user income, each market follows the same general logic. There are users that have low risk (e.g. existing high ARPU postpaid customers who have been with the network for a long time as well as prepaid customers) and high risk users (e.g. new postpaid customers or those who have requested refunds in the past). For each user group, a different spending limit should be applied which ideally is reviewed on an ongoing basis and can also be changed by the user themselves, in order to avoid blocking off legitimate payment behavior. Even in markets where a majority of users are primarily prepaid customers, fraud is not an issue to be overlooked. Any carrier has at least some prepaid subscribers on their network and the open credit line will make them an attractive target for criminals.
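A sketch of how the per-group spending limits and the duplicate-subscription check could be combined at authorization time. This is an added example, not code from the original article; the limit amounts, the 90-day cut-off for a "new" account, the record layout and the sample subscribers are all assumptions.

```python
from dataclasses import dataclass, field

# Assumed values for illustration; real limits depend on the market.
MONTHLY_LIMIT_CENTS = {"low": 10_000, "high": 1_500}
NEW_ACCOUNT_DAYS = 90

@dataclass
class Subscriber:                      # hypothetical record layout
    plan: str                          # "postpaid" or "prepaid"
    account_age_days: int
    past_refunds: int
    spent_cents: int = 0               # carrier-billed spend this month
    subscriptions: set = field(default_factory=set)

def risk_tier(sub):
    """High risk: past refunds or a new postpaid account; otherwise low."""
    if sub.past_refunds > 0:
        return "high"
    if sub.plan == "postpaid" and sub.account_age_days < NEW_ACCOUNT_DAYS:
        return "high"
    return "low"

def authorize(sub, merchant, amount_cents, is_subscription=False):
    """Return (approved, reason) and record the spend when approved."""
    if is_subscription and merchant in sub.subscriptions:
        return False, "duplicate_subscription"
    limit = MONTHLY_LIMIT_CENTS[risk_tier(sub)]
    if sub.spent_cents + amount_cents > limit:
        return False, "over_monthly_limit"
    sub.spent_cents += amount_cents
    if is_subscription:
        sub.subscriptions.add(merchant)
    return True, "ok"

def run_sample():
    """Constructed subscribers and purchases, evaluated in order."""
    veteran = Subscriber("postpaid", 1200, 0)
    newcomer = Subscriber("postpaid", 14, 0)
    return [
        authorize(veteran, "video-stream", 999, is_subscription=True),
        authorize(veteran, "video-stream", 999, is_subscription=True),
        authorize(veteran, "game-store", 4_000),
        authorize(newcomer, "game-store", 1_000),
        authorize(newcomer, "game-store", 1_000),
    ]
```

Amounts are kept in integer minor units so that limit comparisons are exact.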
Fortunately for carriers, the technical set-up of carrier billing means fraud is much more difficult to conduct. This is mainly because payment confirmations require the user to have physical access to their phone, unlike with credit cards where the fraudster only needs to know the card number and a few additional details. This is also the reason why proportionally, the amount of fraudulent transactions done today through carriers is much lower compared to card-based payments.
But as carrier billing volumes continue to grow, the risks will grow as well. Analyzing data and putting in place a technical infrastructure that allows carriers to track and respond to illegitimate usage of their network prevent the negative aspects of payment processing from being carried over to carrier billing. Criminals always look for the easiest systems with the biggest gaps available to exploit. When carriers become proactive and respond to threats before they start occurring, those who wish to cause harm will find easier victims elsewhere.