Carrier billing: Fraud and risk management in 2019 and beyond

Alex Radonjic

Online sales from mobile devices have been skyrocketing. Juniper Research estimates that in 2018, the total value of digital content paid for via carrier billing alone was $27.7 billion worldwide. Global digital merchants, like Google and Apple, have implemented carrier billing as a paying method and are strongly increasing their market share.

Google Play now offers the payment option across much of Asia (including major markets such as India, Indonesia, Japan, Philippines, Thailand and Vietnam) and the Middle East, as well as Europe and North America. Apple is also venturing into selected Asian and Middle Eastern markets.

As with any payment method, fraud remains a constant companion and a source of concern. Wherever transactions and billing are happening on a larger scale, there’s a growing likelihood that fraudsters will attempt to take a piece of the pie. Carrier billing has been no exception. Fraud and risk management in carrier billing have seen lots of talking, examination - and some serious action over the last few years.

– Payments fraud has been a persistent problem in the European marketplace, Michael Reitblat, CEO of Forter told Mobile Payments Today. He cited recent data showing that criminals stole $1.46 billion, associated with the theft of data from more than three million payment cards.

According to 2019 Identity Study from Javelin Strategy & Research, which looks into the tactics among cybercriminals, their focus seems to be shifting to account takeover (ATO) and new account fraud. These are far more threatening — and much harder to detect, experts say.

And how do things look for carrier billing when it comes to fraud and security? Clickjacking and iframe masking remain sources of concern, but they’re also being successfully countered by a growing number of security mechanisms.

Clickjacking is a type of fraud in which the user is tricked into clicking a webpage element which is invisible or disguised as another element. This can cause a download of malware, a visit to a malicious web or worse - provide credentials or sensitive information and unwitting transfer money. This type of hacking is performed by displaying an invisible page (or HTML element) inside an iframe, on top of the page. The user believes they are clicking the visible page but in fact they are clicking an invisible element that could be a malicious page, or it could lead to a new page, let’s say, the user’s banking site that authorizes the transfer of money.

Two general ways to defend against clickjacking are client-side methods and server-side methods. Some efforts to tackle fraud includes two-step online/offline authorisation by telco providers.

There have been instances of problems with the carrier infrastructure, which is common when transferring or upgrading the billing platform. Other cases of consumer fraud are characterised by criminal targeted attacks that attempt to exploit any weaknesses in the billing infrastructure that are harder to detect.

On the merchant side, the key is to invest in security products. And in recent years, carrier billing providers have also developed a series of mechanisms to improve the security of transactions charged to subscribers’ telco plans.

Mobile payment industry must look beyond static identity data for their fraud solutions to make their infrastructure more secure and transparent. Setting up a payment system which allows monitoring purchases in real-time, having the ability to verify the user who is making a payment and to establish whether the user's payment falls in the territory of their purchasing behaviour. For all those additional parameters there needs to be a payment history and records of refunds among others at carrier’s disposal.

Centili has some of the best fraud management tools and security processes in carrier billing, as rated by MNOs from across the globe in 2018 ROCCO’s independent survey of carrier billing vendors.

Some of the general ones are active traffic monitoring, which allows any unusual spikes or aberrations in traffic to be detected quickly. Those types of changes are often good indicators of trouble and call for attention. Risk score estimation per transaction is another measure employed to increase security. It is calculated in real-time, expressing the probability that an attempted transaction could be fraudulent.

Centili keeps a regularly updated list of malicious applications which goes hand in hand with their malicious app detection that can detect apps that initiate transactions and blocks ones that are unsafe. Centili also started comparing IP addresses which initiated and confirmed a transaction. If they are different, it’s IP initiation-confirmation check will block any transaction that is confirmed from a different IP address.

A feature called SIMTCHA challenge will, similar as CAPTCHA, stop bots from automatically clicking on a 1-click-transaction button by giving them a task which they can’t perform. Knowing recent Regulatory Trends in the region, Centili can provide MSISDN hashing, which implies that local servers will hash the MSISDN numbers used for authentication, so international servers only use the hashed version, meaning that the MSISDN number never leaves the country.

Iframe blocker and screen capture will automatically block all misuses for confirmation except those highly trusted ones. Equally important is limits management that protects end-users from unwanted charges.

This is only a small portion of solutions and techniques which Centili has in place, in order to improve the security of transactions charged to subscribers’ telco plans.

Interested in the topic? Get in touch with Centili experts!