Securing FinTech Apps With GPS Data
Updated: Nov 2, 2020
Mobile-based fintech solutions are becoming the first port of call for many financial services, as people embrace the simplicity, cost-effectiveness and speed of mobile payments. However, digital fraud is rising just as fast, if not faster, and thus fraud monitoring based on robust customer authentication has become as important as the services mCommerce has to offer customers.
According to statistics released by Statista, the number of smartphone users worldwide has surpassed three billion and is forecast to grow by hundreds of millions of users over the next few years. China, India and the US have the highest number of smartphone users. Alongside the steep increase in the number of individuals using smartphones has been a rise in the proportion of users placing orders via their mobiles and buying online. Research by Outerbox Design found that 79% of US mobile phone users had ordered by mobile and 10% of all retail sales were now conducted electronically (see graph below).
Digital choice is also expanding exponentially. By the fourth quarter of 2019, the number of Android apps had exceeded 2.5 million, according to Statista figures, and Apple’s app store offered more than 1.8 million apps.
In a white paper on evaluating fraud detection tools, OneSpan highlights the importance of adopting a layered, context-aware online security approach to fraud detection. It said anti-fraud weapons need to evolve alongside the evolution of fraud, which continues because it offers such huge potential profits for criminals.
OneSpan says the fraud monitoring framework should dynamically trigger the most suitable authentication method for a given situation, according to its risk level. For example, if a certain transaction is evaluated as suspicious, due to unusual timing, the location of the user or a significantly larger amount than before, the security solution should be able to step up the authentication criteria instead of simply rejecting the transaction or putting it on hold for manual review.
To keep pace with the growth in mCommerce and ebanking and to combat the ever-evolving incidence of fraud, the European Union has implemented the Payment Services Directive 2 (PSD2), a strict regulation that governs electronic payment services. Although the regulation officially governs payment providers in the EU, many other countries have adopted the standards. The PSD2 regulations are bringing about major changes in digital security, requiring the use of what they define as strong customer authentication (SCA) when customers are engaging in remote payment transactions.
CAPS Open Framework, a market initiative that brings together multiple stakeholders who have a common interest in making the Payment Services Directive 2 (PSD2) work safely, published a white paper stating that the rising consumer preference for mobile devices over alternative digital payment options will result in an increasing number of use cases in which mobile customer authentication will be required. It says that mobile operators' data points can be useful complementary information, increasing security by leveraging the contextual information available to mobile operators. For example, a service provider can check whether the user's handset is in an unusual location and act on that information. The contextual information the paper refers to includes location-based authentication provided by Global Positioning System (GPS) information. GPS tracking is undoubtedly a reliable way of monitoring the movements of individuals, because they usually have their phones on them, and it thus provides valuable data that can be used in fraud detection.
Using mobile GPS data as an added level of security allows banks or other payment providers to use the geolocation information gained from the app to determine whether a transaction aligns with the location of the individual's mobile. If not, the provider can act quickly in response to the possibility that a fraudulent transaction is underway.
Establishing the geolocation of the client also enables the authentication of a customer's identity to prevent impersonation and identity theft. Other uses include customization of services and content based on the information banks get from the geolocation of a customer. Location-based information also enables companies to comply with regulations in various jurisdictions, for instance, different regional copyright and financial regulations, as well as trade agreements.
In an article titled "GPS: The Future of Authentication?", author Tracy Kitten notes that most smartphones, such as the iPhone, have built-in GPS tracking. “It's a nice feature for the security of the phone itself, in case the phone gets left at the grocery checkout or someone lifts it when the owner is not looking,” she says.
Gartner Research delved into the potential offered by mobile-enabled GPS as a security mechanism. The lead author of the report, Avivah Litan, concluded that the only device you can count on to provide stronger authentication from location tracking is the cell phone. Gartner predicted that location or profile information derived from mobile devices eventually could be used to validate and detect fraud on 90% of mobile transactions. Kitten explained how location authentication of financial transactions would work: “When a user conducts a card transaction at an ATM or POS terminal, the location of the ATM or POS device would be compared with the location of the user's mobile phone via GPS. So, if a card transaction is initiated at an ATM in Phoenix, but the GPS tracking says the cardholder's phone is currently in Atlanta, the bank could flag the transaction as suspect.”
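The terminal-versus-phone comparison Kitten describes, combined with the step-up (rather than reject) behaviour from the OneSpan white paper, can be sketched as follows. This is an added example, not code from the article or from any vendor it names; the Fix fields, the decide function and all thresholds are assumptions chosen for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0088  # mean Earth radius

@dataclass
class Fix:
    """Last opted-in phone location (hypothetical fields, not a real API)."""
    lat: float
    lon: float
    accuracy_m: float   # reported horizontal accuracy radius
    age_s: float        # seconds since the fix was taken

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def decide(terminal, fix, near_km=1.0, max_speed_kmh=900.0, max_age_s=6 * 3600):
    """Return 'allow', 'step_up' or 'flag' for a card-present transaction.

    terminal: (lat, lon) of the ATM/POS. Thresholds are assumed values.
    """
    if fix is None or fix.age_s > max_age_s:
        return "step_up"            # no usable location: authenticate harder, don't reject
    dist = haversine_km(terminal[0], terminal[1], fix.lat, fix.lon)
    slack = fix.accuracy_m / 1000.0  # the phone may be anywhere within its accuracy radius
    reachable = max_speed_kmh * fix.age_s / 3600.0  # distance coverable since the fix
    if dist <= near_km + slack:
        return "allow"
    if dist <= near_km + slack + reachable:
        return "step_up"            # plausible travel, but location does not confirm
    return "flag"                   # phone could not have reached the terminal

# Constructed sample: ATM in Phoenix, phone fixes in Phoenix and Atlanta.
PHOENIX_ATM = (33.4484, -112.0740)
SAMPLES = {
    "phone_nearby": Fix(33.4490, -112.0735, accuracy_m=30, age_s=60),
    "phone_in_atlanta": Fix(33.7490, -84.3880, accuracy_m=30, age_s=60),
    "stale_fix": Fix(33.7490, -84.3880, accuracy_m=30, age_s=24 * 3600),
    "atlanta_3h_ago": Fix(33.7490, -84.3880, accuracy_m=30, age_s=3 * 3600),
}

if __name__ == "__main__":
    for name, fix in SAMPLES.items():
        print(name, decide(PHOENIX_ATM, fix))
```

A missing or stale fix leads to stronger authentication rather than a decline, so customers who have not opted in or whose phone is offline are not blocked outright.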
Location tracking does raise privacy concerns. To deal with these, however, payment companies wanting to use this security measure can ask customers to opt-in to the added security layer.
Banks and fintech payment providers who have incorporated location-based authentication based on a mobile phone's GPS data include PayPal's Venmo, Velmie, Temenos, MasterCard and Visa. Visa developed Geolocation Services, an opt-in technology that integrated into the bank's mobile apps and enabled the company to match the location of a card transaction with the location of the user's phone.
Velmie, a financial technology provider, is one of the few fintech solutions providers that have recognized the importance of using location-based security technology to protect customers making use of mobile payments solutions. As such, it has integrated mobile GPS data gathering into its white-label mobile wallets to safeguard customers from fraud and other security risks when making payments and other financial transactions via mobile wallets. The primary benefit of adding a contextual layer of location-based security to mobile phone-based financial services is the level of comfort it will give customers considering whether or not to make payments and transactions on their mobile phone.