Mobile devices offer special vulnerabilities to fraud
As the types of mobile devices grow, expect more kinds of mobile-specific fraud.
Fraud hits online publishers and advertisers on every platform, but mobile devices offer some special opportunities. And, as the types of mobile devices increase, the types of special vulnerabilities are likely to increase.
To get a sense of a few mobile-specific fraud weaknesses, we checked in recently with several experts.
For Maor Sadra, managing director and CRO of mobile ad platform AppLift, last-touch attribution for app installs is a key weak spot.
App installs are mostly priced as cost-per-install (CPI), he noted, where the advertiser whose ad is the customer’s last touch point gets the attributed credit — and therefore the payment for the app install.
“This is flawed by nature,” he said, since the first ad impression has the biggest impact. While multitouch attribution is becoming more common for many kinds of sales or actions, Sadra said last touch point is still common for app install payments.
It’s a flaw, he said, that allows fraudulent publishers to simulate a user’s click on an ad even if no ad has been shown and no user has clicked. That fake click then triggers a payment to the publisher, because it is the last touch before someone randomly downloaded the app from the store.
“The hot potato,” he added, “is the debate between flawed and fraud, [since] that flaw creates a lot of fraud.”
For instance, let’s say game maker Rovio wants to get more downloads for an app, and they’re willing to pay $1 per install, based on third-party attribution.
A fraudulent website could generate fake clicks for an ad it didn’t run, perhaps thousands of fake clicks. The attribution service will look for the “nearest click to the install,” Sadra said, “and, because the industry often assigns [credit] to the last click, this works.”
“It’s click spamming, [wrongly] getting credit for an install that really happened.”
He added that false clicks are difficult to filter because they might be generated on real devices in developing countries by real users who are paid pennies.
To fix this vulnerability, Sadra believes the mobile standard should be multitouch attribution, not last click. Plus, he said, app publishers should be able to get more info and have more control in their app store page. Currently, app stores don’t provide publishers/developers with much information on app downloads, he said, which hinders their ability to assign the proper credit.
Amit Joshi, director of product and data science at fraud detection service Forensiq, pointed out that detection of ad click hijacking is also complicated by the fact that each click-tracking service has its own methods.
Not to mention, he pointed out, that app installs themselves can be faked through emulators — or even actual people on those low-wage farms — that use a stream of fake mobile device IDs to download the apps.
For John Hugg, founding engineer at high-performance database firm VoltDB, there’s a specific 50 to 100 millisecond window that is left open to mobile fraud.
It’s the time between entering a username/password and being authenticated for mobile purchases.
It’s in that tiny slice of time, he noted, when an e-commerce site can quickly look at that user’s history and, using machine learning, determine if there’s some pattern that looks wrong. This is a service his company provides.
The user might have logged into the site from a device in Florida, for instance, but the fraud can be detected because, an hour later, the same user hits the site from a device in the UK.
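The Florida-then-UK check can be written as a simple speed rule over a user's consecutive logins. The sketch below is an added example, not code from the article or from VoltDB, and it is a fixed rule rather than the machine learning Hugg describes. The event tuples, the 1,000 km/h ceiling and the 50 km noise tolerance are assumptions made for illustration.

```python
import math
from collections import defaultdict

MAX_SPEED_KMH = 1000.0   # assumed ceiling, roughly airliner speed
MIN_DISTANCE_KM = 50.0   # assumed tolerance for geolocation noise

# Constructed sample events: (user, epoch_seconds, latitude, longitude)
EVENTS = [
    ("alice", 0,     25.7617, -80.1918),  # Miami, Florida
    ("alice", 3600,  51.5074,  -0.1278),  # London, UK, one hour later
    ("bob",   0,     25.7617, -80.1918),  # Miami
    ("bob",   10800, 28.5384, -81.3789),  # Orlando, three hours later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0  # mean Earth radius
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(events, max_speed=MAX_SPEED_KMH, min_dist=MIN_DISTANCE_KM):
    """Return (user, timestamp, distance_km, speed_kmh) for each suspicious hop."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in events:
        by_user[user].append((ts, lat, lon))
    alerts = []
    for user, seen in by_user.items():
        seen.sort()  # compare each login with the one before it
        for (t1, la1, lo1), (t2, la2, lo2) in zip(seen, seen[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < min_dist:
                continue  # same area; ignore geolocation jitter
            hours = (t2 - t1) / 3600.0
            # Simultaneous logins from distant places imply infinite speed.
            speed = math.inf if hours == 0 else dist / hours
            if speed > max_speed:
                alerts.append((user, t2, round(dist), speed))
    return alerts

if __name__ == "__main__":
    for user, ts, dist, speed in impossible_travel(EVENTS):
        print(f"{user}: {dist} km in one hop at t={ts}, ~{speed:.0f} km/h")
```
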
On the desktop version of the e-commerce site, digital fingerprinting of the user’s browser can employ multiple unique attributes to identify the user. But, Hugg noted, “fingerprinting a browser for mobile is different.”
A desktop site can, for instance, look at a variety of specific browser attributes — version, settings, device types and so on — that help to identify the different devices employed. But there are few browser versions and other clues in mobile, he said, and fewer mobile sites employ machine learning to look for fraudulent patterns between request and authentication.
Mobile devices are now the most dynamic arena for computing and communications. But, as smartphones, tablets and watches are joined by intelligent cars, glasses and other new mobile incarnations, the device-specific vulnerabilities for fraud are likely to grow as well.