Mobile devices may be used for making remote transactions, for example in purchases of various products or bank balance transfers. Security for mobile transactions is often obtained by a user providing an authorized user name and a password. However, passwords and user names are often stolen in various ways, such as by hackers and phishing expeditions. Stolen login information results in the authorized mobile device user suffering what is known as account takeover, where their mobile device login information is used to steal their money by purchasing objects on their account. Generally, the stolen login information is used on a different mobile device (e.g., the mobile device of the hacker) than the authorized user's device.
Conventional schemes for improving security for mobile transactions may use additional levels of information beyond passwords, for example number generating fobs, individualized account response keys, or knowledge based authentication questions, such as your mother's maiden name, to reduce account takeover. These schemes lengthen the login process, increase the amount of information the user must memorize, and irritate customers.
It is known to use what are called risk engines to examine features of a remote user's behavior to assess the risk that a preliminary identification (ID) of the user is not really the authorized user. Risk engines may examine the hardware ID of the mobile device, the mobile device location, the time of the transaction, or the input device used in the transaction to help reduce the risk that a remote user, whose preliminary ID depends upon the user name and password, is not in fact the authorized user.
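A minimal sketch of how such a risk engine can combine the four signals named above (hardware ID, location, time, input device) for a login that has already passed the password check. This is an added example, not part of the original text; the weights, the 0.5 threshold, the 500 km distance scale, the "step_up" decision and all names and sample data are assumptions made for illustration.

```python
import math
from dataclasses import dataclass

@dataclass
class Profile:            # history kept for one authorized user
    device_ids: set       # hardware IDs seen before
    home: tuple           # (lat, lon) of the usual location
    usual_hours: set      # local hours (0-23) with past activity
    input_devices: set    # input devices seen before

@dataclass
class Attempt:            # one login whose user name and password were correct
    device_id: str
    location: tuple
    hour: int
    input_device: str

# Assumed weights and threshold; a production engine would fit these to fraud data.
WEIGHTS = {"device": 0.45, "location": 0.25, "time": 0.15, "input": 0.15}
STEP_UP_THRESHOLD = 0.5

def km_between(a, b):
    """Great-circle (haversine) distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def risk_score(profile, attempt):
    """Return (score in [0, 1], names of the signals that raised it)."""
    signals = {
        "device": 0.0 if attempt.device_id in profile.device_ids else 1.0,
        # Assumed scale: risk grows linearly, saturating 500 km from home.
        "location": min(km_between(profile.home, attempt.location) / 500.0, 1.0),
        "time": 0.0 if attempt.hour in profile.usual_hours else 1.0,
        "input": 0.0 if attempt.input_device in profile.input_devices else 1.0,
    }
    score = sum(WEIGHTS[k] * v for k, v in signals.items())
    return round(score, 3), [k for k, v in signals.items() if v > 0]

def decide(profile, attempt):
    """Ask for extra authentication only when the score crosses the threshold."""
    score, _ = risk_score(profile, attempt)
    return "step_up" if score >= STEP_UP_THRESHOLD else "allow"

# Constructed sample data: same credentials, different context.
PROFILE = Profile({"dev-A1"}, (40.7128, -74.0060), set(range(7, 23)), {"touchscreen"})
USUAL = Attempt("dev-A1", (40.7128, -74.0060), 9, "touchscreen")
STOLEN = Attempt("dev-ZZ", (51.5074, -0.1278), 3, "keyboard")
TRAVEL = Attempt("dev-A1", (42.3601, -71.0589), 9, "touchscreen")

if __name__ == "__main__":
    for name, a in (("usual", USUAL), ("stolen", STOLEN), ("travel", TRAVEL)):
        print(name, risk_score(PROFILE, a), decide(PROFILE, a))
```

The known device at a nearby location is allowed without extra prompts, while the same credentials on an unknown device, far away and at an unusual hour, are challenged.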