Mobile Fraud Trends #CreditChat – there’s always a first time for everything

June 25, 2014 by David Britton

Today I co-hosted a TweetChat with Experian on mobile fraud trends. To be honest, it was the first Twitter Chat I took part in. It was fun, informative and a great way to connect with folks in our industry – from our customer base, partners and more.

The discussion was fast paced and the 140-character limit for tweets means I wasn’t able to elaborate on many of the points I made. Thus, thought I would share my insight through a blog post.

What are the most common types of mobile fraud?  

Malware. According to Forbes, 97 percent of mobile malware is on Android devices. That’s not to say that Apple isn’t seeing it, too. They are, but at a much reduced scale due to their validation processes. Forbes also states that android malware rose from 238 threats in 2012 to 804 new threats in 2013 and continues to rise.

Mobile malware has a couple of varieties that everyone should be aware of. They’re increasingly common and you’ve likely seen the first one making media headlines like rapid fire in recent months:

  1. Ransomware: locks a user’s phone and fraudsters demand payment to unlock it.
  2. Credential stealing malware: attempts to capture the credentials of the victim as they access a service.
  3. Premium dialing/texting malware that uses victim phones to increase traffic and charges to rogue accounts.

Courtesy of AppleInsider

Mobile fraud, as a category, also needs to include the use of the mobile device by fraudsters as the attacking instrument. Fraudsters exploit the fact that organizations may not have applied the same security measures to their mobile access points that they have in their traditional online access. Big mistake. All organizations should make sure that they are not exposed to fraud originating from the mobile channel (either mobile app or mobile web based.) Companies need to ensure they can identify the device regardless of platform.

Am I more at risk on my mobile device than I am on my computer? 

As a consumer, industry data has illustrated that there is no significant difference between the risk of the PC and a mobile device. The PC is still a much more valuable target to fraudsters, considering its wide use. But as the mobile platform continues to grow, mobile exploits are also growing, forcing the industry to build in more robust strategies around mobile access. This includes the platform providers, app developers and businesses that want to increase their mobile offerings.

The bigger point here is that the Apple platform has much less malware activity than the Android platform does today. Apple has stringent developer policies and scrutiny.

For businesses, as a relative percentage of device activity, we are beginning to see that there is more fraud in the mobile channel than in the traditional channel. Bear in mind that mobile volumes today are still much smaller than the traditional PC. Mobile can also be a fraud staging area, where fraudsters can see balances and activity and then takeover your account… But this is not a vulnerability with the consumer using their device, rather it’s with the fraudsters using the mobile channel since it’s a separate channel where the banks may not have effective cross-channel visibility.

How do I know if you have a legitimate app vs a fake / fraudulent app? 

There are a few simple steps to verify the legitimacy of apps – check for typos, grainy logos and images and check user reviews on the app store. Moreover, this is an issue of where users are getting their apps. Make sure you are only downloading apps from the platforms’ authorized app environments. And keep in mind that the prevalence of malware on the Google Play platform is much higher than that on the AppStore.

What other risks do mobile devices pose to personal identity?

The phone doesn’t necessarily present greater risks than PCs, but people do tend to use them more frequently, and with less of a thought toward security. My advice: make a habit of locking your phone and don’t buy apps from sketchy platforms.

What are the methods that banks and retailers are choosing to secure mobile payments?

It’s a device access versus personal access issue. Need for business is to recognize devices regardless of payment type.  In the NFC space, there’s also a question of liability… who is on the hook when happens? Is it the merchant? The card issuer?  There are still some gray areas when it comes to mobile wallet (NFC) transactions being used for physical purchases.

For NFC (in person) payments, the POS makers use industry standards – but they can still be vulnerable to attack based on malware distributed via POS terminals, as we have seen lately.

For mobile bank payments – some banks use device recognition and device behavior– but all banks really should use it – best way to detect rogue activity from the device.

Most retail mobile payments are tied to a wallet – so wallet providers must also secure access to the wallet ensure that it doesn’t become the weakest link.

Will passwords ever die? What other forms of identification might be used?  

For businesses, passwords are already dead, since most have been stolen over the years. Businesses should be using device recognition – it’s one of the strongest tools to differentiate between good and bad users.

Any final tips on how people can protect themselves from mobile fraud? 

Don’t buy apps from sketchy third party platforms. Don’t click on links from untrusted parties, lock your device, make sure your device is backed up and don’t pay ransomware demands.

If you have any other questions that weren’t answered in the #TweetChat, please leave a comment here or tweet to me at @DBritton41st.