Mobile, as a financial fraud threat vector, is growing dramatically. Fifty-eight percent of digital transactions now originate from mobile devices, and one-third of attacks are via mobile. It is worse in the U.S., which saw a 44% increase year on year compared to a 24% global increase (perhaps partly reflecting the predicted switch from card-present to online fraud following the introduction of EMV cards in the U.S.).
The figures come from the Q2 2018 Cybercrime Report (PDF) from ThreatMetrix, based on the analysis of 17.6 billion digital transactions during the first half of 2018.
“Mobile is quickly becoming the predominant way people access online goods and services, and as a result organizations need to anticipate that the barrage of mobile attacks will only increase,” said Alisdair Faulkner, Chief Identity Officer at ThreatMetrix. The primary reason is that the medium is liked by both users and vendors: identity can be tied to the phone.
For vendors, mobile transactions can be more secure than desktop transactions; while for users, mobile authentication can provide low friction authentication. The basic principle is that individual devices can be securely identified, while individual users can be tied to the device via strong authentication using built-in biometrics (commonly face, voice or fingerprint recognition).
Mastercard is spearheading the use of mobile phones for authentication with its Identity Check phone-based biometric authentication. This will only increase the use of mobile phones for financial transactions. It is, however, a double-edged sword. “Biometric data stored by a service provider is just as valuable a target for cybercriminals as a database containing usernames and passwords,” warns David Emm, principal security researcher at Kaspersky Lab. His concern is that while a stolen password can be changed, a stolen biometric cannot. “Biometric data, unlike a username or password, is persistent: we carry it with us for life,” he added.
“The good news,” continued Faulkner, “is that as mobile usage continues to increase, so too does overall customer recognition rates, as mobile apps offer a wealth of techniques to authenticate returning customers with a very high degree of accuracy. The key point of vulnerability, however, is at the app registration and account creation stage.”
This ‘point of vulnerability’ is likely to increase over the short term. Europe’s PSD2 (the open banking directive) in particular is intended and expected to fuel growth in new fintech companies and applications. This will inevitably focus on mobile financial services; and criminals will seek to exploit any weaknesses or loopholes they can find in the new services. “The [FinServ] industry continues to perch on the precipice of reform, with European banks cautiously waiting to see how opening their APIs to third party providers (Account Information Service Providers and Payment Initiation Service Providers), will influence both fraud levels as well as customer satisfaction.”
The biggest threat comes from device spoofing where fraudsters attempt to trick banks into thinking that login attempts come from new customer devices. More than 5% of all attempted transactions were recognized as such attacks. Identity spoofing is the second most significant threat, comprising 3.6% of all transactions. It was lower for finserv-specific attacks where the criminals often use stolen rather than spoofed identities. 25% of new eCommerce account applications are fraudulent, a 130% increase compared to Q2 2017.
Other common attack vectors include IP spoofing (2.2%) and man-in-the-browser or bot attacks (1.8%). The use of bots is booming, with 2.6 billion bot attacks detected in Q2 2018 — an increase of 60% from Q1. “Bots,” explains the report, “are automated scripts that attempt to gain access to accounts with stolen credentials or create fake accounts and transactions.”
In the latest quarter. bot traffic has come from Vietnam, Indonesia, Russia, Malaysia and South Korea. “These bots,” explains the report, “are mainly attempting to takeover good user accounts, slicing down lists of stolen identity data until they get a hit, often adjusting their rate controls to a ‘low-and-slow’ attack speed to mimic legitimate customer traffic.”
The report notes the growth of criminal activity focused around the summer’s World Cup football tournament in Russia, and the spread of financial fraud activity to emerging economies. Russian president Putin claimed that “during the World Cup almost 25 million cyberattacks and other criminal attempts on Russia’s information infrastructure, connected in one way or another to the running of the football World Cup, were neutralized.”
As the world becomes more connected both financially and by travel, ThreatMetrix warns “enterprises need to ensure they have dynamic, behavioral analytics-based fraud detection systems in place, which can both identify good returning customers in unusual situations (such as travelling abroad to the World Cup), as well as spotting fraudulent use of credentials which criminals try to mask by hiding in unusually high transaction volumes.”
Founded in 2005, San Jose, Calif.-based ThreatMetrix’s technology analyzes connections among devices, locations, identity information and threat intelligence, and combines the data with behavioral analytics to identify high-risk transactions in real time. It announced its acquisition by RELX Group in January 2018.