
How Mobile Commerce is Challenging Fraud Detection

With the growing popularity of tablets and smartphones, organizations are quickly moving forward in mobile commerce. As more transactions are conducted via mobile devices, it's important for these companies to learn to recognize mobile fraud as well, according to security experts.


“Mobile fraud is very much like Internet banking fraud 10 years ago,” Andreas Baumhof, CTO of ThreatMetrix, told SecurityWeek.

Where there is money to be made, there will be fraud. However, mobile commerce is still a relatively new area and organizations are still feeling their way along. Cyber-criminals are also exploring the possibilities, and there isn’t a lot of information about the techniques they are testing or the extent of their activities. There is also plenty that can go wrong, and the attack surface is “immense,” Baumhof said.

Fraud Conducted from Mobile Devices

In terms of straight numbers, though, mobile fraud is still on the low end, Scott Waddell, CTO of iovation, told SecurityWeek. Mobile devices are still not the platform of choice for fraudsters, since the platform isn’t conducive to automated campaigns and “broad-brushed fraud,” he said. “Using a mobile device just doesn’t have the return on investment for their efforts,” Waddell said.

A lot of mobile fraud actually occurs when the criminals “pretend” to be on a mobile platform even when they are not, Baumhof said. They may do this by changing the browser string (the User-Agent), for example. ThreatMetrix relies on TCP fingerprinting, a way to collect configuration details from a remote device's network stack, to detect this type of fraud, Baumhof said.
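The check described above, as an added illustration that is not ThreatMetrix's code or the article's own: a request whose browser string claims iOS or Android but whose IP stack looks like a different operating system is flagged. The only network signal used here is the observed IP TTL, rounded up to the well-known default initial values (64 for Linux, Android, iOS and macOS; 128 for Windows); a real fingerprinting engine uses many more stack attributes, and VPNs or proxies can distort this one. The request records are constructed samples.

```python
import re
from typing import Optional

# Well-known default initial IP TTLs: 64 for Linux, Android, iOS and macOS,
# 128 for Windows. Routers decrement TTL per hop, so the observed value is a
# little below the sender's initial value. (Simplified heuristic, see lead-in.)
TTL_FAMILIES = {
    64: {"linux", "android", "ios", "macos"},
    128: {"windows"},
    255: {"other"},
}

# Order matters: an Android User-Agent also contains "Linux", so it is tested first.
UA_PATTERNS = [
    ("ios", re.compile(r"iPhone|iPad|iPod")),
    ("android", re.compile(r"Android")),
    ("windows", re.compile(r"Windows NT")),
    ("macos", re.compile(r"Macintosh")),
    ("linux", re.compile(r"Linux")),
]


def claimed_os(user_agent: str) -> str:
    """OS family the browser string claims, or 'unknown'."""
    for family, pattern in UA_PATTERNS:
        if pattern.search(user_agent):
            return family
    return "unknown"


def initial_ttl(observed_ttl: int) -> int:
    """Round an observed TTL up to the nearest common initial value."""
    for start in (64, 128, 255):
        if observed_ttl <= start:
            return start
    return 255


def stack_matches_claim(user_agent: str, observed_ttl: int) -> Optional[bool]:
    """True if the IP stack is consistent with the claimed OS, False if not,
    None when the User-Agent names no OS family to compare against."""
    family = claimed_os(user_agent)
    if family == "unknown":
        return None
    return family in TTL_FAMILIES[initial_ttl(observed_ttl)]


# Constructed sample records (not real traffic): request id, User-Agent, observed TTL.
SAMPLE_REQUESTS = [
    ("r1", "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1", 52),
    ("r2", "Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1", 117),
    ("r3", "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36", 120),
    ("r4", "Mozilla/5.0 (Linux; Android 4.3; Nexus 7 Build/JSS15Q) AppleWebKit/537.36", 58),
]


def flag_spoofed_mobile(requests):
    """Return ids of requests whose User-Agent claims a mobile OS while the
    IP stack points at a different OS family (r2 claims iOS from a 128-TTL stack)."""
    flagged = []
    for req_id, user_agent, ttl in requests:
        if claimed_os(user_agent) in ("ios", "android") and stack_matches_claim(user_agent, ttl) is False:
            flagged.append(req_id)
    return flagged


if __name__ == "__main__":
    print(flag_spoofed_mobile(SAMPLE_REQUESTS))  # ['r2']
```

The point of the mismatch test is that the browser string is entirely under the client's control while the stack behaviour is a side effect of the operating system actually sending the packets; a disagreement between the two is a signal to weigh, not proof of fraud on its own.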

Detecting fraud on mobile devices is challenging, and some of the problems can come from the apps themselves. Many mobile apps are developed in a very short timeframe by people who are experts in building a good user interface but may have no idea about secure development, Baumhof said. This is why many apps ship with built-in vulnerabilities, such as storing passwords in plain text or a flawed mechanism that can be easily exploited.

Combine that with the idea that user experience is king when it comes to mobile, even trumping security. While there are ways to code security into the app, security is not a priority because developers don’t want anything to potentially detract from the user experience, Baumhof said.

For example, many mobile apps keep the user logged into the site by default so that users don’t have to log in every single time. This exposes the user to possible session hijacking attacks, Baumhof said.

Collecting the data and analyzing the data to identify fraud needs to be real-time—and this is even more important when talking about mobile, Baumhof said.

Many organizations treat mobile transactions differently than those that come from the Web. For example, a ThreatMetrix customer saw a lot of credit card fraud coming in over the company’s iPad app, Baumhof said. This happened because the fraudsters had figured out the company wasn’t applying the same level of verification to mobile transactions as it did to Web transactions, he said.

Organizations should run all transactions through the same backend transaction processing systems and subject them to the same policy set, Baumhof said.

Just like the case with credit card fraud and other types of financial fraud, information is key. To combat mobile fraud, companies need to collect more datapoints, “signals,” to create a profile that can be used to verify transactions, Baumhof said.

Mobile devices are harder to recognize uniquely on their own, so organizations have to understand them in the context of the user behind the collection of devices, Waddell said. The power of device reputation hinges on recognizing the associations between a “group of devices” that reveal the level of risk involved in a transaction, he said.

This is also a challenge, since the vendor has its own set of restrictions, at least in the case of Apple and iOS 7. The most common technique for detecting fraud on the Web and desktop, device fingerprinting, is not very effective on mobile and leads to a number of false positives, Sift Science’s Steve Lambe wrote on the company blog.

Device fingerprinting relies on a set of system configuration settings that can be used to identify the device, such as Flash cookies and user-customizable plug-ins and extensions, Lambe said. With Apple telling developers they can no longer collect or track the UDID, a way to differentiate between different users, “mobile developers haven’t had an easy way to identify devices,” Lambe said. Mobile devices also don’t have many of the system configuration settings, so they appear as identical devices to many site operators.

IP addresses aren’t always useful for mobile devices because some mobile carriers, such as MetroPCS, have a relatively small pool of available addresses to begin with, Lambe wrote. Some Sift Science customers used Bluetooth MAC addresses as a substitute for mobile device fingerprinting, and some saw credit card fraud drop by as much as 80 percent, Lambe said. However, developers will no longer be able to access the MAC address in iOS 7.

IP addresses are relatively useless because they change dynamically as the fraudster moves around the Web, Waddell said.

This is why large-scale machine learning, where every possible data point is integrated and adapted to the business and its common fraud types, is the best approach, according to Sift Science.

Machine learning is just “one tool in the toolbox, not as the be-all and end-all of fraud recognition,” Waddell said. It’s important to understand device and account associations across the business in a shared device reputation network and analyze multiple factors related to fraud risk across an aggregate group of devices, he said.

ThreatMetrix’s Baumhof noted that the information collected could be as varied as the device ID, whether or not the device is jailbroken, and the geographic location, among other signals. Fraud prevention providers who have transaction data across multiple organizations can also detect commonalities between different fraud cases across companies.
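The two points above, one policy set for every channel and a transaction profile built from signals such as device ID, jailbreak status, geolocation and device reputation, as an added example that is neither ThreatMetrix's nor the article's own code. `decide_split` models the iPad-app mistake the article describes (mobile bypasses the verification applied to the Web), and `decide_unified` scores every transaction from the same signals regardless of channel. The weights, the threshold, the `Transaction` fields and the device-to-accounts reputation table are all constructed for illustration, not a vendor's model.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Transaction:
    txn_id: str
    account: str
    channel: str           # "web" or "mobile" (for instance an iPad app)
    amount: float
    device_id: str
    jailbroken: bool       # as reported by the app's own device check
    country: str           # geolocation of the transaction
    account_country: str   # country on file for the account


# Constructed device reputation data: which accounts each device has been seen with.
DEVICE_ACCOUNTS: Dict[str, Set[str]] = {
    "dev-A": {"alice"},
    "dev-B": {"bob", "carol", "dave", "erin"},
}


def risk_signals(txn: Transaction, device_accounts: Dict[str, Set[str]]) -> Tuple[int, List[str]]:
    """Score a transaction from the signals the article names.
    Weights are illustrative assumptions, not a vendor's model."""
    score, reasons = 0, []
    if txn.jailbroken:
        score += 30
        reasons.append("jailbroken device")
    if txn.country != txn.account_country:
        score += 25
        reasons.append(f"geo mismatch {txn.country} != {txn.account_country}")
    # Device reputation: a device tied to many accounts is the "group of devices" signal.
    linked = device_accounts.get(txn.device_id, set()) | {txn.account}
    if len(linked) >= 3:
        score += 35
        reasons.append(f"device shared by {len(linked)} accounts")
    if txn.amount >= 500:
        score += 10
        reasons.append("high amount")
    return score, reasons


def decide_unified(txn: Transaction, device_accounts: Dict[str, Set[str]], threshold: int = 50):
    """One policy for every channel: the decision depends on the signals,
    not on whether the request came from the Web or an app."""
    score, reasons = risk_signals(txn, device_accounts)
    decision = "review" if score >= threshold else "approve"
    return decision, score, reasons


def decide_split(txn: Transaction, device_accounts: Dict[str, Set[str]], threshold: int = 50):
    """The weaker arrangement the article describes: mobile transactions
    skip the verification that Web transactions get."""
    if txn.channel != "web":
        return "approve", 0, ["mobile channel: verification skipped"]
    return decide_unified(txn, device_accounts, threshold)


# Constructed sample: a large purchase from a jailbroken, widely shared device,
# geolocated outside the account's home country, arriving through the app.
SAMPLE_TXN = Transaction("t1", "bob", "mobile", 650.0, "dev-B", True, "RO", "US")

if __name__ == "__main__":
    print(decide_split(SAMPLE_TXN, DEVICE_ACCOUNTS)[0])    # approve
    print(decide_unified(SAMPLE_TXN, DEVICE_ACCOUNTS)[0])  # review
```

The same transaction is approved by the split policy and sent to review by the unified one; nothing about the transaction changed, only whether the channel was allowed to short-circuit the policy.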

“The context of the transaction makes the difference,” Baumhof said.

Related Reading: Apple Adds Data Security, MDM Configuration Goodies to iOS 7
