With the growing popularity of tablets and smartphones, organizations are quickly moving forward in mobile commerce. As more transactions are conducted via mobile devices, its important for these companies to learn to recognize mobile fraud, as well, according to security experts.
“Mobile fraud is very much like Internet banking fraud 10 years ago,” Andreas Baumhof, CTO of ThreatMetrix, told SecurityWeek.
Where there is money to be made, there will be fraud. However, mobile commerce is still a relatively new area and organizations are still feeling their way along. Cyber-criminals are also exploring the possibilities, and there isn’t a lot of information about the techniques they are testing or the extent of their activities. There is also plenty that can go wrong, and the attack surface is “immense,” Baumhof said.
A lot of mobile fraud actually occurs when the criminals “pretend” to be on a mobile platform even when they are not, Baumhof said. They may do this by changing the browser string, for example. ThreatMetrix relies on TCP fingerprinting, a way to collect configuration details from a remote device, to detect this type of fraud, Baumhof said.
Detecting fraud on mobile devices is challenging, and some of the problems can come from the apps themselves. Many of the mobile apps are developed in a very short timeframe by people who are experts in developing a good user interface, but may have no idea about secure development, Baumhof said. This is why many apps come with built-in vulnerabilities, such as storing passwords as plain-text or a flawed mechanism that can be easily exploited.
Combine that with the idea that user experience is king when it comes to mobile, even trumping security. While there are ways to code security into the app, security is not a priority because developers don’t want anything to potentially detract from the user experience, Baumhof said.
For example, many mobile apps keep the user logged into the site by default so that users don’t have to log in every single time. This exposes the user to possible session hijacking attacks, Baumhof said.
Collecting the data and analyzing the data to identify fraud needs to be real-time—and this is even more important when talking about mobile, Baumhof said.
Many organizations treat mobile transactions differently than those that come from the Web. For example, a ThreatMetrix customer saw a lot of credit card fraud coming in over the company’s iPad app, Baumhof. This happened because the fraudsters had figured out the company wasn’t applying the same level of verification for mobile transactions as they do for the Web, he said.
Organizations should have the same backend transactions processing systems for all transactions and subject to the same policy set, Baumhof said.
Just like the case with credit card fraud and other types of financial fraud, information is key. To combat mobile fraud, companies need to collect more datapoints, “signals,” to create a profile that can be used to verify transactions, Baumhof said.
Mobile devices are harder to recognize uniquely on their own, so organizations have to understand them in the context of the user behind the collection of devices, Waddell said. The power of device reputation hinges on recognizing the associations between a “group of devices” that reveal the level of risk involved in a transaction, he said.
This is also a challenge, since—at least in the case of Apple and iOS 7—the vendor have their own set of restrictions. The most common technique for detecting fraud on the Web and desktop, device fingerprinting, is not very effective and leads to a number of false positives, Sift Science’s Steve Lambe wrote on the company blog.
Device fingerprinting relies on a set of system configuration settings that can be used to identify the device, such as Flash cookies and user customizable plug-ins and extensions, Lambe said. With Apple telling developers they can no longer collect or track UDID away to differentiate between different users, “mobile developers haven’t had an easy way to identify devices,” Lambe said. Mobile devices also don’t have many of the system configuration settings, so they appear as identical devices to many site operators.
IP addresses aren’t always useful for mobile devices because some mobile carriers, such as MetroPCS, have a relatively small pool of available addresses to begin with, Lambe wrote. Some Sift Science customers used Bluetooth MAC addresses as a substitute for mobile device fingerprinting, and some saw credit card fraud drop by as much as 80 percent, Lambe said. However, developers will no longer be able to access the MAC address in iOS 7.
IP addresses are relatively useless because they change dynamically as the fraudster moves around the Web, Waddell said.
This is why large-scale machine learning, where every possible data point is integrated and adapted to the business and common fraud types, is the best approach, according to SiftScience.
Machine learning is just “one tool in the toolbox, not as the be-all and end-all of fraud recognition,” Waddell said. It’s important to understand device and account associations across the business in a shared device reputation network and analyze multiple factors related to fraud risk across an aggregate group of devices, he said.
ThreatMetrix’s Baumhof noted that the information collected could be as varied as device ID, whether or not the device is jailbroken, the geographic location, among others. Fraud prevention providers who have transaction data across multiple organizations can also detect commonalities between different fraud cases across companies.
“The context of the transaction makes the difference,” Baumhof said.
Related Reading: Apple Adds Data Security, MDM Configuration Goodies to iOS 7