Everyone would agree that fraud is bad. Everyone except those committing the fraud.
People committing fraud can cause a lot of grief. Not only is it frustrating for individual victims of fraud, it is costly for businesses.
In particular, mobile payment fraud is more prevalent and costs more than online and offline fraud. Beyond paying for the stolen goods or money, businesses must rebuild trust with their customers. A weakened reputation can scare customers away from using your app/website to make purchases.
In the last post, we reviewed some common methods fraudsters use to wreak havoc. To understand mobile payment fraud further, we decided to delve into some information to figure out who fraudsters are and what they want. This way businesses will know the risks and how to minimize them.
Who commits mobile fraud and what do they want?
Mobile fraud can be committed by individuals or groups. Fraud can be part of an organized, underground crime. One trend today is networks of people working together to commit fraud. One example of this is with mobile malware. Mobile malware is a huge problem. Over 1% of mobile devices contain a malware infection. The problem is exacerbated by the fact that people can sell mobile malware used to hack into phones for more than $5,000 in the underground market.
The malware involves bots that can gain control of phone applications and use them for the hacker’s bad intentions. This underground market means big bucks for those who help fraudsters. It also means that almost anyone, regardless of technical skill, can purchase a bot and commit fraud.
You might imagine fraudsters as technical geniuses surrounded by walls of computers. This usually isn’t the case. Mobile payment fraud often doesn’t involve that much technical skill. Once a fraudster obtains a bot, hacking is relatively easy.
After malware is obtained, it becomes a matter of installing it on a victim’s phone. This can be done by luring victims into downloading malicious applications that can be found in mainstream app markets like Google Play. Unsuspecting victims become players in an attack aimed at them.
Of course, fraud can also be committed by large-scale operations of fraudsters working together and using their expertise. These operations can have automated kits that search for vulnerabilities in applications. These vulnerabilities represent an easy way in for fraudsters.
One example of an app vulnerability involves Apple Pay. Apple Pay allows users to upload credit cards to pay through their app. Unfortunately, this means fraudsters can upload a stolen credit card without having to go through the hassle of producing a physical card with all the right details. This vulnerability became a fairly low-tech way for fraudsters to steal money, as long as they had access to stolen card information.
Fraudsters are out for one thing: money. They effectively “go where the money goes.” They try to steal in the easiest and most effective ways possible, and they’re constantly searching for more avenues to do this.
The most common way to do this is to have the victims themselves give all the details a fraudster needs to steal money. As mentioned before, this is more common than someone hacking into a business and stealing straight from there, although fraudsters are also known to use sophisticated techniques to do this.
What type of businesses do fraudsters target? Research by Vesta shows businesses that sell digital goods (services, tickets, software, etc.) are more likely to be victims of fraud than businesses that sell physical, tangible goods. This is because digital goods sales skip an extra data point that businesses selling physical goods use to validate customer identity. Customers demand quick access to their digital purchase, so there is less time for businesses to debate a risky situation. A higher incidence of fraud translates to digital goods companies spending more of their budget to deal with fraud.
Image from Vesta research
Changing the mobile fraud landscape
Research shows fraudsters are moving from online to mobile channels because security has not yet caught up with the crime. Since fraudsters haven’t had to work around many security challenges, mobile fraud has remained relatively low-tech. Increasing security will make committing fraud more difficult. It won’t make fraud obsolete, though. By turning a blind eye to mobile fraud, businesses will only hurt themselves in the end.
Another issue to tackle is the pervasive belief that mobile devices are more secure than computers. People are more likely to download malicious files on their mobile devices than their computers.
Part of changing the mobile fraud landscape involves education. Businesses should encourage customers to avoid suspicious applications and phishing. They should alert customers to potential scams on their applications.
In addition, businesses must be careful about possible vulnerabilities within their applications to avoid situations like the one with Apple Pay. They can also offer and encourage app updates to address known security issues.
Unfortunately, the mobile fraud landscape might get worse before it gets better. With the inevitable implementation of EMV in the United States, more fraudsters will move toward card-not-present (CNP) methods of fraud, as happened in the United Kingdom. By avoiding physical forms of fraud, more fraudsters may be driven to the mobile world.