Mobility is the theme of week two of National Cyber Security Awareness Month (otherwise known as October). Last week, I spoke about “Cybersecurity and Shared Responsibility.” This week, I wanted to share with you some data from the ThreatMetrix™ Global Trust Intelligence Network that may influence your behavior when using mobile devices for online transactions.
Let’s start with something you already know: mobility is hot. Our network data confirms the growing use of mobile devices for banking and shopping. Of the transactions served on the ThreatMetrix global network, across almost 2000 businesses:
• Over 33% of online banking transactions are mobile
• 26% of all of the transactions are mobile
That’s a staggering number of mobile transactions – and the numbers are growing, as many of our customers are just now building mobile apps using TrustDefender™ Mobile for embedded fraud prevention.
Mobile devices are a central part of our lives, and this has major cybersecurity implications. For example, we happily use free downloaded games or other ‘fun’ apps on the same device we use for mobile banking – making our transactions vulnerable to malware.
Here are some facts you may not be aware of.
Mobile Transactions Aren’t Always as Secure as Other Transactions
For many reasons, purchases or banking operations from your phone may not go through the same security and fraud prevention measures as those you make on a desktop computer.
• Mobile browsers are different. They don’t provide the same scope and accuracy of information as their desktop counterparts, invalidating some security measures. For example, a mobile device using Opera with Turbo Mode makes it appear that the device is connecting from an IP address in Norway, no matter where the device is.
• Mobile apps use different back-end processes. In the rush to get mobile-optimized apps and sites out, many companies implement alternate back-end processes for mobile transactions. These processes may bypass security controls or be segregated from other transactions – creating blind spots in which hackers can operate.
• Usability trumps security. Companies often make decisions that compromise mobile security. For example, you often stay logged in to mobile apps indefinitely, and mobile devices can use a 4-digit PIN instead of a password for convenience.
Hackers are Exploiting Mobile Devices
Looking across the ThreatMetrix Global Trust Intelligence Network, the data shows us that hackers are fully aware of these vulnerabilities and are using them to their advantage.
For example, one large online retailer in our network sells digital goods both through its website and mobile apps, including an application for the iPad. They see a large number of transactions using stolen credit cards coming from the iPad application. The credit card thieves assume that these applications have lighter security.
They’re Pretending to Use Mobile Devices
In another twist, a growing number of suspicious transactions come from PCs that are pretending to be mobile devices by disguising their browser IDs as mobile browsers. Again, this is in the hope that they can get by with lighter security or fraud measures. (ThreatMetrix can detect the anomaly between reported device and actual device, which is how we can track this trend.)
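One way to check for this kind of mismatch between the reported device and the actual device, as an added example (not ThreatMetrix's code or method). It assumes the server records the User-Agent header, the Sec-CH-UA-Mobile client hint where the browser sends it, and navigator.platform and navigator.maxTouchPoints collected by a page script; the field names and sample requests are constructed for illustration.

```python
import re

# Tokens that mark a User-Agent as claiming to be a phone or tablet.
MOBILE_UA = re.compile(r"iPhone|iPad|Android|Mobile")
# navigator.platform values reported by desktop browsers.
DESKTOP_PLATFORMS = {"Win32", "Win64", "MacIntel", "Linux x86_64"}


def mismatch_reasons(req):
    """List the signals that contradict a request's claim to be mobile."""
    if not MOBILE_UA.search(req.get("user_agent", "")):
        return []  # no mobile claim, nothing to contradict
    reasons = []
    # Sec-CH-UA-Mobile: "?0" is the browser itself saying "not mobile".
    if req.get("sec_ch_ua_mobile") == "?0":
        reasons.append("client hint reports non-mobile")
    # Values collected by a page script; missing values are never counted.
    if req.get("js_platform") in DESKTOP_PLATFORMS:
        reasons.append("desktop navigator.platform")
    if req.get("js_max_touch_points") == 0:
        reasons.append("no touch input")
    return reasons


def is_suspicious(req, threshold=2):
    """Require two contradicting signals so one odd value is not enough."""
    return len(mismatch_reasons(req)) >= threshold


IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 "
             "Mobile/15E148 Safari/604.1")

# Constructed sample requests (not real traffic).
SAMPLES = {
    "real_iphone": {"user_agent": IPHONE_UA, "js_platform": "iPhone",
                    "js_max_touch_points": 5},
    "spoofing_pc": {"user_agent": IPHONE_UA, "sec_ch_ua_mobile": "?0",
                    "js_platform": "Win32", "js_max_touch_points": 0},
    "no_script_data": {"user_agent": IPHONE_UA},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, is_suspicious(req), mismatch_reasons(req))
```

A request that claims to be mobile but supplies no script-collected values is not flagged here; how to treat missing signals is a separate policy decision.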
What Can You Do?
As a consumer, you should be particularly sensitive to the risks of malware on your mobile devices. This means locking your mobile phone and taking care over which applications you install and trust. See the Mobile Safety Tips available from the US Computer Emergency Readiness Team (CERT) at http://www.us-cert.gov/ncas/tips/ST06-007.
On Android devices, be careful about where you download apps, as most malware targets Android. I’d also recommend strongly against using a jailbroken iPhone, which is much more susceptible to malware.
As consumers, we can all start asking our vendors to make mobile transaction security a high priority. “Optimized for mobile” should not mean an attractive user interface at the expense of security. In the long term, a great user interface is no good if you do not trust the application’s safety.
ThreatMetrix™ secures Web transactions against account takeover, payment fraud, identity spoofing, malware, and data breaches. The ThreatMetrix™ Global Trust Intelligence Network, which analyzes 500 million monthly transactions, provides context-based authentication and Web fraud prevention to help companies accelerate revenue, reduce costs and eliminate friction. ThreatMetrix protects more than 1,900 customers and 9,000 websites across a variety of industries, including financial services, enterprise, e-commerce, payments, social networks, government, and insurance. For more information, visit www.threatmetrix.com or call 1-408-200-5755.