Mobile Authentication: Emerging Tools for an Evolving Fraud And Threat Landscape
Posted March 11, 2017
How secure are your mobile logins and transactions?
If there’s one thing we know about fraudsters, it’s that they always follow the money—and increasingly, money is going mobile.
New data from the latest ThreatMetrix Cybercrime Report shows that 45% of all transactions are now conducted on mobile devices, with that figure being significantly higher for financial institutions.
Naturally, cyber crooks are increasingly setting their sights on what has proven to be an especially lucrative target: the financial sector. Is your mobile authentication ready for it?
Dialing for Dollars
In the last 12 months alone, cybercriminals have attacked the financial arm of UK-based supermarket giant Tesco Bank; they have made off with $9 million from Banco del Austro SA; $19 million from Standard Bank of South Africa; and $81 million from the Bangladesh central bank.
To be fair, not all these high profile attacks involved mobile as an attack vector. But competition and consumer demand for slick, friction-free mobile apps means organizations must deliver the convenience and innovation customers want—and fight off a burgeoning number of attacks at the same time.
They’d better hurry. As the Cybercrime Report indicates, 55% of all financial services transactions are already conducted by mobile device—a growth of more than 250% from 2015. In fact, 40% of financial services customers are now mobile-only.
Attack rates tracked on the ThreatMetrix Digital Identity Network still remain higher for desktop than for mobile, and mobile is generally considered safer than desktop. But, fraud in the mobile channel is growing fast. The prevalence of stolen identities and tools to enable cloaking and spoofing is causing attacks targeted at mobile devices to evolve and proliferate.
Key tactics: Fraudsters monitor unsecured wireless networks to intercept user credentials. They encourage users to download hacked versions of legitimate applications from third party stores. And, they are using man-in-the-middle attacks to intercept personal information from otherwise legitimate mobile applications.
The fact is that most mobile devices don’t have updated virus or malware protection, and they become low-hanging fruit for cybercriminals looking to score big. But, that’s not the only problem. People connecting via public and compromised wifi hotspots exposes mobile to additional threats. And, of course fraudsters logging in via mobile with stolen credentials all contribute to a mobile authentication challenge.
According to a February banking survey, 38% of institutions admit that it is getting harder to tell whether a transaction is fraudulent or legit. And nearly half have only partially implemented anti-fraud solutions to fix that.
Yet even in regions adopting new “open banking” standards, a growing number of organizations are discovering that systems based on static forms of verification don’t help distinguish customer from fraudster.
Here’s why: With more than 6 billion identities compromised over the past few years, stolen user IDs, passwords, names, addresses, social security numbers, credit card numbers and even answers to challenge questions and PIN codes are widely available on the dark web, or easily stolen through simple spyware or clever bot attacks.
This enables fraudsters to take over existing accounts or create fraudulent new ones.
To fight back, more organizations are turning to a new generation of dynamic, digital identity based mobile authentication solutions that go far beyond static credentials to instantly identify bad actors—and kick them to the curb fast.
A holistic approach to mobile security:
Organizations who are using the ThreatMetrix Mobile SDK are discovering that dynamic authentication is having a business-critical impact on security, for example:
• Web page fingerprinting and malware detection: Detects MitB attacks or targeted Trojans. Web page fingerprinting can identify whether sites visited through the device have bene altered by cybercriminals, suggesting an attack.
• Advanced Persistent Device Identification: Creates device “fingerprint” information without cookies or storing anything on the device, and can also determine if a device is hidden behind proxies, VPN servers to mask its true identity and location.
• Digital Identity Intelligence: On the backend, the information on the mobile transaction or login can be integrated with broader fraud, risk, compliance and other systems and assessed against 500 different dynamic data elements that zero in on the true identity behind a transaction.
Together, these capabilities protect transactions between the device and your site by instantly detecting whether the device has been compromised by crimeware, Trojans, and phishing attempts. It also spots and defeats MitB attacks, identifies accounts being used for money laundering or mule activities, and rejects fraudulent online account applications and registrations. And it’s lightening fast, so there’s no friction added to the user experience.
Case Study: Protecting Online Banking
Here’s an example of how this mobile authentication all works.
One of America’s leading commercial banks found its new mobile channel was far more susceptible to account takeover attacks than its existing web channel due an inability to accurately separate returning customers from fraudsters. As the number of mobile transactions grew, so did fraud attacks.
Using the ThreatMetrix Mobile SDK, the bank was able toaddress mobile authentication and effectively recognize legitimate customers while significantly reducing fraud levels – without the need to deploy additional infrastructure.
That’s because instead of relying solely on login credentials, or cumbersome two factor authentication, ThreatMetrix Mobile leverages dynamic global threat data to assess device health, user location, and anomalies that may indicate fraud—in real time, without creating friction.
Consumers are now moving seamlessly between connected devices, and expect their experience to be consistent and frictionless—but above all else, secure.
To accommodate modern consumer habits, organizations must put protections in place that work across platforms and recognize their trusted users from all of their devices.
Fraudsters will continue to evolve their tactics, and attacks on mobile transactions are only becoming more prevalent. But with dynamic, digital identity based authentication, businesses can protect their consumers’ logins and transactions long term.
In the battle against increasingly sophisticated cybercrime, this gives you a fighting chance.
To learn more about how to secure your mobile app, check out our whitepaper, “Securing Mobile Applications in an Evolving Fraud and Threat Landscape.”