April 20, 2018
Growing Mobile Threats
We live in an increasingly mobile world, making it vital for businesses to understand the opportunities and threats. ThreatMetrix operates in three use cases, including advanced fraud protection, frictionless authentication, and brand customer protection. We serve a vast array of companies, from small merchants to large financial institutions. This creates a broad cross-section, and continues to expand our Digital Identity Network.
ThreatMetrix CTO, Andreas Baumhof, highlights the various threats that businesses encounter in the mobile environment. These threats include spoofing, premium services, attacks on “PC” based authentication, app replacement, mobile malware wallet, and API reverse engineering. Device spoofing is when a fraudster ‘spoofs’ the type of device, and it is three times more likely on a mobile site. The next type of malware is premium SMS malware. SMS malware works by stealing a user’s phone number, sending a premium SMS to the provider, intercepting the SMS, reading the PIN, and then sending the PIN back. This type of malware can be hard to trace and discover, because users and providers think that they are transacting in a normal way, with consent.
Another type of mobile malware is Zeus, which has a similar process to the SMS malware, but it injects malware directly into the browser. Another type of malware is iDroidbot, which searches and injects into purses on infected machines. iDroidbots are successful at draining victims’ Visa QIWI wallet, and WebMoney Keeper Mobile. Android.DDoS.1.origin, detected in 2012, is the first Android malware that accepts remote commands via SMS. It is not distributed through the official Google Play Store, but it uses the official icon to trick users. These forms of mobile malware are attacking and exploiting businesses, emphasizing the necessity for threat detection and mobile cybersecurity.
Viaforensics conducted a study in 2011 of 32 financial applications. Of those banking apps, 14 passed the security testing, 10 received a warning rating, and 8 received a fail rating. This calls for banks to recognize cybersecurity as a main concern, before they get breached. A more recent study by 10Active, conducted in January of 2014, analyzed 40 home banking apps. The study showed that 40 percent of audited apps did not validate the authenticity of SSL certificates presented, making them susceptible to Man in The Middle (MiTM) Attacks.
Building a Network of Trust
Attacks are increasing as evidenced by an increase in percentage of rejected transactions from our Network data. Our Data reflects what we have heard from financial institutions and the FFIEC, that they are increasingly the target of stolen credentials for account takeover attacks. Although, there are many threats in the mobile landscape, there are also opportunities. Mobile transactions are expanding globally, and there is an opportunity to be a leader in the mobile market. By utilizing the power of the Digital Identity Network, you are able to establish trust with your customers. Trust is critical to modern business, and cybersecurity is a large part of the ability to trust customers and stop fraudsters. In fact, 10 out of 20 of the top e-Commerce sites are protected by ThreatMetrix. While mobile threats abound, businesses can protect themselves by making mobile fraud prevention a priority.