By Mark Somers, Technical Director at 4most Europe www.4-most.co.uk
With an increased reliance by consumers on mobile devices to communicate, transact and authenticate, the hot topic of identity theft and mobile fraud has progressed from being merely a niche occurrence to a widespread and global concern for many. The concerns not only stem from banks, retailers and mobile payments providers, but also for mobile service providers too, who are managing their reputation and brand within this problematic industry. There have been many examples of high sensitivity data being used on mobile phones. Email addresses, password safes, text messages, mobile banking, purchases of apps are just some of the kinds of data consumers store on their mobiles. This makes for an incredible opportunity for would-be fraudsters and protecting the integrity of this data is set to dominate mobile fraud prevention efforts in the next five years.
While the data held on mobile devices is becoming more valuable it is also becoming increasingly apparent that no security or encryption can be guaranteed as flawless (past examples include the Open SSL weakness publicised in April 2014 and the iOS 7 security flaw patched in February 2014). Some have been known to potentially expose private security encryption keys to third parties with the loss being untraceable to the user. These sorts of security flaws combined with the inevitable opportunities of compromised employees releasing sensitive data (for instance, the Morrison’s security leak earlier this year) imply that the possibility of fraud is not something that can be entirely designed out of the digital/mobile environment despite the formidable range of encryption and verification technologies available on these platforms.
Competition is a problem?
Consequently, there are a number of challenges in securing the mobile channel against fraud. Advancements in mobile phones mean that the technology they use is becoming more and more powerful, but even so, it is a far less mature environment than a desktop computer which makes this platform far easier to abuse. Unfortunately there isn’t enough collaboration happening in the industry to tackle these issues, meaning it’s very often unclear as to who exactly holds the responsibility for creating better levels of security; the application developer, the phone manufacturer or the network provider?
That said one of the best places to start is with consumers themselves. Building and retaining consumers’ trust is a major problem for the industry and helping users combat identity theft through improved basic education is an important part of that process. Many mobile phone users are still unaware of the potential risks they face every time they use their mobile phones to store information, transact or communicate. But although the industry does have a responsibility to continue educating, all the education in the world is still never realistically going to be enough to cure this problem. Why? Because even when you communicate the potential risks of mobile fraud on a wide scale, some people will still continue to hand over their personal information to pretty much anyone who asks for it. Therefore it is also essential to use advances in technology to ensure that all consumers and businesses are protected from these risks in a way that they can relate to. The technology does already exist to do this, it must be mobile-based, real time and multi-layered in approach so as not to affect the consumer (or customer) experience.
Validate transactions against location
1) Consumers can monitor their transactions and the information held about them by third parties to enable them to determine if fraudsters are misusing their details. Technology must be improved to make this more of an automated warning system as opposed to requiring manual intervention from the consumer. For example, technology is being developed to enable banking transactions to be validated automatically against the customers’ mobile phone location to provide an early alert if customers’ cards are being used in locations where they are not present. This also extends to behavioural monitoring, normal spending patterns and identifying new events that are a-typical. Similarly credit reference agency CallCredit in the UK, now offers consumers a free service to allow customers to check what credit accounts are being opened in their names and warns them of spurious change of address requests.
2) Multi-factor authentication provides an opportunity to make fraud much more difficult for important transactions or communications. Pre-saved passwords are always potentially vulnerable to attack, either by being cracked by brute force methods or by interception techniques. By adding a second factor, for example a time generated number with a common key only known between recipient and transmitter and preferably held on an independent physical device (e.g. a dongle or card reader) makes the value of single passwords much lower.
3) Currently technology companies are moving towards bio-metric authentication – for example Apple and Samsung have both introduced fingerprint recognition to unlock iPhone 5 and Galaxy 5 respectively. While these approaches are still relatively simple (within hours of release activists had demonstrated security problems within Apples’ fingerprint recognition that would allow anyone who can lift a copy of your fingerprint off of a door handle or pane of glass for example, to gain access). Nonetheless as an added level of security it makes life harder for the fraudster – they now need physical access to your fingerprints. Other biometric markers, while more difficult and inconvenient to read, potentially offer higher security as they are not inadvertently left behind (for example iris scanning).
Time to get serious
In the end fraud, and the measures needed to combat it will always evolve, however, in the battle to minimise the chances of large scale digital mobile fraud, diversity and multiple independent forms of authentication offer the very real opportunity of making fraud confined to a relatively small scale problem. In some ways if suppliers converge on a single approach and a single factor the chances of serious problems become magnified as the prize for breaking the system gets bigger to criminals and the consequences more serious for the rest of us.
The future growth of mobile payments in terms of volume (and the resulting fraud risk) is certain. Researchers and analysts are estimating that $670bn mobile payments will have transacted by the end of 2015, but unless the industry starts to take the security of those payments more seriously, the consequences could be disastrous for many.