Mobile Fraud Saw Sharp Rise In Q1
Mobile fraud is on the rise in 2018 with mobile app marketers exposed to 30 per cent more fraud in the first quarter than the quarterly average for 2017, according to App Flyer’s State of Mobile Fraud Q1 report.
According to Kevin Curran, a senior member of the IEEE and professor of cyber security at Ulster University, the most common types of mobile fraud are:
- Fraudulent subscriptions – where a victim’s personal identifying information is commandeered to sign up for premium subscription services.
- Payment fraud – where a victim’s payment details are intercepted through malware on a mobile and used to make purchases. A similar scam is accessing gift cards associated with apps to run up large bills.
- Stolen devices – where a thief can make purchases on a stolen mobile by logging into apps where the user has pre-selected the “keep me logged in” feature.
- Premium SMS fraud – where users are tricked into messaging expensive SMS services and later billed. There are also malicious apps that can be installed which send SMS messages to premium services.
- Missed call & premium service calls – with this technique, fraudsters sometimes hope that users will miss a call and later call back, which causes them to ring a premium rate service. The fraudsters may also leave recorded messages offering prizes, hoping for the same result.
Financial exposure to fraud is believed to have cost between $700 to $800 million worldwide in the first quarter. The report also found the share of fraudulent installs has increased by 15 per cent, “tainting 11.5 per cent of all marketing-driven installs.”
Perhaps most concerning is the fact that this did not occur only among a few large apps targeted by advanced attacks. Some 22 per cent of apps have over 10 per cent fraudulent installs, while at least 12 per sent are significantly exposed with at least 30 per cent fraudulent installs, the report noted.
Even when new protective measures are introduced, “fraudsters adapt, which leads to new measures, and the cycle continues. Fraud has become a high stakes arms race as both sides are becoming increasingly sophisticated,’’ the report stated.
Bots are now the most dangerous threat, according to Apps Flyer, and are responsible for over 30 per cent of fraudulent installs.
The verticals most susceptible to being targeted are shopping, gaming, finance and travel apps. Android is more vulnerable to fraud, but iOS is also a target. “With greater difficulty perpetrating device fraud on iOS, fraudsters resort mainly to click flood, where iOS is well ahead of Android,’’ the report noted. “In all other types of fraud, Android rates are much higher.”
Banking and financial services are other verticals that “seem to be suffering quite a lot at present,’’ observes Curran.
“The common fraud here is account hijacking and identity theft, malware on mobile bank apps and social engineering fraud involving impersonations of customer service specialists,’’ he says.
Other verticals that are typically targeted include ecommerce and the airline industry.
To help prevent mobile fraud from occurring, organizations accepting payments should be aware that orders placed with mobile devices are an important data feature for evaluating fraud, Curran says.
“They should use three-digit CVV number when accepting credit card payments. They can also probe which browser is being used and even prompt users to upgrade to later versions for added security.”
Additionally, enterprises should create a whitelist of applications that users are permitted to install on their devices. He also recommends using enterprise management tools and enabling the device-wipe capability that is configurable for every platform.
“Users should follow for the most part, the same safe computing principles on mobiles as they do on traditional desktops,’’ Curran says.
“Many mobile service providers have security policies in place such as secret questions or personal PINs along with multi-factor authentication.”
He advises users to set a passcode, keep it locked when not in use and also use biometric features, if available. They also should not store personal details like passwords or PINs in texts or emails on the device.
“A simple way to protect against bad apps is not to download an app without thousands of downloads and mostly positive comments,’’ adds Curran.
“It is also important to apply mobile OS updates when they become available.’’
Even though the use of mobile devices at work has exploded, the security controls and enterprise management tools available have not matured in the same way.
“For at least the time being, mobile security is largely a matter of enforcing IT policies and making use of third-party software applications. Security is important as mobiles have become devices [that] store vital information we do not want leaking.”
Although it seems obvious, it’s worth emphasizing that organizations need to view these devices with the same security scrutiny given to computers and laptops.
“All software has vulnerabilities,’’ Curran stresses.
“The issue is what happens when a flaw is discovered. The quicker a software update can be distributed, the more secure you are. The longer a device remains outdated with known vulnerabilities, the greater the risk.”