At the end of 2013, our CTO Dan Ingevaldson made some predictions about how fraud trends would look in 2014. Now that the year is almost one-quarter over, we can already see how the highly dynamic risk landscape has confirmed some of Dan’s worst fears and then some, while also producing new threats delivered through novel attack vectors.
Here is a list of some fraud trends we are seeing that are currently impacting electronic transactions in a big way, and that we expect to see continue throughout the rest of 2014:
- Increased adoption of mobile banking is leading to unprecedented amounts of mobile malware
Mobile banking is growing so fast that by the end of next year it will already overtake online as the main way most people interact with their financial institution. Today, 58% of Americans have at least one smartphone and 42% own a tablet, and offering mobile banking has graduated from being a part of a financial institution’s competitive edge to being a compulsory part of a bank’s services for its clients.
The notorious gangster Willie Sutton once said that he robbed banks because that’s where the money was, and today’s cybercriminals are following the money to the mobile channel, where customers increasingly perform their transactions. A recent study from Juniper Research found that over 80% of smartphones have no protection against the wide range of known malware attacks, a sobering number that almost certainly rises once newer attacks that typical mobile anti-malware programs have not yet detected are included. Kaspersky also recently reported that over 1,900,000 users worldwide encountered banking-specific malware in 2013 and that 98% of those users also accessed the financial services it targets. All of the now-traditional malware attacks we have seen in the online banking environment (phishing, fake sites, pharming, man-in-the-middle and man-in-the-browser attacks) are also being launched successfully against mobile banking users, along with a few threats unique to the emerging channel, such as malicious applications and malware targeting jailbroken Apple devices.
A single solution to deal with the many threats targeting the mobile banking platform is simply not enough to stop the hydra-headed fraud that quickly evolves to seek out any exploitable vulnerability in an institution’s mobile banking infrastructure. Two-factor authentication has been sidestepped by specific malware created to defeat it in high-profile attacks such as Eurograbber and Operation High Roller that resulted in millions of dollars stolen from banks and their customers. These attacks definitively prove that moving authentication to unsecured devices is only facilitating fraud, not mitigating it. If devices are not secure, and banks don’t have visibility into customer browsing behavior and device health, mobile banking will lead to more fraud. Using the multi-faceted protection of Easy Solutions Mobile, financial institutions can design secure push authentication from directly within their mobile banking application, proactively protecting customer devices, gaining crucial visibility into the end-user fraud environment, and allowing devices infected by malware to safely perform mobile transactions.
- Attacks targeting vulnerable parts of the payment card processing chain continue to catch merchants off-guard
Since Black Friday of last year, a number of merchants, and the customers who paid them using credit and debit cards, have fallen victim to sophisticated attacks targeting their POS terminals. Target, Neiman Marcus, Sally Beauty, and Michael’s have all had to deal with the fallout of massive card breaches, and there is much speculation that other stores will soon need to announce that they have been victimized by attacks as well. Financial institutions have done a great job of strengthening their “front door”; that is, they have secured much of the infrastructure that is directly under their control to prevent attacks and limit fraud. But the breaches occurring at the merchant level show that fraudsters will always look for a “back door” that is comparatively unprotected to launch an attack against. Cybercriminals are looking to make the greatest amount of money they can while expending as little effort and running as little risk as possible, and exploiting the unfortunately common security gap discovered in POS terminals has been a boon for fraudsters’ bottom lines. With thousands of merchants to choose from in terms of possible attacks, it is inevitable that other businesses will continue to be victimized, with little that financial institutions can do to prevent it from happening. Even the switch to EMV chip-and-pin cards, while reducing in-person cloning attempts, has led to large increases in fraud in card-not-present transactions, since fraud is in constant evolution to go where the weakest link in the payment processing security chain is located.
While financial institutions can’t stop attacks on turf that is the security responsibility of other businesses in the payment processing chain, they can and must have security in place to mitigate the damage their institution might suffer as a result of such attacks. A passive approach that waits for fraud to occur before the bank responds to shut it down will lead to far greater losses than a strategy that seeks to preemptively thwart fraud with intelligence about imminent attacks and stolen card information. Card information stolen in these attacks shows up almost immediately on black market sites that traffic in pilfered credentials and cloned cards for use in fraudulent purchases, and an institution that is able to see when cards belonging to its customers appear on these sites can cancel those cards before they are used to perpetrate any fraud. DMS Compromised Card Services can give your institution the power to preemptively safeguard customer accounts that appear on black market sites before any unauthorized access or use happens, keeping customer money where it belongs.
- End users continue to avoid using best practices when surfing the web or buying online or through mobile devices, allowing the biggest attacks to occur
The Target attack ended up being launched from infected POS terminals, but it all began with a phishing attack sent to employees at an HVAC vendor that did business with Target. It was this phishing attack that enabled the cybercriminals to eventually gain the access they needed to Target’s infrastructure so that they could ultimately steal millions of credit and debit card numbers undetected. End-user browsing behavior continues to be the Achilles’ heel that allows the most successful attacks to rob large amounts of money, and no amount of education seems to put a dent in customers’ susceptibility to clicking on malicious links and attachments. As much as financial institutions may wish otherwise, customers are simply not fraud-centric in their thinking when they browse the web or make purchases electronically. Banks are also not able to lash their customers with a wet noodle every time they click on a shortened malware link, download an attachment from a dodgy source, or enter their credentials into a banking website that upon closer examination is quite obviously a phishing website. Once again, banks need a method to mitigate unsafe behavior that is out of their control.
Keeping this occasionally harmful browsing behavior in mind, financial institutions must develop security that assumes the end user will accidentally or carelessly infect their device, and enable customers to interact safely with their bank regardless. To this end, Detect Safe Browsing (DSB) harnesses a wide variety of data from user devices to stop fraud attacks in real time, providing a protected channel to the websites that users frequently access. DSB scans devices for the latest malware, including fake applications that may be malware in disguise. Financial institutions also gain valuable insight into customers and devices, and are able to see the types of malware that are threatening their user base in real time and stop it before it does any harm.
As the three tendencies in recent fraud attacks described above show, fraud is constantly evolving to overcome the anti-fraud strategies that businesses currently have in place to protect themselves. Any single strategy used to combat fraud will not be enough in today’s constantly changing fraud landscape, because cybercriminals are constantly probing for new vulnerabilities and weaknesses that can be used in fresh attacks that circumvent that security entirely. The most effective approach to the seemingly endless variety of fraud attacks targeting businesses of all kinds is to implement security at different layers of the transaction process, so that any attack not detected by one security layer can be discovered by another. The Total Fraud Protection strategy from Easy Solutions offers omni-channel and end-to-end protection against all forms of electronic fraud, across all stages of the fraud attack cycle, from planning to cashing. This platform allows your business to use real-time data and intelligence across various protection layers to provide proactive risk management no matter how fraud evolves.