Mobile devices can be used to add a second factor of authentication for bank accounts, but they can also be an easy factor for fraudsters to misuse.
There is growing concern in the industry that relentless fraudsters can gain access to sensitive data by first compromising a consumer's mobile devices, fraud prevention vendor Iovation Inc. stated in its July 2 report, "Fighting Mobile Fraud."
As part of the process of taking over accounts at a business or bank, fraudsters realize consumers are verifying transactions through text messaging features or automated voice calls on mobile devices. As such, fraudsters who steal passwords have been using stolen data to take over phone accounts, which could then help them break into financial accounts.
These attacks can also span industries, taking on different characteristics as they progress, says Jon Karl, vice president of corporate development at Portland, Ore.-based Iovation, in an interview.
"Threats are certainly not created equal, but I would say that they are significantly different from industry to industry," Karl says.
For example, the recent exposure of passwords for LinkedIn users set the stage for later hacking attempts. The passwords, as well as other personal information available on the social networking site, could be used as part of an attack on financial accounts.
Mobile fraud is becoming increasingly complex, making mobile commerce even more difficult to protect, says Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group.
Even though account takeover is escalating, e-commerce merchants tend to have good protection in place because they treat mobile and online processes as "digital transactions," rather than categorizing them separately, McNelley says. Since banks tend to view mobile and online as completely different channels, they may not have defenses in place that equally protect both, she adds.
"Consumers are not exactly helping the situation because they don't treat their mobile devices like they would a desktop computer," McNelley says. "They are not protecting mobile devices with passwords and they tend to be careless with them."
Iovation's report highlights major fraud factors in mobile commerce, including malware detection, mobile device theft and cross-channel "touchpoints," which illustrate how many different mobile devices the same consumer can use to interact with a business or bank.
The report concludes that online merchants, banks and others would be best served by developing "a layered defense to expose hidden relationships between users and devices and assess their reputations" as a way to determine safe transactions.
Iovation offers software called Reputation 360, which recently helped law enforcement officials in Kirkland, Wash., bust an alleged fraud ring.
Even though mobile payment options and accompanying security methods can become overwhelming at times for consumers and merchants alike, Karl says he "strongly believes" that most future payments will be mobile.
"I also believe that fraudsters will always evolve and will always find vulnerabilities," Karl warns.