Mobile is taking the spotlight as fraudsters shift to account takeovers and e-commerce fraud in the wake of EMV chip cards taking hold at the physical point of sale.
Fraudsters know consumers log into their bank accounts more than five times a week from mobile devices, and 55% of financial services transactions came from mobile devices by the end of the year, according to the 2016 ThreatMetrix Cybercrime Report. San Jose-based ThreatMetrix provides fraud prevention tools for payment processors and financial institutions.
"It's like cyber crime in a box," said Vanita Pandey, vice president of product marketing at ThreatMetrix. "It is so easy for anyone to initiate fraud, all while organized crime rings are sending out numerous attack methods."
Cyber crime is more automated and organized than ever before, taking advantage of global transaction volume and making cross-border transactions riskier than domestic ones. In this era of cyber attacks, it is increasingly important for banks, retailers and other businesses to establish stronger customer identity and device identity when screening payments and other financial transactions for potential fraud, Pandey said.
"We look at 300 different attributes on the device, from screen size to device size, or whether it is a mobile device," Pandey said. "You add that to behavioral biometrics such as what your keystroke is like, and whether you are left- or right-handed. These are signals that establish device behavior."
ThreatMetrix says in the fourth quarter of 2016, its digital identity network stopped 122 million attacks in real time, including 75 million rejected e-commerce transactions, a 35% increase over the previous year. Up to 80 million attacks last year against banks and financial services used fake or stolen credentials, ThreatMetrix says.
In the past year, ThreatMetrix saw an increase in "bot" attacks, accounting for 80% to 90% of fraud volume for some companies. Bots generally engage consumers in a chat format or request information to initiate transactions. This trend continues, after ThreatMetrix reported massive bot attacks seeking payment data and new account creation in 2015.
"They use the bot to obtain information and try to log into your account and steal passwords," Pandey added. "If they can't get a password, they will hack in another way."
A key message from the ThreatMetrix report is that banks and merchants should make sure their mobile offerings to consumers have as many security layers as possible, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"I do think that properly fortified, the mobile app has the potential to be far more secure than online commerce," Conroy said. "The 'properly fortified' piece of that is key though, and many banks and merchants aren't there yet."
Another growing area of fraud concern that the ThreatMetrix report confirms is with stolen gift cards, Conroy said.
Gift cards offer fraudsters the perfect opportunity to quickly monetize a stolen credit card, selling them for cash at online auction sites and elsewhere, the report said. Fraudsters are also selling used, counterfeit and fraudulent gift cards, often overstating their value to trusting consumers who have grown accustomed to online gift card marketplaces.
"The holiday gift card spike is not a surprise, and is one that echoes the conversations I've been having with merchants," Conroy said. "Fraudsters love their gift cards."
Because travel and entertainment markets are increasingly connected with digital devices, cyber criminals are targeting those industries to cash out their stolen credentials. Device spoofing, in which fraudsters try to delete and change browser settings in order to mimic the victim's device, is the most common attack vector, at 75%, in travel and entertainment, the report said.
Fraudsters are also enjoying the rise of the "sharing economy" in travel and entertainment, in which consumers rent vacation homes, buy tickets or book cab rides with others. Scammers will create fake listings to trick consumers or develop fake ride-sharing apps to launder money.
"The travel piece is becoming very interesting for fraudsters," Pandey said. "They can take over an account, go onto a site to rent a place, then steal everything at that place."
Stealing points from payment cards is also on the rise, as is fraudsters' attempts to get into the insurance industry with stolen account credentials.
The good news from all of the increasing fraud activity is that protecting a mobile device can be more effective than protecting payment cards or personal documents, via the use of fingerprint readers and other built-in security methods. "I think we will move into a world where a lot of information will be stored in your mobile device and transactions will move from card present to more of a customer present, and the security emphasis will be on who the customer is," Pandey said.