When asked by a reporter why he robbed banks, American bank robber Willie Sutton reportedly answered, “Because that’s where the money is.” While there is some controversy as to whether he actually made the statement, it’s a truism nonetheless and there’s even a diagnosis law named after the famous quote.
Today, mobile transactions are where the money is. Not too long ago, consumers typically used their phones for simply checking prices and quick on-the-spot research. No more. According to threat intelligence services provider ThreatMetrix and its report on cybercrime trends, the criminal targeting of mobile increased substantially in the first half of 2018.
According to ThreatMetrix, at the beginning of 2015, just 19 percent of mobile transactions they analyzed were beyond mere account creation logins and payments. That figure hit 58 percent by the middle of 2018. As Willie Sutton would expect, mobile fraud rates are following suit: In the first half of 2018 worldwide, mobile attack rates rose 24 percent when compared to the first half of 2017. When looking at the United States alone, mobile attack rates grew at 44 percent for the same period.
Globally, a full third of all fraud attacks now target mobile. Still, as the report points out, mobile computing provides ample opportunity to accurately assess user identity, such as native strong user authentication and geolocation, among other attributes useful to behavioral analysis. And such capabilities are being put to use: According to ThreatMetrix, the number of mobile device Strong IDs they observed more than doubled in the first half of 2018.
According to Alisdair Faulkner, chief identity officer at ThreatMetrix, the key weakness in mobile security remains the app registration and account creation stages. “To verify users at this crucial point, organizations need to tap into global intelligence that assesses true digital identity, compiled from the multiple channels that their customers transact on,” he said.
Bot Attacks on the Rise
Attacks targeting mobile transactions and mobile accounts wasn’t the only increase during the period. Large retailers took the brunt of a surge in bot attacks in the first half of 2018. According to the report, fraudsters tried to infiltrate retail accounts in good standing to pilfer sensitive personal data and stored credit card data.
Geographically, the bulk of the bot traffic originated from Vietnam and South Korea.
In total, the ThreatMetrix analysis found a 60 percent spike in bot attacks in the second quarter of the year—increasing from 1 billion bot attacks in the first quarter to 1.6 million bot attacks in the second quarter.
This isn’t just a security problem. The flood of traffic from criminal bots is also impacting the availability of legitimate traffic, and if organizations don’t take mitigative measures, order processing can be negatively impacted.
Consider that at peak traffic times some of these organizations have reported that the attack traffic accounts for greater than half of their transaction volume.
Finally, attackers (just like Willie Sutton) are hitting where they know the money is. According to ThreatMetrix, financial institutions were hit with 81 million cybercrime attacks in the first half of 2018. About 27 million of those attacks targeted mobile devices.
According to the report, the largest threat to financial services firms is device spoofing, which is when fraudsters try to fool organizations on the devices originating transactions.
The bottom line is we will continue to see increased mobile attacks, and these attacks will grow more clever as fraudsters refine their efforts to new transaction channels.