
Mobile Wallets: The New Fraud Frontier

By Ryan Wilk, Director, NuData Security

Mobile wallets are enjoying increasing adoption. Payments made via mobile devices in the United States are expected to total $90 billion by 2017, a big jump from the $12.8 billion spent in 2012, according to Forrester Research.

There are two different types of mobile payments. The first type works through contactless technologies such as Near Field Communication (NFC) built into mobile phones. With contactless technologies, the payment traverses the merchant's POS system and the relevant payment-processing environment and does not rely on the mobile carrier's network.

The second type of mobile payment is a mobile application (mobile wallet) that allows payment to be processed through the mobile carrier's network, as is the case with banks. A mobile wallet has several key components, including the ability to provision account information, payment origination and payment processing.

With the near-ubiquity of mobile devices, banks are under pressure to come out with their own mobile banking apps, but security fears abound.

Mobile Concerns
Mobile apps currently hold many and varied credit card details, raising concerns about security. These valid concerns include loss of privacy, loss of security around financial transactions, data loss and the perception of insecurity. Legitimate applications passing user data to other applications or third parties in an unauthorised manner is gaining more attention in the public arena, as it should. In addition, a possible drawback of the mobile wallet and secure element solution is that a single PIN unlocks all of the accounts stored in the wallet, resulting in much greater exposure if that PIN is compromised.

Financial institutions that can ease security fears, offer money-saving incentives and promote widespread acceptance of mobile wallets may see more customers embrace them.

Behavioral Analytics: Putting Fraud in Context
But where to begin? With a company's bottom line, brand reputation and customer loyalty on the line, how can institutions secure payments via mobile wallets? They need to be able to trust the user behind the device, by verifying that user based on behavior. Deploying advanced user behavioral analytics allows the organization to recognize genuine good users more accurately and improve the customer experience. Tracking behavioral patterns lets an institution learn who the real user behind the wallet is, from the kind of device they use to behavioral anomalies that emerge over time. When it comes to fraud attempts, banks can use that same information to quickly spot bad actors attempting to cycle through stolen card details.

How does behavioral analytics work? Behavioral analytics focuses on observed characteristics of who the user is, not just who they tell you they are. It continuously profiles users and accounts through their entire lifecycle across multiple channels, including desktop and mobile Web and native apps. Continuously profiling users' behavior enables two key capabilities. First, it lets risk managers detect and respond to risk sooner, reducing the chance of financial loss. Second, when the user does reach a transaction point, fraud managers have the full context of all their previous actions and behavior to make a better decision on the transaction.

To collect all these observed characteristics, non-PII networks analyze billions of transactions, including user behaviors, to create a store of anonymous identities that are categorized as good users and riskier users. These identities remain completely anonymous and adhere to stringent privacy laws. With this collection of identities, a bank gains an early warning system that can alert it when a user is behaving "badly," even if it is the first time the user is approaching one of its sites.

User behavior analytics can help answer bigger questions, such as:

  • How did the user behave previously when they logged in? Are they behaving the same now? In other words, is this the real user accessing this account?
  • When the user is inputting data, is it similar to how they've interacted on the same mobile device before, or is it completely different?
  • Is this "user" creating a fraudulent mobile wallet with stolen account information?
  • Is their behavior repeated? Repeated behavior yields important information. If the behavior is the same every time they visit, perhaps we can say it's a good user, acting the same as always. But if it's the same behavior that 1,000 users are all repeating, it could indicate that this behavior is part of a crime ring that is creating bogus accounts with stolen credit card data. This could be a distributed, low-velocity attack, the kind of attack that exposes you to massive amounts of loss.
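The two signals described above, a session that departs from an account's own history and a behavioral fingerprint that many distinct accounts share, can be checked mechanically. The following is an added example, not code from NuData Security or from the original article; the log format, field names (device, typing_ms, order), thresholds and account names are all constructed assumptions for illustration. It builds a per-account baseline from earlier sessions, flags later sessions that deviate from it, and separately flags any fingerprint repeated across several accounts, which is the distributed, low-velocity pattern the last bullet warns about.

```python
# Toy behavioral-analytics scorer (added example, not the article's or any
# vendor's code). All log lines, field names and thresholds are constructed.
from collections import defaultdict

# Constructed session log, one line per completed login/provisioning session,
# in chronological order. "typing_ms" is an assumed mean inter-keystroke
# interval; "order" is the assumed order in which form fields were filled.
LOG_LINES = """
ts=1 account=alice device=dev-A typing_ms=140 order=name,card,expiry,cvv
ts=2 account=bob device=dev-B typing_ms=210 order=name,card,expiry,cvv
ts=3 account=alice device=dev-A typing_ms=150 order=name,card,expiry,cvv
ts=4 account=bob device=dev-B typing_ms=200 order=name,card,expiry,cvv
ts=5 account=alice device=dev-Z typing_ms=40 order=card,cvv,expiry,name
ts=6 account=new1 device=dev-K typing_ms=35 order=card,cvv,expiry,name
ts=7 account=new2 device=dev-K typing_ms=36 order=card,cvv,expiry,name
ts=8 account=new3 device=dev-K typing_ms=35 order=card,cvv,expiry,name
ts=9 account=new4 device=dev-K typing_ms=37 order=card,cvv,expiry,name
""".strip().splitlines()


def parse(line):
    """Turn a 'key=value key=value' line into a dict with numeric ts/typing_ms."""
    rec = dict(tok.split("=", 1) for tok in line.split())
    rec["ts"] = int(rec["ts"])
    rec["typing_ms"] = int(rec["typing_ms"])
    return rec


def fingerprint(rec, bucket_ms=20):
    """Coarse behavioral fingerprint: device, typing-speed bucket, field order.
    Bucketing makes near-identical timings collide on purpose."""
    return (rec["device"], rec["typing_ms"] // bucket_ms, rec["order"])


def per_account_anomalies(history, rec):
    """Compare one session with the same account's earlier sessions.
    Returns a list of reasons; an empty list means consistent with the past."""
    reasons = []
    if not history:
        return reasons  # first sighting: no baseline to compare against yet
    if rec["device"] not in {h["device"] for h in history}:
        reasons.append("new device")
    mean_ms = sum(h["typing_ms"] for h in history) / len(history)
    if abs(rec["typing_ms"] - mean_ms) > 0.5 * mean_ms:  # assumed 50% tolerance
        reasons.append("typing speed off baseline")
    if rec["order"] not in {h["order"] for h in history}:
        reasons.append("unfamiliar field order")
    return reasons


def shared_fingerprints(records, min_accounts=3):
    """Fingerprints shared by at least min_accounts *distinct* accounts.
    One user repeating their own habits is normal; the same habits appearing
    under many accounts suggests one operator behind all of them."""
    accounts = defaultdict(set)
    for rec in records:
        accounts[fingerprint(rec)].add(rec["account"])
    return {fp: sorted(a) for fp, a in accounts.items() if len(a) >= min_accounts}


def score_log(lines, min_accounts=3):
    """Walk the log in order and return {ts: [reasons]} for flagged sessions."""
    records = [parse(line) for line in lines]
    rings = shared_fingerprints(records, min_accounts)
    history = defaultdict(list)
    flagged = {}
    for rec in records:
        reasons = per_account_anomalies(history[rec["account"]], rec)
        fp = fingerprint(rec)
        if fp in rings:
            reasons.append("fingerprint shared by %d accounts" % len(rings[fp]))
        if reasons:
            flagged[rec["ts"]] = reasons
        history[rec["account"]].append(rec)
    return flagged


if __name__ == "__main__":
    for ts, reasons in sorted(score_log(LOG_LINES).items()):
        print("session ts=%d flagged: %s" % (ts, ", ".join(reasons)))
```

Run as written, the scorer leaves the consistent sessions alone, flags alice's ts=5 session on three independent signals (new device, much faster typing, different field order), and flags the four new accounts at ts=6 through ts=9 not because any one of them looks odd on its own but because they all share one fingerprint. A production system would weight and combine these reasons rather than treat every hit as a block, and would compute the shared-fingerprint check over a rolling window rather than the whole log.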

Observing user behaviour in detail enables the best chance of beating fraud.

Fighting Fraud with Behavioural Insight
There are at least 20 mobile wallet systems currently in use, according to a study from the Carlisle & Gallagher Group. This expands the threat landscape significantly. The fact that the Which? team was able to purchase goods online with card details stolen from an NFC transaction suggests that contactless cards are not a solution to risk in and of themselves. Of course, preventing data loss in the first place would be ideal, but we have to be realistic. More accurate detection at the point of sale or at login would protect consumers, merchants and banks from fraud no matter how the credentials were obtained.

Relying on a single layer of defense at a single point in the transaction chain is always going to end badly. Profiling across multiple channels, using analysis from billions of transactions, provides the insight needed to more accurately detect mobile wallet fraud. Behavioral analytics offer banks the insight they need in order to protect themselves and their customers from fraudulent activity.


© Copyright 2015 Auerbach Publications