Fraudulent Transactions on Mobile Apps Are a Growing Concern

Finjan Mobile Blog – Mobile Security


In a report analyzing consumer fraud data for the first quarter of 2018, RSA Security disclosed that the number of fraudulent transactions on mobile apps has risen by over 600% since 2015. Some 39% of all fraudulent transactions observed during the quarter were carried out via mobile apps.

Why is this happening, and what can be done to prevent it – or at least, minimize the effects?

Fraudulent Transactions on Mobile Apps – Part of a Growing Trend

As the integration of mobile apps with online payment platforms and other financial services has improved over the years, the proportion of legitimate trade conducted from mobile phones and other portable devices has grown with it. Little wonder, then, that cyber-criminals have seized on mobile channels as a new avenue.

According to RSA’s Q1 2018 Fraud Report, while the overall volume of mobile app transactions has increased 200% since 2015, the proportion of fraudulent transactions originating from mobile apps in that period has gone up by a staggering 680%. Though the increased digitalization of banking and other consumer services partly explains this trend, there are other factors involved.

The rise in fraudulent transactions on mobile apps is the mirror image of the decline of the desktop web browser as the fraudster's medium of choice: the share of fraudulent transactions originating from desktop browsers fell from 62% in 2015 to just 35% in the first quarter of 2018.

But fraudsters would not have moved to mobile apps in such numbers if the mobile platform were not an easy one for them to abuse.

Tools of the Trade

Since convenience and time-to-market often outweigh security in mobile software development, developers rushing to get new products into the app stores frequently release them with bugs and weaknesses that attackers can exploit. Apps that ship this way are easy for hackers and cyber-criminals to hijack or tamper with, turning them into tools for fraudsters to steal credentials, impersonate genuine account holders, and gain illicit access to funds.

Disposable or "burner" phones are another of the fraudster's tools of choice. They allow cyber-criminals to avoid capture, since they are difficult for law enforcement agencies to trace back to a person. It's estimated that 82% of all fraudulent transactions using mobile apps in the period covered by the report were carried out from new devices – devices the institution's fraud systems had never seen before, which is consistent with the use of burner phones.

Social Media as Enabling Environment

With information gleaned from data leaks, stolen credentials, or simply a bit of imagination, it’s quite easy for fraudsters to set up fake accounts on social media.

Given the lack of caution routinely exercised by users on platforms like Twitter and Facebook, social media is shaping up as an enabling environment for perpetrators of mobile and online fraud. Social channels give cyber-criminals ready access to communicate with targets, “customers” (those who buy their services), and partners. They’re able to trade information with others in the loop, promote their various services, and even create “virtual storefronts” to sell malware, consultation, or stolen credentials.

It's reckoned that in the not too distant future, social media will overtake the Dark Web as cybercriminals' online environment of choice.

Daniel Cohen, Director at the RSA Fraud and Risk Intelligence Unit, summed it up this way:

“Social media’s scalability, anonymity and reach is providing cyber criminals with the perfect disguise; they can jump between accounts and devices at will, rarely using the same device twice. This makes it much easier to dodge the authorities and continue scamming.”

Protective Measures to Prevent Fraudulent Transactions on Mobile Apps

With around 5% of all fraudulent transactions now associated with a rogue mobile app, users need to be more cautious when downloading new software. Apps should only be sourced from recognized official app stores. It's always advisable to read a selection of the reviews for each product, to get an idea of how the software behaves for other users. This should be followed by a careful appraisal of the permissions the app demands in order to run, weighed against what the app claims to do: a flashlight or wallpaper app has no business reading your text messages or drawing over other apps' screens. A due diligence search on the software developer or publisher is also a good idea.
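The permissions appraisal above is where a practitioner can be concrete. The following script is an added example, not code from the original post or from Finjan: it parses a decoded AndroidManifest.xml (as found in an app's source tree or after decoding an APK) and buckets the requested permissions by how useful they would be to someone trying to steal credentials or intercept one-time passcodes. The permission names are real Android permissions; the shortlist, its risk levels and the explanatory notes are the editor's own and are not taken from the RSA report. The sample manifest is constructed for a supposed "flashlight" app.

```python
"""Triage the permissions an Android app requests before installing it.

Added example, not code from the original post or from Finjan. The
HIGH_RISK / MEDIUM_RISK shortlist is the editor's own judgement.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERMISSION_ATTR = "{%s}permission" % ANDROID_NS

# Permissions that let an app read one-time passcodes, draw over another
# app's login screen, or observe and inject user input.
HIGH_RISK = {
    "android.permission.READ_SMS": "can read SMS one-time passcodes",
    "android.permission.RECEIVE_SMS": "can intercept SMS one-time passcodes on arrival",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays on top of other apps",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service: reads screen content, injects taps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload further packages",
    "android.permission.READ_CALL_LOG": "can read call history",
}
# Privacy-sensitive permissions that are plausible for some apps but
# should still be checked against what the app claims to do.
MEDIUM_RISK = {
    "android.permission.READ_CONTACTS": "can harvest contacts for follow-on phishing",
    "android.permission.RECORD_AUDIO": "can record audio",
    "android.permission.CAMERA": "can use the camera",
    "android.permission.ACCESS_FINE_LOCATION": "can track precise location",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return every permission the manifest requests or binds a service to."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)}
    # Accessibility services are not requested via <uses-permission>; the
    # <service> element is instead protected by BIND_ACCESSIBILITY_SERVICE.
    for service in root.iter("service"):
        bound = service.get(PERMISSION_ATTR)
        if bound:
            perms.add(bound)
    return perms


def triage(manifest_xml: str) -> dict:
    """Bucket the requested permissions by fraud relevance."""
    perms = requested_permissions(manifest_xml)
    return {
        "high": sorted(p for p in perms if p in HIGH_RISK),
        "medium": sorted(p for p in perms if p in MEDIUM_RISK),
        "other": sorted(p for p in perms if p not in HIGH_RISK and p not in MEDIUM_RISK),
    }


def verdict(manifest_xml: str) -> str:
    """'reject' if any high-risk permission is present, 'review' if only medium, else 'ok'."""
    buckets = triage(manifest_xml)
    if buckets["high"]:
        return "reject"
    if buckets["medium"]:
        return "review"
    return "ok"


# Constructed manifest for a supposed flashlight app; not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Flashlight">
        <service android:name=".Helper"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    buckets = triage(SAMPLE_MANIFEST)
    for level in ("high", "medium", "other"):
        for perm in buckets[level]:
            note = HIGH_RISK.get(perm) or MEDIUM_RISK.get(perm) or ""
            print(f"[{level:6}] {perm}  {note}")
    print("verdict:", verdict(SAMPLE_MANIFEST))
```

For a published app the manifest is inside the APK in binary form; the same logic applies once the APK has been decoded with an apktool-style utility, or when reviewing the permission list an app store shows before installation. A camera permission is unremarkable for a flashlight; SMS interception, an overlay permission and an accessibility service together are the pattern of a credential- and OTP-stealing app, regardless of how good the reviews look.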

Phishing tactics and social engineering ploys are part and parcel of online fraud, regardless of whether the transactions are conducted via mobile phone, desktop browser, or point of sale. The standard precautions apply to emails, text messages, and advertising alike: avoid taking rash, emotional actions in response to promises or threats; don't click on embedded links or download attachments from unsolicited communications; and use a separate channel (a phone call to a number you looked up yourself, an in-person visit, etc.) to verify that the person or organization claiming to have sent a message actually sent it – never the contact details supplied in the message itself.

If you've fallen victim to an attack that has compromised your financial accounts, the fraudsters will likely drain your funds progressively rather than all at once. Monitoring your notifications and statements for suspicious activity, or for transactions you don't recall initiating, may give you enough early warning to contact your bank or card issuer and have them take remedial action.

For businesses, the signs of fraudulent transactions and the best practices for dealing with phishing attempts and other attack methods should be communicated to employees through security awareness training and an enterprise-wide system of notifications and information sharing.

Processes for identifying the devices used by members of an organization, and for verifying the software running on them, should be established and written into corporate security policies and device management procedures. Fraud and risk management rules may then need tuning: a device never seen before on an account is a strong risk signal, but responding to every such signal with a hard block produces false positives and adds friction for legitimate customers at login or transaction time.
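The "new device" statistic quoted earlier (82% of mobile-app fraud came from devices not seen before) and the tuning problem just described fit together in one control. The following is an added example, not code from the original post, from Finjan or from RSA: a risk-based decision function that treats a device unknown to the account as the heaviest signal, combines it with a few others, and maps the total to allow / step-up / block through two thresholds. The weights, thresholds and transaction records are constructed for illustration; a real institution would fit them to its own labelled data. The `outcomes` function shows the trade-off the text warns about: tightening the thresholds blocks a customer who simply bought a new phone.

```python
"""Risk-based step-up for mobile-app transactions.

Added example, not from the post or the RSA report. Weights, thresholds
and sample transactions are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Txn:
    account: str
    device_id: str
    amount: float
    payee_known: bool                            # payee already in the account's history
    minutes_since_last: Optional[float] = None   # None: no recent transaction on the account


@dataclass
class Policy:
    new_device_weight: float = 0.45   # device never seen on this account
    new_payee_weight: float = 0.20
    high_amount: float = 500.0
    high_amount_weight: float = 0.20
    velocity_minutes: float = 10.0    # another transaction this soon is suspicious
    velocity_weight: float = 0.15
    step_up_at: float = 0.40          # demand a second factor
    block_at: float = 0.75            # refuse and alert the fraud team


def risk_score(txn: Txn, known_devices: dict, policy: Policy):
    """Return (score clipped to [0, 1], reasons that contributed)."""
    score, reasons = 0.0, []
    if txn.device_id not in known_devices.get(txn.account, set()):
        score += policy.new_device_weight
        reasons.append("new device for account")
    if not txn.payee_known:
        score += policy.new_payee_weight
        reasons.append("new payee")
    if txn.amount >= policy.high_amount:
        score += policy.high_amount_weight
        reasons.append("high amount")
    if txn.minutes_since_last is not None and txn.minutes_since_last < policy.velocity_minutes:
        score += policy.velocity_weight
        reasons.append("high velocity")
    return round(min(score, 1.0), 2), reasons


def decide(txn: Txn, known_devices: dict, policy: Policy) -> str:
    """Map the score to one of 'allow', 'step_up', 'block'."""
    score, _ = risk_score(txn, known_devices, policy)
    if score >= policy.block_at:
        return "block"
    if score >= policy.step_up_at:
        return "step_up"
    return "allow"


def outcomes(labelled, known_devices: dict, policy: Policy) -> dict:
    """Count what a policy does to labelled legitimate and fraudulent transactions."""
    counts = {"fraud_allowed": 0, "fraud_blocked": 0, "legit_blocked": 0, "legit_stepped_up": 0}
    for txn, is_fraud in labelled:
        d = decide(txn, known_devices, policy)
        if is_fraud and d == "allow":
            counts["fraud_allowed"] += 1
        elif is_fraud and d == "block":
            counts["fraud_blocked"] += 1
        elif not is_fraud and d == "block":
            counts["legit_blocked"] += 1
        elif not is_fraud and d == "step_up":
            counts["legit_stepped_up"] += 1
    return counts


# Constructed data: devices each account has used before, and labelled transactions.
KNOWN_DEVICES = {"acct-001": {"dev-aaa"}, "acct-002": {"dev-bbb"}}
LABELLED = [
    (Txn("acct-001", "dev-aaa", 40.0, True), False),         # everyday payment from the usual phone
    (Txn("acct-001", "dev-new", 40.0, True), False),         # same customer, just bought a new phone
    (Txn("acct-002", "dev-bbb", 900.0, False), False),       # large payment to a new payee, own phone
    (Txn("acct-002", "dev-xyz", 900.0, False, 3.0), True),   # unseen device draining the account fast
]

DEFAULT = Policy()
STRICT = Policy(step_up_at=0.30, block_at=0.45)  # a new device alone is now a hard block

if __name__ == "__main__":
    for txn, is_fraud in LABELLED:
        score, reasons = risk_score(txn, KNOWN_DEVICES, DEFAULT)
        print(f"{'FRAUD' if is_fraud else 'legit'} {txn.account} {txn.device_id:8} "
              f"score={score:.2f} -> {decide(txn, KNOWN_DEVICES, DEFAULT):8} {', '.join(reasons)}")
    print("default:", outcomes(LABELLED, KNOWN_DEVICES, DEFAULT))
    print("strict: ", outcomes(LABELLED, KNOWN_DEVICES, STRICT))
```

Under the default policy the burner-device transaction is blocked while both legitimate edge cases (new phone, unusually large payment) are only stepped up to a second factor. The strict policy blocks the same fraud but also hard-blocks the customer's new phone, which is exactly the false positive and customer friction that the text says risk policies must be tuned to avoid. In production the "known devices" set would come from the institution's device-identification process and be updated once a stepped-up transaction succeeds.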

Organizations should also monitor social media (using their own IT resources, or third-party threat intelligence and managed security providers) for threats and fraudulent activity targeting their business or brand. Guidelines for the secure use of social media should likewise be included in employee training programs.
