The likelihood is that this year will be a tipping point for smartphones and tablets, given predictions there will be five billion connected devices on planet earth, serving a billion online bank accounts and contributing to US$13 trillion in global ecommerce sales and related transactions.
But with so much at stake, there are huge opportunities for fraudsters. This is reflected by the estimated 25 million unique strains of malware, resulting in an 80% annual increase in phishing attacks and 600 million customer information records breached.
Behind the scenes there’s a sophisticated, interconnected, resourceful and growing army of digital fraudsters overseeing the theft, distribution and sale of personal information on an industrial scale. Therefore in developing any anti-fraud strategy, the safest starting point is to assume there’s a possibility customer data has already been compromised – even before any transaction takes place.
Apart from obvious at-risk ‘smart’ devices like phones, tablets, laptops and other PCs, everything from home routers, CCTV cameras, baby monitors, domestic heating and utility gadgets, thermostats, cloud-based data services, printers and firewalls to video-conferencing systems is also potentially vulnerable.
Take the recent flap over Heartbleed. While the furore may have abated and some may have been lulled back into a sense of security, our huge volume of connected devices means we are still vulnerable.
The software bug simply highlighted a critical flaw in software called OpenSSL, which is supposed to make it much harder to steal data. Instead, suitably-informed hackers were able to exploit it by remotely prompting the server to hand over small chunks of the data it had just handled – in many cases disclosing log-in details, passwords, or other sensitive personal information.
Since Heartbleed emerged in May, fears have been raised over a possible computer hack by Russian criminals alleged to have targeted hundreds of thousands of computers worldwide with malware, enabling the theft of more than US$100m from business and personal bank accounts. Hot on the heels of that, another high-profile OpenSSL flaw came to light which could still allow hackers to intercept supposedly secure traffic. Around the same time, genealogy website Ancestry.com – among several others – was intermittently knocked offline following a three-day bout of suspected DDoS (distributed denial of service) cyber-attacks, during which the site was overloaded with traffic and crashed. On this occasion no user information was compromised.
It’s clear that fraudsters are fast, inventive, adaptable and constantly testing for any potential vulnerabilities.
Banking at Risk
Take the UK banking sector, for instance, where more and more Brits are moving away from branches in favour of their mobile phones and tablets. According to the British Bankers’ Association, we’ve now downloaded more than 12.4 million banking apps, while the number of transactions made using them has nearly doubled in a year, hitting 18.6 million per week by the end of 2013. The Royal Bank of Scotland app has clocked up more than a billion logins since its launch, while the average Barclays customer uses the bank’s app around 24 times a month. Meanwhile, customers signed up to receive more than 450 million text messages such as balance alerts from their banks in 2013. Two thirds of text alerts received by HSBC customers warned that a balance had dropped below a pre-agreed point they had set. RBS now claims 5.6 million online banking users, while HSBC says that 72% of all its interactions with customers are now carried over the phone or through the internet.
Fraud Detection
While the relative ease and convenience of online banking is great for consumers, it demands constant vigilance from banks’ back-office teams tasked with fighting fraud across multiple channels. Protecting the keys to the kingdom fundamentally hinges on a layered security strategy underpinned by multiple checks from numerous data sets. Having an armoury of tools that includes device intelligence to block compromised card use, fraudulent enrolments, phishing attacks, hidden measures that assess suspicious activity and multi-set identity verification will always be worth the investment.
Given the market share that Apple and MacOS are projected to win during the next few years, having suitably compatible anti-fraud technology will be critical from here on.
Millions of consumers on both sides of the Atlantic regularly put themselves at risk of fraud simply because a lot of us are creatures of habit – to the point of digital delinquency. Recent Experian research has highlighted the prevalence of repetitive online identities, often based on a single e-mail address, username and password combination.
Delayed discovery
Similarly, nearly one in four of the 50 million mobile device users in the UK do not password protect their devices, while only around one in three (37%) have the same passcode or PIN on all mobile devices, with just half (43%) of those who do have passcodes/PINs having shared them with family, friends or colleagues. Only one in six (17%) of mobile device users say they always accept security updates sent to their mobile device, such as OS updates. Just over a third (36.3%) say they rarely request support on security tips when using a mobile device.
Irrespective of the convenience of mobile devices, last year it took an average of 444 days for consumers to discover they had become a victim of identity fraud, so living life on the go can come at a hefty personal cost and needs to be done with care. For individuals it’s always worth investing in web monitoring services which offer instant alerts if personal details get misused online.
Nick Mothershaw is UK&I Director of Identity & Fraud at Experian