Deconstructing Mobile Fraud Risk

Today's enterprise security solutions don't do enough to manage BYOD risk, credit card theft and the reputational damage resulting from a major data breach.
Earlier in the mobile revolution, the threats that are considered imminent today (malware, phishing and criminal device misuse) were often theoretical and carried a low probability of ever impacting an enterprise. Even though these threats have become real, quantifying the risk and justifying the expenditure to protect against them remains a challenge.
As a result, most mobile security software is still sold as insurance against a single event that could have catastrophic impact on the business, and is considered part of the cost of doing business.
Contrary to this thinking, mobile fraud is not one “big bad event”, but a continuous stream of smaller, ongoing breaches or attempted breaches that are often hard to detect. When left unaddressed, these multiple attacks could have a serious aggregate impact on a business.
What are organizations overlooking when they apply traditional mobile enterprise security under the "big, bad event" approach? I see three critical areas of concern:
First, fraud starts on systems you can’t control.
Enterprise security assumes some level of control over devices allowed to access a company’s systems. BYOD programs utilize tools such as mobile device management (MDM) solutions to control the device security posture. This level of control is much harder, and sometimes impossible, when dealing with the customer’s “unmanaged devices” in a B2C environment.
While IT security is proficient in protecting corporate assets like endpoints, servers and databases, it is challenged with protecting non-corporate controlled assets, specifically customer devices. In a way, that is the original “BYOD” problem – protecting users’ access and transactions without controlling the underlying device.
Efforts to educate users about protecting themselves have had limited success: human nature is susceptible to social engineering schemes and temporary lapses of judgment. Users sometimes jailbreak or root a mobile device to install rogue applications. A jailbroken or rooted device is more susceptible to malware that can take over critical device functions such as SMS, which is frequently used as a second factor for strong authentication (one-time passcodes delivered by text message); intercepting it can lead to credential theft and monetary losses. And because mobile devices have limited screen real estate, it is often harder for users to identify bogus phishing URLs embedded in email.
Second, fraud management is a high frequency/high friction activity.
Merchants in the U.S. lose approximately $190B each year to credit card fraud. When fraudulent transactions enter enterprise systems, they trigger a series of actions needed to deal with the affected party (customer, partner or supplier). The support team gets involved to manage the interaction with the fraud victim. Analysts and investigators need to review forensic data to figure out what happened and where the money was moved to, and attempt to recover the funds before they are gone. Restoring "business as usual" often requires the victim to invest time and effort in verifying that their own systems are safe. When you factor in that these fraud cases occur at high frequency, this adds up to extremely repetitive, intense engagement.
By contrast, when we are talking about security within an enterprise's own systems, only actual breaches that lead to data loss, which are relatively rare occurrences, require this kind of heavy lifting. For example, according to the Ponemon Institute, only 22 percent of data breaches involve at least 10,000 records.
Third, fraud is visible to the world.
Customers experiencing fraud will lose trust in the mobile channel or in the business overall. If the losses are not automatically covered by the enterprise (as is often the case when corporate, rather than consumer, bank accounts are compromised), litigation can follow, creating negative brand impact. Even at a smaller scale, fraud incidents may be shared by unhappy customers on social networks and can ultimately lead to customer churn. Fraudulent activity also invites deeper regulatory scrutiny of processes and procedures, which further distracts line-of-business and IT resources. Enterprise security breaches, by contrast, may not become public unless the lost data must be disclosed under a regulatory or compliance requirement, and many are therefore left undisclosed.
Mobile enterprise security and mobile fraud prevention share the common goal of protecting sensitive business assets and confidential customer information. Unfortunately, many security teams and organizations still view mobile security and mobile fraud prevention as a single discipline, and do not realize that their current strategy may not be protecting them as well as they think. It is imperative that companies implement a strategy that protects their customers from malicious activity on devices the company does not control, as well as protecting data within the company's own network of managed devices.
Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ...