10:30 AM
Subbu Sthanu
Subbu Sthanu
Connect Directly
E-Mail vvv

Deconstructing Mobile Fraud Risk

Today's enterprise security solutions don't do enough to manage BYOD risk, credit card theft and the reputational damage resulting from a major data breach.

Earlier in the mobile revolution, threats that are considered imminent today – malware, phishing and criminal device misuse - were often theoretical, and carried a low probability of ever impacting an enterprise. Even though these threats are becoming more “real,” quantifying the risk and justifying the expenditure to protect against them is a challenge.

As a result, most mobile security software is still sold as insurance against a single event that could have catastrophic impact on the business, and is considered part of the cost of doing business.

Contrary to this thinking, mobile fraud is not one “big bad event”, but a continuous stream of smaller, ongoing breaches or attempted breaches that are often hard to detect. When left unaddressed, these multiple attacks could have a serious aggregate impact on a business.

What are organizations overlooking by using traditional mobile enterprise security under the big, bad event approach? I see three key critical areas of concern:

First, fraud starts on systems you can’t control.
Enterprise security assumes some level of control over devices allowed to access a company’s systems. BYOD programs utilize tools such as mobile device management (MDM) solutions to control the device security posture. This level of control is much harder, and sometimes impossible, when dealing with the customer’s “unmanaged devices” in a B2C environment.

While IT security is proficient in protecting corporate assets like endpoints, servers and databases, it is challenged with protecting non-corporate controlled assets, specifically customer devices. In a way, that is the original “BYOD” problem – protecting users’ access and transactions without controlling the underlying device.

Efforts to educate users about protecting themselves have had limited success: human nature is susceptible to social engineering schemes and temporary lapses of judgment. Users sometimes jailbreak or root a mobile device to install rogue applications. A jailbroken or rooted device is susceptible to malware that can take over critical device functions such as SMS; can be used for strong authentication; and can lead to credentials theft and monetary losses. And because mobile devices have limited screen real estate, it’s often harder for users to identify bogus phishing URLs embedded in email.

Second, fraud management is a high frequency/high friction activity.
Merchants in the U.S. lose approximately $190B each year to credit card fraud. When fraudulent transactions enter enterprise systems it triggers a series of actions needed to deal with the affected party (customer, partner or supplier). The support team gets involved to manage the interaction with the fraud victim. Analysts and investigators need to review forensics data to figure out what happened, where the money was moved to and attempt to recover the funds before they are gone. Restoring “business as usual” often requires the victim to invest time and effort in verifying their systems are safe. When you factor in that these fraud cases are occurring at a high frequency, this adds up to extremely repetitive, intense engagement.

By contrast, when we’re talking about security within an enterprise’s own system, only actual breaches that lead to data loss – which are relatively rare occurrences – require heavy lifting. For example, according to the Ponemon Institute, only 22 percent of data breaches involve at least 10,000 records.

Third, fraud is visible to the world.
Customers experiencing fraud will lose trust in the mobile channel or the business overall. If the losses are not automatically covered by the enterprise (as is the case when corporate bank accounts are compromised) litigation can follow, creating negative brand impact. Even at a smaller scale, fraud incidents may be shared by unhappy customers on social networks and can ultimately lead to customer churn. And, fraudulent activity invites deeper regulatory scrutiny of processes and procedures that further distracts line of business and IT resources. Some enterprise security breaches may not become public unless lost data needs to be disclosed as part of a regulatory or compliance requirement. Many are, therefore, left undisclosed.

Mobile enterprise security and mobile fraud prevention share the common goal of protecting sensitive business assets and confidential customer information. Unfortunately, many security teams and organizations are still viewing mobile security and mobile fraud prevention as one, singular entity, and don't realize that their current strategy may not be protecting them as well as they think. Rather, it’s imperative that companies implement a strategy that protects its customers from malicious activity, as well as protecting data within a company's network of devices.

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
Christian Bryant,
User Rank: Ninja
5/5/2015 | 3:46:17 PM
Needed: Tighter Regulations, Harsher Penalties
* First, fraud starts on systems you can't control.

I maintain that an organization serious about protecting its data will have a firm policy against BYOD. This is an organization approach to security that established the importance of the company and its assets over your personal preferences for computing and managing your life. While EMM applications may seem like a fair compromise, when users BYOD they often uninstall EMM apps when things go wrong.

No BYOD means improved security right out the gate.

* Second, fraud management is a high frequency/high friction activity.

I would argue that $190B/year loss to American merchants represents a disaster at a national level. To know that this continues to happen year after year is unacceptable. Here I go again, I know, but to not have tighter regulations and fine-related targets of evaluation (TOE) that must be met by companies to be even _allowed_ to connect financially to the Internet means we as a country are not taking cybersecurity seriously. The US bleeds money yearly (war, international loans/debt, etc) and one of the elements of our economy that allows us to recover from this is our capitalist system. To not protect that system with everything we've got points to a deep lack of understanding of what security, mobile or otherwise, truly is from a data ecosystem standpoint.

* Third, fraud is visible to the world.

I couldn't agree more. From the 22% of high-grade data breeches and the $190B/year loss, this is highly depressing. And when you read exploit and root cause analysis reports on many of these incidents, the initial point-of-entry was one that could have been prevented had the scope of the security strategy been expanded, and the specializations acquired in terms of talent been more varied. Again and again, we see the multitude of security applications making various claims and seemingly presenting an easy all-in-one solution that business often fall for in place of architecture, design and strategy. Perhaps some of this is due to cost-cutting but in doing that, a business might be risking their very existence if they are hit hard by mobile fraud.
8 Ways Hackers Monetize Stolen Data
Steve Zurier, Freelance Writer,  4/17/2018
Securing Social Media: National Safety, Privacy Concerns
Kelly Sheridan, Staff Editor, Dark Reading,  4/19/2018
Firms More Likely to Tempt Security Pros With Big Salaries than Invest in Training
Sara Peters, Senior Editor at Dark Reading,  4/19/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.