Dark Reading is part of the Informa Tech Division of Informa PLC
Subbu Sthanu
10:30 AM

Deconstructing Mobile Fraud Risk

Today's enterprise security solutions don't do enough to manage BYOD risk, credit card theft and the reputational damage resulting from a major data breach.

Earlier in the mobile revolution, the threats considered imminent today – malware, phishing and criminal device misuse – were often theoretical and carried a low probability of ever affecting an enterprise. Even though these threats are becoming more “real,” quantifying the risk and justifying the expenditure to protect against them remains a challenge.

As a result, most mobile security software is still sold as insurance against a single event that could have catastrophic impact on the business, and is considered part of the cost of doing business.

Contrary to this thinking, mobile fraud is not one “big bad event”, but a continuous stream of smaller, ongoing breaches or attempted breaches that are often hard to detect. When left unaddressed, these multiple attacks could have a serious aggregate impact on a business.

What are organizations overlooking by using traditional mobile enterprise security under the big, bad event approach? I see three key critical areas of concern:

First, fraud starts on systems you can’t control.
Enterprise security assumes some level of control over devices allowed to access a company’s systems. BYOD programs utilize tools such as mobile device management (MDM) solutions to control the device security posture. This level of control is much harder, and sometimes impossible, when dealing with the customer’s “unmanaged devices” in a B2C environment.

While IT security is proficient in protecting corporate assets like endpoints, servers and databases, it is challenged with protecting non-corporate controlled assets, specifically customer devices. In a way, that is the original “BYOD” problem – protecting users’ access and transactions without controlling the underlying device.

Efforts to educate users about protecting themselves have had limited success: human nature is susceptible to social engineering schemes and temporary lapses of judgment. Users sometimes jailbreak or root a mobile device to install rogue applications. A jailbroken or rooted device is susceptible to malware that can take over critical device functions such as SMS, a channel that is itself relied on for strong authentication, and that can lead to credential theft and monetary losses. And because mobile devices have limited screen real estate, it’s often harder for users to identify bogus phishing URLs embedded in email.

Second, fraud management is a high frequency/high friction activity.
Merchants in the U.S. lose approximately $190B each year to credit card fraud. When fraudulent transactions enter enterprise systems, they trigger a series of actions needed to deal with the affected party (customer, partner or supplier). The support team gets involved to manage the interaction with the fraud victim. Analysts and investigators need to review forensic data to figure out what happened and where the money was moved, and attempt to recover the funds before they are gone. Restoring “business as usual” often requires the victim to invest time and effort in verifying that their systems are safe. When you factor in that these fraud cases occur at a high frequency, this adds up to extremely repetitive, intense engagement.

By contrast, when we’re talking about security within an enterprise’s own system, only actual breaches that lead to data loss – which are relatively rare occurrences – require heavy lifting. For example, according to the Ponemon Institute, only 22 percent of data breaches involve at least 10,000 records.

Third, fraud is visible to the world.
Customers experiencing fraud will lose trust in the mobile channel or the business overall. If the losses are not automatically covered by the enterprise (as is the case when corporate bank accounts are compromised), litigation can follow, creating negative brand impact. Even at a smaller scale, fraud incidents may be shared by unhappy customers on social networks and can ultimately lead to customer churn. Fraudulent activity also invites deeper regulatory scrutiny of processes and procedures, which further distracts line-of-business and IT resources. Some enterprise security breaches, by contrast, may never become public unless lost data must be disclosed as part of a regulatory or compliance requirement; many are therefore left undisclosed.

Mobile enterprise security and mobile fraud prevention share the common goal of protecting sensitive business assets and confidential customer information. Unfortunately, many security teams and organizations still view mobile security and mobile fraud prevention as a single entity, and don't realize that their current strategy may not be protecting them as well as they think. Rather, it’s imperative that companies implement a strategy that protects their customers from malicious activity, as well as protecting data within the company's network of devices.

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ...

Comment
User Rank: Ninja
5/5/2015 | 3:46:17 PM
Needed: Tighter Regulations, Harsher Penalties
* First, fraud starts on systems you can't control.

I maintain that an organization serious about protecting its data will have a firm policy against BYOD. This is an organizational approach to security that establishes the importance of the company and its assets over your personal preferences for computing and managing your life. While EMM applications may seem like a fair compromise, when users BYOD they often uninstall EMM apps when things go wrong.

No BYOD means improved security right out the gate.

* Second, fraud management is a high frequency/high friction activity.

I would argue that $190B/year loss to American merchants represents a disaster at a national level. To know that this continues to happen year after year is unacceptable. Here I go again, I know, but to not have tighter regulations and fine-related targets of evaluation (TOE) that must be met by companies to be even _allowed_ to connect financially to the Internet means we as a country are not taking cybersecurity seriously. The US bleeds money yearly (war, international loans/debt, etc) and one of the elements of our economy that allows us to recover from this is our capitalist system. To not protect that system with everything we've got points to a deep lack of understanding of what security, mobile or otherwise, truly is from a data ecosystem standpoint.

* Third, fraud is visible to the world.

I couldn't agree more. From the 22% of high-grade data breaches and the $190B/year loss, this is highly depressing. And when you read exploit and root cause analysis reports on many of these incidents, the initial point-of-entry was one that could have been prevented had the scope of the security strategy been expanded, and the specializations acquired in terms of talent been more varied. Again and again, we see the multitude of security applications making various claims and seemingly presenting an easy all-in-one solution that businesses often fall for in place of architecture, design and strategy. Perhaps some of this is due to cost-cutting but in doing that, a business might be risking their very existence if they are hit hard by mobile fraud.