The stage is set for a record-setting mobile shopping holiday season with Black Friday, Cyber Monday and the run-up to Christmas. The global mobile-payment market is expected to reach $10.07 trillion by 2026, according to market-research firm Reports and Data. Accompanying that rise in mobile payments is mobile biometrics, which is projected to be used to authenticate 2 trillion sales by 2023, according to Juniper Research. However, the increase in mobile shopping during the holidays has also led to a record number of cybercriminals committing fraud.
Convenience for consumers is driving the trend towards mobile payments and biometrics, but this sector is also mobilising cybercriminals, who use a variety of techniques to trick users out of their credentials and gain access to online accounts: phishing scams, man-in-the-middle attacks, account takeovers and flat-out identity theft. With over two billion people worldwide expected to buy goods and services online by 2021, cybercriminals are literally shopping for victims this holiday season. A study from Salesforce confirmed that 60% of eCommerce traffic came from mobile consumers, making mobile a prime target for cybercriminals.
As mobile shopping adoption continues this upward trend, more purchases will take place on mobile than on desktop, making the pocket device a more attractive target. In fact, researchers at NuData Security found that last August, 49% of all mobile traffic was fraudulent.
There should not have to be a trade-off between security and mobile usage, and mobile transactions shouldn’t need to add friction to catch bad guys. Higher accuracy and fewer false positives are possible with existing technologies, among them passive biometrics and behavioural analytics.
Unlike brick-and-mortar stores, where the clerk can see the customer, selling goods and services online can feel like being in a blackout. The information from the user is there on the screen, but the question remains: are you really who you say you are?
To differentiate holiday shoppers from holiday fraudsters, some major eCommerce companies are using passive biometrics and behavioural analytics – technologies that monitor hundreds of online identifiers, such as how hard a person hits the keys on the keyboard, how they swipe from page to page or how they hold their device – to build the profile of a legitimate customer. With these technologies, companies can detect suspicious behaviour even on new accounts, where there is no transaction history to compare against.
Using these technologies, merchants can remove friction and only trigger application speed bumps like SMS, email validation, or captchas for suspicious traffic. This weeds out imposters and allows merchants to offer rewards and other bonuses to key customers while stopping fraud before it hits the checkout.
Here are some tips to help eCommerce sites remain secure as the busiest shopping season of the year approaches.
Go mobile or go home
The world transacts on the go – tune defences to identify mobile-specific attacks, such as network spoofing and data leakage. Fraudsters use sophisticated ploys to target iOS and Android software that go unnoticed by consumers, and companies need to step up their game to protect their customers. Always vet the apps that you download. Even if they come from recognised app stores, they can still pose a serious threat.
Riaan Badenhorst, the General Manager for Kaspersky in Africa, warned that “apps pose a real problem for mobile users, who give them sweeping permissions, but don’t always check security”. “These are typically free apps found in official app stores that perform as advertised, but also send personal – and potentially corporate – data to a remote server, where it is mined by advertisers or even cybercriminals. Data leakage can also happen through hostile enterprise-signed mobile apps. Here, mobile malware uses distribution code native to popular mobile operating systems like iOS and Android to spread valuable data across corporate networks without raising red flags.”
Prepare for the unexpected
Know what the system can handle, as well as what it can’t. Be prepared for unexpected events and contingencies; they will happen, and having a contingency plan will save the company additional costs and headaches. The probability of your company falling victim to a mobile cyberattack rises with the ever-increasing frequency of cybercriminals targeting mobile devices. It is essential to have a contingency plan in place in order to prevent panic when an incident occurs.
When a Distributed Denial of Service (DDoS) attack occurs, the company without a plan suffers. The most valuable advice we can give is that companies should ensure that website security is in place, and test regularly for security loopholes and account-protection gaps. In the fast-paced world of mobile payments it is essential to stay ahead of any potential security breach by anticipating where your security weaknesses may be and, most importantly, by employing a DDoS protection service before you need it.
Online merchants will be attacked
65% of a company’s accounts are attacked at least once every month, based on NuData analytics. As tempting as it seems during high-traffic periods, don’t lower security barriers to increase conversions. Some businesses soften rules, such as lowering the fraud threshold, to avoid false declines. However, this significantly increases the threat of an account takeover (ATO): Forter’s 2019 Fraud Attack Index found that merchants without proper safeguards increased the risk of ATO by up to 200%.
ATOs are becoming a more realistic threat every day, as organised cybercriminals contributed to a 45% increase in 2018 compared to 2017. In order to protect your assets against ATO, companies should continuously look for anomalous traffic, such as unusually high purchasing volumes or dollar amounts. Keep an eye out for multiple failed login attempts on the same account, for new accounts with immediate high-ticket item purchases, and for high volumes of account testing across multiple IPs and device IDs.
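The following is an added example, not code from the article, NuData or Forter, showing how the ATO signals listed above (repeated failed logins on one account, new accounts making immediate high-ticket purchases, account testing from one device or IP across many accounts) can be expressed as simple detection rules, and how the risk-based step-up described earlier (challenge only suspicious traffic with SMS, email validation or a captcha, let everyone else check out frictionlessly) follows from them. The log format, the thresholds and the sample events are all constructed for illustration and are not from any real system; a production deployment would tune the thresholds against its own traffic baseline.

```python
"""Rule-based ATO signals over a constructed event log, with risk-based step-up.
Added example for illustration only; log format, thresholds and events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; tune them against your own traffic.
FAILED_LOGIN_LIMIT = 5                   # failed logins on one account within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
NEW_ACCOUNT_AGE = timedelta(hours=24)    # an account younger than this counts as "new"
HIGH_TICKET = 500.0                      # purchase amount treated as high-ticket
ACCOUNTS_PER_SOURCE_LIMIT = 5            # distinct accounts failing from one device ID or IP

# Constructed sample log ("timestamp key=value ..."), not real traffic.
LOG = """\
2019-11-29T10:00:00 event=login result=fail user=alice ip=198.51.100.7 dev=d1
2019-11-29T10:01:00 event=login result=fail user=alice ip=198.51.100.7 dev=d1
2019-11-29T10:02:00 event=login result=fail user=alice ip=198.51.100.8 dev=d2
2019-11-29T10:03:00 event=login result=fail user=alice ip=198.51.100.8 dev=d2
2019-11-29T10:04:00 event=login result=fail user=alice ip=198.51.100.9 dev=d3
2019-11-29T10:05:00 event=login result=ok user=alice ip=198.51.100.9 dev=d3
2019-11-29T10:06:00 event=purchase user=alice amount=1200 ip=198.51.100.9 dev=d3
2019-11-29T10:10:00 event=login result=fail user=u1 ip=203.0.113.5 dev=d9
2019-11-29T10:10:10 event=login result=fail user=u2 ip=203.0.113.5 dev=d9
2019-11-29T10:10:20 event=login result=fail user=u3 ip=203.0.113.5 dev=d9
2019-11-29T10:10:30 event=login result=fail user=u4 ip=203.0.113.5 dev=d9
2019-11-29T10:10:40 event=login result=fail user=u5 ip=203.0.113.5 dev=d9
2019-11-29T10:11:00 event=login result=ok user=u6 ip=203.0.113.5 dev=d9
2019-11-29T10:11:30 event=purchase user=u6 amount=60 ip=203.0.113.5 dev=d9
2019-11-29T10:20:00 event=login result=ok user=newbie ip=192.0.2.44 dev=d7
2019-11-29T10:21:00 event=purchase user=newbie amount=900 ip=192.0.2.44 dev=d7 created=2019-11-29T09:50:00
2019-11-29T10:30:00 event=login result=ok user=bob ip=192.0.2.10 dev=d4
2019-11-29T10:31:00 event=purchase user=bob amount=40 ip=192.0.2.10 dev=d4
"""


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict with typed ts/amount/created."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts)
    if "amount" in ev:
        ev["amount"] = float(ev["amount"])
    if "created" in ev:
        ev["created"] = datetime.fromisoformat(ev["created"])
    return ev


def detect_signals(events):
    """Return (risky_users, risky_sources).

    risky_users maps a user to the set of reasons it was flagged;
    risky_sources is a set of ("dev", id) / ("ip", addr) pairs seen testing many accounts.
    """
    risky_users = defaultdict(set)
    risky_sources = set()
    fails = defaultdict(list)    # user -> timestamps of recent failed logins (sliding window)
    tried = defaultdict(set)     # ("dev"|"ip", value) -> distinct accounts that failed from it
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] == "login" and e["result"] == "fail":
            recent = [t for t in fails[e["user"]] if e["ts"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(e["ts"])
            fails[e["user"]] = recent
            if len(recent) >= FAILED_LOGIN_LIMIT:
                risky_users[e["user"]].add("repeated_failed_logins")
            for src in (("dev", e["dev"]), ("ip", e["ip"])):
                tried[src].add(e["user"])
                if len(tried[src]) >= ACCOUNTS_PER_SOURCE_LIMIT:
                    risky_sources.add(src)
        elif e["event"] == "purchase" and "created" in e:
            # New account going straight to a high-ticket purchase.
            if e["ts"] - e["created"] <= NEW_ACCOUNT_AGE and e["amount"] >= HIGH_TICKET:
                risky_users[e["user"]].add("new_account_high_ticket")
    return risky_users, risky_sources


def decide(purchase, risky_users, risky_sources):
    """Risk-based step-up: ("challenge", reasons) for flagged traffic, ("allow", []) otherwise."""
    reasons = set(risky_users.get(purchase["user"], ()))
    for kind, value in (("dev", purchase["dev"]), ("ip", purchase["ip"])):
        if (kind, value) in risky_sources:
            reasons.add(f"account_testing_{kind}")
    return ("challenge", sorted(reasons)) if reasons else ("allow", [])


def triage(log_text):
    """Map each purchasing user to its step-up decision for the given log text."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    risky_users, risky_sources = detect_signals(events)
    return {e["user"]: decide(e, risky_users, risky_sources)
            for e in events if e["event"] == "purchase"}


if __name__ == "__main__":
    for user, (action, reasons) in triage(LOG).items():
        print(f"{user:8s} {action:9s} {', '.join(reasons)}")
```

Only three of the four shoppers in the sample are sent to a challenge: alice because her account absorbed five failed logins in ten minutes before the successful one, u6 because the device and IP that logged her in had just failed against five other accounts, and newbie because a 31-minute-old account went straight to a $900 order. bob, the ordinary shopper, is never shown a speed bump. The rules are evaluated in batch here for clarity; the same sliding-window state works just as well when events are processed as they arrive.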
Online companies should be prepared and proactive. Become acquainted with the traffic over the network and where it comes from; this will help to isolate any unusual or fraudulent activity. Once IT teams understand where the most suspicious traffic originates, they can tailor the organisation’s security to plug those specific gaps. Remember, fraudsters never take a holiday. Organisations must start by taking a step back and gaining a holistic view of their security infrastructure. By watching inbound traffic, companies can spot unusual activity and make proactive changes rather than reactive fixes to security gaps.
About the Author
Robert Capps is a recognised technologist, thought leader, and advisor with over twenty years of experience in the design, management, and protection of complex information systems – leveraging people, process, and technology to counter cyber risks. His previous roles include senior manager of Global Trust and Safety at StubHub, where Robert was responsible for global anti-fraud, cyber-security and payment strategy. Prior to StubHub, Robert was chief technologist at Golden West Financial, where he was responsible for building strategy and operations around consumer-facing cyber-security for the bank’s digital channels.