DT, March 2017

Spoofed IDs Help Darken the Security Picture
March 1, 2017

Security jitters have hit the payments industry, and it’s no wonder. The arrival of new and sophisticated ways to spoof identities, coupled with the rapid rise of mobile usage for banking and payments, has created a minefield for security professionals charged with guarding accounts and the money they hold.

The cause for alarm shows up in recent statistics. A quarterly report from ThreatMetrix Inc., a San Jose, Calif.-based security-technology firm, shows pilfered or fake credentials figured in fully 80 million cyberattacks last year. Indeed, 4.3% of financial-service transactions monitored by the company in 2016’s fourth quarter were detected as fraudulent because of identity spoofing, up from 3.5% in the first quarter, the report shows.

Criminals are increasingly relying on a devil’s brew of breaches, phishing, bot attacks, and outright fakery to piece together convincing identities they can use to loot accounts. “There’s a lot of [personally identifiable information] in the wild and fraudsters have access to it,” says Vanita Pandey, product management and payments executive at ThreatMetrix. “It’s easier than ever to commit crime.”

The situation with so-called device spoofing is even worse. Cases where fraudsters had taken over a device previously thought to be legitimate figured in 6.5% of transactions in the fourth quarter, up from 5.6% in the first.

Underscoring results like this was a report released earlier this year by Javelin Strategy & Research that calculated that identity fraud hit a record high in 2016, affecting 15.4 million U.S. consumers, a nearly 18% increase over 2015.

Further complicating matters is the fast adoption by consumers of mobile devices for payments and banking activity. While the devices enable a smoother and more convenient way to access account data and perform transactions, that same convenience suits fraudsters when they are able to fake passwords, intercept one-time pass codes, or otherwise exploit the mobile trend.

Of all financial-service transactions passing through ThreatMetrix’s system in the fourth quarter, some 55% originated from a mobile device. That’s up from 47% in the first quarter and from just 18% in the first quarter of 2015.

Much of this is driven by the proliferation of mobile-banking applications that allow customers to perform increasingly sophisticated transactions, including account transfers and person-to-person payments, company officials say.

Now that they’ve gone beyond just checking a balance, “customers are getting more comfortable using mobile,” says Pandey. “It’s a primary channel of access. Fraudsters are looking to attack that.”

This “primary channel” is showing up in multiple ways. Account log-in transactions from mobile devices shot up 254% last year, according to ThreatMetrix numbers. Similarly, account-creation transactions grew 125%. Such growth in mobile usage surprised even the ThreatMetrix experts. Pandey calls it a “massive” increase just in 2016.

With security fears on the rise, cybersecurity startups are cashing in. Financing activity for startups in the business reached a record 404 deals last year, according to numbers compiled by CBInsights, a New York City-based research firm that follows technology investment.

Total dollars invested dipped somewhat to $3.84 billion from $3.93 billion in 2015, but the funding level is still well above the $1.43 billion seen as recently as 2012.

There are now eight cybersecurity unicorns, or private companies with valuations equal to or greater than $1 billion, according to CBInsights. At the top of the list is Tanium Inc., an Emeryville, Calif.-based endpoint-security specialist, at $3.5 billion.

—John Stewart
