Text Size:


Surging Attacks Driven by Spoofed IDs And Mobile Devices Darken the Security Picture
February 9, 2017

By John Stewart

Security jitters have hit the payments industry, and it’s no wonder. The arrival of new and sophisticated ways to spoof identities, coupled with the rapid rise of mobile usage for banking and payments, has created a minefield for security professionals charged with guarding accounts and the money they hold.

The cause for alarm shows up in recent statistics. This week, a quarterly report from ThreatMetrix Inc., a San Jose, Calif.-based security-technology firm, shows pilfered or fake credentials figured in fully 80 million cyberattacks last year. Indeed, 4.3% of financial-service transactions monitored by the company in the fourth quarter were detected as fraudulent because of identity spoofing, up from 3.5% in the first quarter, the report shows.

Criminals are increasingly relying on a devil’s brew of breaches, phishing, bot attacks, and outright fakery to piece together convincing identities they can use to loot accounts. “There’s a lot of [personally identifiable information] in the wild and fraudsters have access to it,” Vanita Pandey, product management and payments executive at ThreatMetrix, tells Digital Transactions News. “It’s easier than ever to commit crime.”

The situation with so-called device spoofing is even worse, Cases where fraudsters had taken over a device previously thought to be legitimate figured in 6.5% of transactions in the fourth quarter, up from 5.6% in the first.

Underscoring results like this was a report released last week by Javelin Strategy & Research that calculated that identity fraud hit a record high in 2016, affecting 15.4 million U.S. consumers, a nearly 18% increase over 2015.

Further complicating matters is the fast adoption by consumers of mobile devices for payments and banking activity. While the devices enable a smoother and more convenient way to access account data and perform transactions, that same convenience suits fraudsters when they are able to fake passwords, intercept one-time pass codes, or otherwise exploit the mobile trend.

Of all financial-service transactions passing through ThreatMetrix’s system in the fourth quarter, some 55% originated from a mobile device. That’s up from 47% in the first quarter and from just 18% in the first quarter of 2015. Much of this is driven by the proliferation of mobile-banking applications that allow customers to perform increasingly sophisticated transactions, including account transfers and person-to-person payments, company officials say.

Now that they’ve gone beyond just checking a balance, “customers are getting more comfortable using mobile,” says Pandey. “It’s a primary channel of access. Fraudsters are looking to attack that.”

This “primary channel” is showing up in multiple ways. Account log-in transactions from mobile devices shot up 254% last year, according to ThreatMetrix numbers. Similarly, account-creation transactions grew 125%. Such growth in mobile usage surprised even the ThreatMetrix experts. Pandey calls it a “massive” increase just in 2016.

With security fears on the rise, cybersecurity startups are cashing in. Financing activity for startups in the business reached a record 404 deals last year, according to numbers released Thursday by CBInsights, a New York City-based research firm that follows technology investment. Total dollars invested dipped somewhat to $3.84 billion from $3.93 billion in 2015, but the funding level is still well above the $1.43 billion seen as recently as 2012.

There are now eight cybersecurity unicorns, or private companies with valuations equal to or greater than $1 billion, according to CBInsights. At the top of the list is Tanium Inc., an Emeryville, Calif.-based endpoint-security specialist, at $3.5 billion.

Share |


Read Digital Transactions Online
read more