Cybercrime Goes Mobile
Top tips on how to protect mobile transactions from fraud and make visitors feel confident about buying from a mobile device
Mobile devices are outselling PCs and currently over 40% of all online traffic is coming from the mobile channel, so selling to this audience is big business.
However, the boom in mobile connectivity has brought an equally big surge in cybercriminal activity. In 2013 there were 350,000 examples of malicious Android apps, up from around 1,000 in 2011.
Cybercrime attacks are:
- Targeted — Malware is typically not generic, so traditional anti-virus detection no longer handles these attacks effectively, and more dynamic detection is needed.
- Adaptive — Malware can now be adapted to re-infect compromised devices. Attackers can constantly change attacks, repurpose compromised devices and avoid detection.
- Effective — Hackers develop malware using professional software development techniques and have access to public online scan engines that run attack code against most anti-virus products on the market to ensure the efficacy of their attacks.
- Hidden — Attackers are better at obscuring communications between the device and the command and control (C&C) networks. This makes it harder to isolate compromised devices, detect data breaches and identify the root cause of the malware.
What can mobile shoppers do?
You can give your mobile customers this advice, maybe in a newsletter or on your site (a credit to 4D Hosting would be appreciated if you do!):
- Only download apps from reputable channels, e.g. Google Play Store, Amazon Appstore and the iTunes App Store. Google implements a rudimentary ‘bouncer’ to ward off malware, and the rest is taken care of by the very active Android user community.
- Keep installation of apps from ‘Unknown Sources’ at ‘Off’ in the device’s settings. This will help ensure that nothing enters the system except through official channels.
- Read app reviews and check ratings. If the app is from a decent developer you’re less likely to run into trouble than with an app that has hardly any downloads and just 2-3 reviews.
- Examine the permissions that an app is asking for, and use your own judgment to decide whether you want that app or not. A puzzle game asking to access your contacts is never a good idea, and neither is a torch app seeking internet permission.
- Never access links embedded in mass-broadcast messages/emails on your phone. You never know what’s hidden underneath a URL, and it’s harder to check that on a smartphone than on a desktop.
- While not exactly a malware protection measure, it’s still a good idea to keep your phone locked so no-one can install unwanted software.
- Have a security app installed. A lot of capable contenders are available such as Lookout Mobile Security and Norton Mobile Security.
What can ecommerce traders do?
Fraud checks: Fraud checks are not just about a dodgy postal address; they also include looking at your customer’s buying behaviour and knowing when it changes. For example, your products may be used regularly and have an approximate repeat order timeframe. If you see a customer purchase five times in an hour, or buy 10 times as much product as normal, this should alert you to a possible fraudulent transaction.
In addition, consider paying for the Datacash anti-fraud service which checks more than 20 million online transactions each month, and says it detects 97% of bogus orders.
Watch out for:
- Very high value/volume order from a customer who you have never had contact with before
- Several orders within a short period of time from a known customer
- Unusual volume order from a known customer
- A transaction which has been declined several times before going through
- Orders for the dearest items on your site with priority shipping.
Check each time:
- A name that is suspicious, e.g. Mr IT Contact
- A contact number that doesn’t exist, e.g. 9876 54321
- An incomplete billing address
- Unconfirmed credit/debit card and billing address details
- A delivery address that does not match the billing address for first transactions
- A temporary address such as a hotel or boarding house
- Deliveries to airports, or other unlikely addresses if it’s a B2C transaction.
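As an added illustration (not code from the article or from 4D Hosting), the rule-based screen below encodes the behavioural checks above against a constructed order history: order velocity for a known customer, volume far above that customer's norm, repeated declines before authorisation, and a high-value or address-mismatched first order. The field names and thresholds are assumptions chosen to match the article's worked figures.

```python
from datetime import datetime, timedelta
from statistics import mean

# Thresholds are assumptions for illustration; tune them to your own order patterns.
HIGH_VALUE = 500.0                 # "very high value" for a customer with no history
VELOCITY_WINDOW = timedelta(hours=1)
VELOCITY_LIMIT = 5                 # the article's "five times in an hour"
VOLUME_MULTIPLIER = 10             # the article's "10 times as much product as normal"
DECLINE_LIMIT = 2                  # "declined several times before going through"

# Constructed sample order history (not real customer data).
HISTORY = [
    {"cust": "c1", "ts": datetime(2014, 3, 1, 10, 0), "value": 40.0, "qty": 2, "declines": 0, "addr_match": True},
    {"cust": "c1", "ts": datetime(2014, 4, 1, 9, 30), "value": 45.0, "qty": 2, "declines": 0, "addr_match": True},
    {"cust": "c1", "ts": datetime(2014, 5, 2, 11, 0), "value": 38.0, "qty": 2, "declines": 0, "addr_match": True},
] + [  # a burst of four small orders from c2 within half an hour
    {"cust": "c2", "ts": datetime(2014, 5, 3, 12, 10 * i), "value": 20.0, "qty": 1, "declines": 0, "addr_match": True}
    for i in range(4)
]

def screen_order(order, history):
    """Return the red flags raised by `order` against that customer's earlier orders."""
    prior = [o for o in history if o["cust"] == order["cust"] and o["ts"] < order["ts"]]
    flags = []
    if not prior:
        # First contact: no behaviour to compare against, so judge the order on its own.
        if order["value"] >= HIGH_VALUE:
            flags.append("very high value order from a new customer")
        if not order["addr_match"]:
            flags.append("delivery address differs from billing address on a first order")
    else:
        recent = [o for o in prior if order["ts"] - o["ts"] <= VELOCITY_WINDOW]
        if len(recent) + 1 >= VELOCITY_LIMIT:
            flags.append("%d orders within %s" % (len(recent) + 1, VELOCITY_WINDOW))
        usual_qty = mean(o["qty"] for o in prior)
        if order["qty"] >= VOLUME_MULTIPLIER * usual_qty:
            flags.append("unusual volume: %d vs usual %.1f" % (order["qty"], usual_qty))
    if order["declines"] >= DECLINE_LIMIT:
        flags.append("card declined %d times before going through" % order["declines"])
    return flags

if __name__ == "__main__":
    probe = {"cust": "c1", "ts": datetime(2014, 6, 1, 9, 0), "value": 400.0, "qty": 25, "declines": 3, "addr_match": True}
    print(screen_order(probe, HISTORY))
```

A flagged order is a prompt for a manual check, not an automatic decline; the thresholds should be set from your own repeat-order timeframes.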
Card security: Offer various ways of ensuring that customers’ cards are secure online, e.g. Address Verification Services (AVS), CV2 (the 3-digit code on the back of a card) and 3D Secure (provided by all main banks). Enabling these features on your site adds protection to your customers’ transactions.
App security: If your company has the budget, consider creating an app. Commission a reputable author to create it and make it hard for criminals to alter the code and insert malware. If you design the app so that customers know they need a unique customer number to use it, this helps your customers detect and protect themselves against malware, and it also protects you against cybercriminals downloading the app to alter the code.
Email security: Do not embed links in emails; write out full URLs in the body text so that customers can see where a link leads before they follow it.
Also inform customers (ideally by phone or letter) that you will only send emails about their account from specific email addresses and that they will never be asked for login details over the phone or by email.
The use of mobile will only increase with time and m-commerce revenue is set to take over from traditional internet sales within the next five years. With this trend it is best to prepare, protect and inform your customers how best to interact and buy from you. With fraud from the mobile channel also set to increase, can you afford not to?
Jack Bedell-Pearce is the Managing Director of 4D Hosting.