5 security threats to watch in 2019

As more banks rely on mobile devices as a second factor of authentication, fraudsters have shifted their sights to the cell phone providers that control that channel.

SIM-jacking and SIM swap fraud — which allow scammers to take over a phone number and/or intercept text messages sent to it — will increase in 2019 as crooks figure out new techniques. It’s still a relatively heavy-handed exploit, but anyone in possession of something hackers want will be a target, according to Adam Levin, co-founder of Credit.com, who was previously a director of the New Jersey Division of Consumer Affairs.

The South African Banking Risk Information Centre in October 2018 said the number of SIM-swap fraud incidents more than doubled in South Africa over the past year, and other global regions are seeing rising incidents. Also known as Port-Out scams, or SIM splitting, this technique targets the weakness in two-factor authentication where the second step triggers a call or text message to a mobile phone. In doing so, fraudsters can approve high-risk transfers long before the bank or customer is aware.

Further undermining device security is runaway spam call volume, which is expected to soar in 2019 to about half of all calls. Spam calls undermine consumers’ discipline in checking suspicious activity on their phones, and hurt payment providers’ ability to police and block fraud. Solutions requiring collaboration between financial services providers, device makers and wireless carriers — such as the carriers' own Project Verify — could gain traction this year.

Major data breaches have been a threat to the payments industry for more than 13 years, according to credit bureau Experian's recent risk forecast.

The data breach of a rival credit bureau, Equifax, was said to be one of the biggest in history, but even bigger events could be ahead in 2019, Experian warns. A major wireless carrier, for example, could be attacked with devastating effect on iPhone and Android devices loaded with payments and financial data, possibly disabling wireless communications.

It’s also a matter of when, not if, a top vendor of cloud data storage will be hacked, Experian predicts.

Biometrics are a big area of innovation to make payments more secure, but it's not without its own unique risk factors.“Biometric data is considered the most secure method of authentication but it can be stolen or altered, and sensors can be manipulated and spoofed or deteriorate,” Experian said in its report.

In online gaming forums, fraudsters can pose as gamers and gain access to the computers and personal data of trusting players, the company said. “Some regulation and oversight are necessary to strip away the total anonymity of players,” Experian said.

The search for a better way to manage digital IDs to authenticate payments is on.

As identity theft has become rampant and passwords have become virtually useless in blocking fraud, companies across the technology spectrum in financial services, healthcare and government are working on streamlined, consumer-friendly approaches to verify their identities.

Mastercard and Microsoft’s recent announcement about plans to collaborate on a decentralized digital ID approach is the first of a wave of cross-industry partnerships for identity verification and payment authentication that will take different forms.

But the biggest risk is one of incentives — the companies best positioned to control digital ID are the ones least motivated to benefit from it. Collaboration will be vital to making a digital ID system that is both trusted and secure.

One possible approach is designing a way for federations to work as a mechanism for transferring a consumer’s ID credentials from one point to another, suggests Sunil Madhu, co-founder and chief strategy officer of Socure, which offers a digital ID verification solution to protect against payment fraud.

“ID requirements should be contextual, so there would be no need for 100 percent of everyone’s ID information for 100 percent of all actions, which is the approach some organizations are heading for now,” Madhu said.

But don’t expect a single digital ID solution to appease all users. “It’s unlikely, and there’s no need for one solution to rule them all,” Madhu said.