Data: The new causes of mobile payments fraud

August 22, 2018 12:02 PM

Account takeover (ATO) fraud currently drives the largest fraud losses at North American financial institutions within digital channels, according to a new report from Aite Group and Early Warning, the bank organization that operates the Zelle payment network brand. And according to data from RSA, phishing remains a vital part of this scam.

ATO fraud occurs when a scammer impersonates a consumer to steal from an account. The tactic is on the rise following widespread data breaches exposing personally identifiable information, combined with weak customer authentication methods, and the rise of mobile devices used for payments and e-commerce.

Despite rising ATO via online banking channels, Early Warning this month said it has not yet seen any measurable ATO fraud on the Zelle mobile app P2P service since its launch in September 2017.

“We haven’t seen where someone is stealing a Zelle user’s credentials and taking money,” said Jamey Boone, vice president of Zelle Fraud Risk Prevention at Early Warning. One reason is the mobile authentication tools Zelle applies at account login to recognize bank customers’ devices. So far these mechanisms are deterring fraudsters from downloading the app to their own device and attempting to log in as someone else, Boone said.

Early Warning’s report warns financial institutions of the need to step up their overall customer authentication processes and device identification methods to prevent ATO from escalating to other digital payment channels, including P2P. Aite surveyed 26 executives at 19 of the continent’s largest banks beginning in the fall of 2017.

Chart: Top global fraud types in Q2 2018

Phishing—which often plays a role in account takeover—remains the leading type of fraud attack globally through the second quarter of 2018 at 41%, down from 48% during the first quarter, according to new data RSA measured across broad attack vectors and digital channels. Financial phishing occurs when fraudsters intercept or steal personal information or pry it directly from consumers under false pretenses using email, phone or texts.

Fraud originating from trojan horses, or financial malware fraud, accounts for 16% of attacks, down from 25% during the previous quarter, RSA said. Rogue mobile app fraud was up sharply during the recent quarter to 28% from 13%. RSA identified 9,185 different rogue mobile apps used for fraud attacks during the second quarter.

Malware in the mobile channel is increasing at a rapid clip, as fraudsters use ransomware and keyloggers for man-in-the-middle attacks. Examples include intercepting one-time passwords sent by financial institutions to consumers’ mobile phones. Fraud from mobile browsers represented 71% of total fraud transactions during the second quarter, RSA said.

“Brand abuse,” or fraud that misleads consumers, stayed about the same at 15% this quarter over last.

To guard against mobile payment fraud, accurate device identification is critical. The largest proportion of online payment fraud occurs with “new devices” that financial institutions are unfamiliar with, according to RSA.

For example, during the second quarter of 2018, only 0.4% of legitimate payments were attempted from a new account using a new device, but that combination accounted for 27% of total fraud values, up from 22% during the first quarter of the year. Trusted devices used together with trusted accounts generated the largest percentage of legitimate transactions, but the fact that 28% of total fraud came from that combination suggests a high likelihood of financial malware capable of spoofing phones for ATO attacks, RSA said.

Fraudsters using devices to interfere with accounts usually leave lots of clues, according to Aite’s Inscoe.

“Typically, there are obvious signals of a problem when a fraudster is manipulating an account with a phone, such as jailbreaking a phone or using developer tools to manipulate geolocation or identification data,” she said. Mobile network operators also possess useful data about device activity that banks can access through third-party services, and many fraud-prevention solutions are available for financial institutions to block these types of attacks, Inscoe added.

The slight downward trend in phishing attacks during the second quarter suggests financial institutions are seeing some success from deploying a growing array of weapons to defeat fraud, RSA said in its report. The most common tools to spot phishing fraud include device fingerprinting that recognizes a specific piece of hardware, along with one-time passwords sent to customers to confirm transactions and behavioral analytics that compares a prospective transaction with a consumer’s typical patterns. Unusually high transactions are often fraudulent, RSA said.

But many banks are still too trusting of low-security knowledge-based authentication (KBA) tools that use static questions the financial institution keeps on file to verify a customer’s identity, experts say.

“The use of KBA has been badly breached, and it’s one reason we’re going to see a lot of continued account-takeover activity,” said Aite’s Inscoe. While many banks Aite surveyed said they have plans to reduce their reliance on KBA to authenticate consumers for fraud prevention, too many are still relying on it, she said.

Inscoe recommends financial institutions use a layered approach of tools to detect and filter out fraud at the hardware, software and end-user level, deploying new biometric tools as they become available. Currently fewer than half of financial institutions use any biometric tools to authenticate consumers, and typically it’s a method similar to Apple's Touch ID.

Canada and the U.S. continue to be the biggest targets for fraudsters on phishing expeditions looking to steal consumers’ account details, and both countries also rank in the top three as host locations for phishing crimes. India and several European countries also perennially rank as top phishing targets and host locations, according to RSA.

During the second quarter, Russia continued to rank high as a hosting location for many phishing attacks, and the Netherlands suddenly became a top phishing target—and host location.

Recent headlines provide some context: In July, a 25-year-old man from the Netherlands was arrested and charged with more than 1,000 counts of hacking, phishing and identity fraud. Many of his crimes were perpetrated by an automated fake banking website he leveraged to steal money directly from e-commerce companies or by intercepting funds from counterfeit transactions.