Fraudsters Target Mobile Apps as More Retailers, Banks Go Digital

Consumers using mobile wallets or mobile banking apps are generally more engaged with their banks or retailers, creating a richer behavioral profile — and fraudsters are looking to exploit this by taking over these users' devices and, by extension, their bank accounts.

Fraudsters continue to engage in mass identity testing sessions through botnets infiltrating existing accounts or by creating new ones, according to the 2016 first quarter cybercrime report from ThreatMetrix.

"One interesting development we found is testing stolen credit card credentials through charitable donations," said Vanita Pandey, vice president of product for San Jose, Calif.-based ThreatMetrix.

Fraudsters will make numerous $5 donations on their own fake charitable sites with stolen credentials, using this method to determine which accounts are still capable of completing transactions, Pandey said.

"If they don't work or somehow get caught, they throw those credentials aside," she added. "If they do work, they use those credentials to go on with mass shopping."

In the same manner, when fraudsters are ready to unleash sets of stolen credentials, it can result in as many as a million bot attacks a day on a retailer site or network.

The ThreatMetrix report for the first quarter included data from cybercrime attacks from January through March that the company detected through the real-time analysis of the ThreatMetrix Digital Identity Network.

During that period, ThreatMetrix analyzed billions of transactions and more than 100 million attacks were detected and stopped in real time, a 52% increase over the previous period. In addition, 311 million bot attacks were identified and stopped, the report said.

The report data shows a rise in cybercrime attempts, a trend ThreatMetrix noted in the 2015 fourth-quarter report.

A major challenge remains for retailers and financial institutions that have found success with "digital first" strategies because they must develop ways to ensure loyal consumers connecting through various channels are not stalled by fraud-detection systems, the report said.

But this is not an easy task, considering how fraudsters are seeking ways to infiltrate mobile accounts or create their own accounts with stolen credentials, Pandey said.

"Spoofing or stealing a mobile device is on the rise in developed countries, because they can buy a new phone and load stolen credentials onto it," Pandey added. "Biometrics and backup passwords are good security measures for a mobile wallet, but nothing stops someone from taking a stolen card and adding it to another device."

In that regard, fingerprint biometrics used with Apple Pay or Android wallets become the identifier for that device, not necessarily for the card or the customer using that card, Pandey said.

Attacks on mobile devices are growing steadily and on pace with the 200% growth in mobile transactions over the previous year, the report said.

Because digital consumers tend to have a close relationship with a handful of favorite retailers and trust them with payment and personal information, fraudsters are in many cases turning to stealing identity rather than payment card credentials, so account logins are becoming a prime target.

"In fintech, there are a lot of attacks on new accounts, or fraudsters presenting themselves as someone else," Pandey said.

Creating a new account is easy with a wallet provider or a merchant, and then the fraudster lets the account age for a period of time before unleashing it to start making transactions, Pandey added.

"Most people don't change their passwords," Pandey said. "Fraudsters steal one password and start using it over many sites, and then maybe use that password to create fraudulent mobile wallet accounts."

ThreatMetrix reported that it stopped more than 20 million attempts to create fraudulent new accounts and payments, at a time when fraudulent new account registrations increased 175% over the previous year.

Attempts to steal identity remain high in continents such as Africa, Asia and South America, which lack organized identity verification tools in many cases, while mobile device spoofing was more prevalent in North America, Australia and Europe, the report said.

Hacks of payment credentials, mobile accounts or social media accounts are becoming so prevalent that consumers are starting to take them in stride, which can be dangerous, Pandey said.

“Everyone used to roll their eyes when someone sent a note that they had been hacked and had to provide new credentials,” Pandey said. “Now it happens so often, but consumers should realize they have to change their passwords.”

In the same manner that people in war-torn regions still go out and try to lead normal lives despite dangerous threats, consumers reluctant to use mobile and digital accounts during threatening times have to realize they still have to go online for certain tasks, Pandey added.

“They may be worried about leaking data every time they go online, but it is a way of life that they are still going to have to do,” she said.
