Horror Stories of Mobile Money Fraud

Nick Holland has spent the last decade covering the intersection of the mobile and payments industries. He currently covers all things mobile transaction related at Yankee Group.

With the mobile phone on the cusp of becoming a device for performing financial transactions, are we also on the cusp of a corresponding tsunami of criminal attacks on the mobile channel? Not to be alarmist, but yes. And there are already horror stories. In cyberspace, no one can hear you scream.

We're coming to an inflection point that will have some scary repercussions for the mobile industry. Until recently, criminals have had very little incentive to attack the mobile channel. But this is changing, and fast. Three reasons for this shift:

  • Fragmentation. Back in those prehistoric times before the app store, there were many different types of phones running many different types of software—BREW, Java, Symbian, Windows and so on. For a criminal, there were far too many variables in terms of device standards to perpetrate an attack of any magnitude. With the rise of smartphones, however, the mobile platform landscape is less fragmented. Within a few years we can expect Android, iPhone and Blackberry operating systems to cover most devices on the market. As such, a criminal attack aimed at one of these platforms will effectively reach a large proportion of mobile subscribers.
  • Reach. Just a few years ago, mobile voice and data communications were constrained to country-level barriers. It was costly and difficult to call someone overseas using a mobile network, let alone to send data traffic. Nowadays, however, with Voice over IP and mobile devices commonly accessing not just mobile networks but the Internet over Wi-Fi, the modern mobile phone is globally enabled. This fact is a double-edged sword. For today’s connected criminal, this freedom of access works two ways: An attack can be launched from anywhere to anywhere.
  • Payload. The previous two reasons provide the ubiquity and connectivity for criminals to get to your phone. The third reason provides an incentive. The nature of mobile transactions thus far has been limited to small value transactions for digital content such as ringtones, music and applications with little or no resale value. Transactions have occurred in a closed-loop environment, with the subscriber divulging no payment information at any point. Take mobile banking, for example. These apps have provided little more valuable information than your current balance and last five transactions. Think of an ATM without any cash withdrawal capability. However, the mobile phone is bridging the physical world. With that change comes the capability to perform financial transactions for physical goods and services. The mobile device is shifting from an informational device to a transactional device.

This emerging opportunity has not been lost on the criminal community. In fact, criminals are already actively probing new forms of attacks in the mobile domain. For example:

  • Fraudsters are operating "call centers." For around $10, you can have a fraudster impersonate a living person and have him/her call the victim's bank or credit card issuer to have a lost card rerouted to a fraudster's address. These call centers go as far as spoofing caller ID to appear as if they are the legitimate cardholder calling in.
  • More than 300 virus variants currently target mobile devices. Although most are similar to malware found in the online space, viruses have been found that spread locally via Bluetooth in much the same way as a natural virus would spread via airborne contamination, literally infecting other open Bluetooth devices in their proximity. Other viruses have been found that dial expensive international numbers surreptitiously while the subscriber is sleeping.
  • Variants of the online "phishing" attack have reached mobile—"SMiShing" and "Vishing." The former reaches the subscriber via text (SMS) messaging, the latter via fake voice calls. The intended result is the same: a social engineering attack that tricks the victim into calling or clicking in response to what they believe to be a message from their bank but is in fact a fraudster collecting valuable data for identity theft purposes.
  • Similarly, social engineering has also reached the app store. The Android app store has already been subjected to rogue applications that have attempted to collect and disseminate users' banking credentials. Professionals in the security field consider other app stores to be more stringent. However, they are still concerned that malware is slipping through, given the sheer quantity of applications being published.

Bear in mind that all of these forms of attack are finding their way around non-physical world transactions. With developments in contactless technology, we are viably only a couple of years from a mobile phone becoming a real analog to the wallet in your pocket. Once this happens, the bait for fraudsters significantly increases.

For every horror story, however, there is a feisty heroine prepared to take on the rabid psychopath. Companies in the online protection space are already offering solutions for mobile devices. However, bringing these offerings to market is a fine line between providing reassurance and comfort to mobile users that their mobile transactions are safe and scaring the bejeezus out of them and effectively killing mobile payments before they start.

For now, at least, ignorance is bliss for mobile subscribers. But, as we know from the movies, the monsters never actually go away. And, they always come back. Please reach out to Nick and share your thoughts.