
5/5/2015, 10:30 AM
Subbu Sthanu
Commentary

Deconstructing Mobile Fraud Risk

Today's enterprise security solutions don't do enough to manage BYOD risk, credit card theft and the reputational damage resulting from a major data breach.

Earlier in the mobile revolution, the threats that are considered imminent today (malware, phishing and criminal device misuse) were often theoretical and carried a low probability of ever affecting an enterprise. Even though these threats are becoming more “real,” quantifying the risk and justifying the expenditure to protect against them remains a challenge.

As a result, most mobile security software is still sold as insurance against a single event that could have catastrophic impact on the business, and is considered part of the cost of doing business.

Contrary to this thinking, mobile fraud is not one “big bad event”, but a continuous stream of smaller, ongoing breaches or attempted breaches that are often hard to detect. When left unaddressed, these multiple attacks could have a serious aggregate impact on a business.

What are organizations overlooking by using traditional mobile enterprise security under the big, bad event approach? I see three key critical areas of concern:

First, fraud starts on systems you can’t control.
Enterprise security assumes some level of control over devices allowed to access a company’s systems. BYOD programs utilize tools such as mobile device management (MDM) solutions to control the device security posture. This level of control is much harder, and sometimes impossible, when dealing with the customer’s “unmanaged devices” in a B2C environment.

While IT security is proficient in protecting corporate assets like endpoints, servers and databases, it is challenged with protecting non-corporate controlled assets, specifically customer devices. In a way, that is the original “BYOD” problem – protecting users’ access and transactions without controlling the underlying device.

Efforts to educate users about protecting themselves have had limited success: human nature is susceptible to social engineering schemes and temporary lapses of judgment. Users sometimes jailbreak or root a mobile device to install rogue applications. A jailbroken or rooted device is susceptible to malware that can take over critical device functions such as SMS, which is often relied on for strong authentication, and that takeover can lead to credential theft and monetary losses. And because mobile devices have limited screen real estate, it is often harder for users to identify bogus phishing URLs embedded in email.

Second, fraud management is a high frequency/high friction activity.
Merchants in the U.S. lose approximately $190B each year to credit card fraud. When fraudulent transactions enter enterprise systems, they trigger a series of actions needed to deal with the affected party (customer, partner or supplier). The support team gets involved to manage the interaction with the fraud victim. Analysts and investigators need to review forensic data to figure out what happened and where the money was moved, and then attempt to recover the funds before they are gone. Restoring “business as usual” often requires the victim to invest time and effort in verifying that their systems are safe. When you factor in that these fraud cases occur at a high frequency, this adds up to extremely repetitive, intense engagement.

By contrast, when we’re talking about security within an enterprise’s own system, only actual breaches that lead to data loss – which are relatively rare occurrences – require heavy lifting. For example, according to the Ponemon Institute, only 22 percent of data breaches involve at least 10,000 records.
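To make the contrast between a rare catastrophic breach and a continuous stream of small frauds concrete, here is an added example (not from the article or from IBM) that puts both framings into a simple annualized-loss model; every rate, dollar figure and control cost in it is a constructed assumption.

```python
"""Annualized-loss comparison of the two fraud framings discussed in the article.

All rates and dollar figures below are constructed assumptions for
illustration; they are not data from the article or from IBM.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    name: str
    events_per_year: float          # expected number of loss events per year
    loss_per_event: float           # direct financial loss per event, USD
    handling_cost_per_event: float  # support, forensics and recovery effort per event, USD

    def annual_expected_loss(self) -> float:
        """Annualized loss expectancy: frequency times total cost per event."""
        return self.events_per_year * (self.loss_per_event + self.handling_cost_per_event)


def control_return(scenario: LossScenario, control_cost: float, reduction: float) -> float:
    """Return on a control costing `control_cost` per year that removes
    `reduction` (0..1) of the scenario's expected loss, expressed as a
    fraction of the control cost (negative means the control does not pay)."""
    avoided = scenario.annual_expected_loss() * reduction
    return (avoided - control_cost) / control_cost


# Constructed scenarios: one rare catastrophic breach versus a stream of
# small frauds at roughly four per day, each needing support and forensics time.
BIG_EVENT = LossScenario("single catastrophic breach", 0.05, 4_000_000, 500_000)
FRAUD_STREAM = LossScenario("continuous fraud stream", 365 * 4, 600, 250)


def compare(control_cost: float = 300_000, reduction: float = 0.6) -> dict:
    """Expected loss and control return for both framings, keyed by scenario name."""
    return {
        s.name: {
            "annual_expected_loss": s.annual_expected_loss(),
            "control_return": control_return(s, control_cost, reduction),
        }
        for s in (BIG_EVENT, FRAUD_STREAM)
    }


if __name__ == "__main__":
    for name, figures in compare().items():
        print(f"{name}: ALE ${figures['annual_expected_loss']:,.0f}, "
              f"control return {figures['control_return']:+.0%}")
```

With these assumptions the same control that loses money against the rare big event pays for itself more than once against the fraud stream, which is the aggregate effect the article describes.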

Third, fraud is visible to the world.
Customers who experience fraud will lose trust in the mobile channel or in the business overall. If the losses are not automatically covered by the enterprise (as is the case when corporate bank accounts are compromised), litigation can follow, creating negative brand impact. Even at a smaller scale, fraud incidents may be shared by unhappy customers on social networks and can ultimately lead to customer churn. Fraudulent activity also invites deeper regulatory scrutiny of processes and procedures, which further distracts line-of-business and IT resources. By contrast, some enterprise security breaches may never become public unless the lost data must be disclosed under a regulatory or compliance requirement; many are therefore left undisclosed.

Mobile enterprise security and mobile fraud prevention share the common goal of protecting sensitive business assets and confidential customer information. Unfortunately, many security teams and organizations still view mobile security and mobile fraud prevention as one and the same, and don't realize that their current strategy may not be protecting them as well as they think. Instead, companies must implement a strategy that protects their customers from malicious activity as well as protecting the data within the company's own network of devices.

Subbu Sthanu is the Director of Mobile Security and Application Security at IBM. Prior to IBM, Subbu served on the leadership teams of security software vendors like Novell, NetIQ, Trustwave and BeyondTrust, heading up product management, marketing, corporate development and ...

Comments
RetiredUser, User Rank: Ninja, 5/5/2015 | 3:46:17 PM
Needed: Tighter Regulations, Harsher Penalties
* First, fraud starts on systems you can't control.

I maintain that an organization serious about protecting its data will have a firm policy against BYOD. This is an organizational approach to security that establishes the importance of the company and its assets over your personal preferences for computing and managing your life. While EMM applications may seem like a fair compromise, when users BYOD they often uninstall EMM apps when things go wrong.

No BYOD means improved security right out the gate.

* Second, fraud management is a high frequency/high friction activity.

I would argue that $190B/year loss to American merchants represents a disaster at a national level. To know that this continues to happen year after year is unacceptable. Here I go again, I know, but to not have tighter regulations and fine-related targets of evaluation (TOE) that must be met by companies to be even _allowed_ to connect financially to the Internet means we as a country are not taking cybersecurity seriously. The US bleeds money yearly (war, international loans/debt, etc) and one of the elements of our economy that allows us to recover from this is our capitalist system. To not protect that system with everything we've got points to a deep lack of understanding of what security, mobile or otherwise, truly is from a data ecosystem standpoint.

* Third, fraud is visible to the world.

I couldn't agree more. From the 22% of high-grade data breaches and the $190B/year loss, this is highly depressing. And when you read exploit and root cause analysis reports on many of these incidents, the initial point-of-entry was one that could have been prevented had the scope of the security strategy been expanded, and the specializations acquired in terms of talent been more varied. Again and again, we see the multitude of security applications making various claims and seemingly presenting an easy all-in-one solution that businesses often fall for in place of architecture, design and strategy. Perhaps some of this is due to cost-cutting but in doing that, a business might be risking their very existence if they are hit hard by mobile fraud.