Horror Stories of Mobile Money Fraud

Written by Nick Holland
October 28th, 2010

Nick Holland has spent the last decade covering the intersection of the mobile and payments industries. He currently covers all things mobile transaction related at Yankee Group.

With the mobile phone on the cusp of becoming a device for performing financial transactions, are we also on the cusp of a corresponding tsunami of criminal attacks on the mobile channel? Not to be alarmist, but yes. And there are already horror stories. In cyberspace, no one can hear you scream.

We’re coming to an inflection point that will have some scary repercussions for the mobile industry. Until recently, criminals have had very little incentive to attack the mobile channel. But this is changing, and fast. Three reasons for this shift:

  • Fragmentation. Back in those prehistoric times before the app store, there were many different types of phones running many different types of software—BREW, Java, Symbian, Windows and so on. For a criminal, there were far too many variables in terms of device standards to perpetrate an attack of any magnitude. With the rise of smartphones, however, the mobile platform landscape is less fragmented. Within a few years we can expect Android, iPhone and Blackberry operating systems to cover most devices on the market. As such, a criminal attack aimed at one of these platforms will effectively reach a large proportion of mobile subscribers.
  • Reach. Just a few years ago, mobile voice and data communications were constrained to country-level barriers. It was costly and difficult to call someone overseas using a mobile network, let alone to send data traffic. Nowadays, however, with Voice over IP and mobile devices commonly accessing not just mobile networks but the Internet over Wi-Fi, the modern mobile phone is globally enabled. This fact is a double-edged sword. For today’s connected criminal, this freedom of access works two ways: An attack can be launched from anywhere to anywhere.
  • Payload. The previous two reasons provide the ubiquity and connectivity for criminals to get to your phone. The third reason provides an incentive. The nature of mobile transactions thus far has been limited to small value transactions for digital content such as ringtones, music and applications with little or no resale value. Transactions have occurred in a closed-loop environment, with the subscriber divulging no payment information at any point. Take mobile banking, for example. These apps have provided little more valuable information than your current balance and last five transactions. Think of an ATM without any cash withdrawal capability. However, the mobile phone is bridging the physical world. With that change comes the capability to perform financial transactions for physical goods and services. The mobile device is shifting from an informational device to a transactional device.

This emerging opportunity has not been lost on the criminal community. In fact, criminals are already actively probing new forms of attacks in the mobile domain. For example:

  • Fraudsters are operating “call centers.” For around $10, you can have a fraudster impersonate a living person and have him/her call the victim’s bank or credit card issuer to have a lost card rerouted to a fraudster’s address. These call centers go as far as spoofing caller ID to appear as if they are the legitimate cardholder calling in.
  • More than 300 virus variants currently target mobile devices. Although most are similar to malware found in the online space, viruses have been found that spread locally via Bluetooth in much the same way as a natural virus would spread via airborne contamination, literally infecting other open Bluetooth devices in their proximity. Other viruses have been found that dial expensive international numbers surreptitiously while the subscriber is sleeping.
  • Variants of the online “phishing” attack have reached mobile—“SMiShing” and “Vishing.” The former reaches the subscriber via text (SMS) messaging, the latter via fake voice calls. The intended result is the same: a social engineering attack that tricks the victim into calling or clicking in response to what they believe to be a message from their bank but is in fact a fraudster collecting valuable data for identity theft purposes.
  • Similarly, social engineering has also reached the app store. The Android app store has already been subjected to rogue applications that have attempted to collect and disseminate users’ banking credentials. Professionals in the security field consider other app stores to be more stringent. However, they are still concerned that malware is slipping through, given the sheer quantity of applications being published.

Bear in mind that all of these forms of attack are, so far, confined to transactions that never touch the physical world. With developments in contactless technology, we are plausibly only a couple of years from a mobile phone becoming a real analog to the wallet in your pocket. Once this happens, the bait for fraudsters significantly increases.

For every horror story, however, there is a feisty heroine prepared to take on the rabid psychopath. Companies in the online protection space are already offering solutions for mobile devices. However, bringing these offerings to market means walking a fine line between reassuring mobile users that their mobile transactions are safe and scaring the bejeezus out of them, effectively killing mobile payments before they start.

For now, at least, ignorance is bliss for mobile subscribers. But, as we know from the movies, the monsters never actually go away. And, they always come back. Please reach out to Nick and share your thoughts.
