Avoiding mobile fraud: What small businesses need to know

Our insatiable love affair with the mobile device shows no signs of abating. According to a recent report there will be more mobile subscriptions on earth than people by the end of 2014. With one in seven European smartphone users having recently completed a retail transaction on their mobile phone, the opportunity is ripe for organisations to get on board.

However, engaging with consumers through mobile devices is very different to traditional eCommerce, and requires a different approach. This is especially true when it comes to mobile payments. So, what can organisations do to make sure they get their mobile payment strategy right?

Understand the radical shift in consumer behaviour

eCommerce orders have historically been placed during core business hours. However, the widespread use of tablets and smartphones has seen a radical shift in consumer buying patterns. The peak buying time for these types of devices now occurs between 8pm and 9pm. Understanding this shift in consumer behaviour is key – for instance, applying rigid fraud rules for anyone shopping outside of normal business hours will impede sales.

Businesses should also appreciate that consumers now use multiple devices at home, often switching between smartphones, tablets and PCs when purchasing goods. This can cause challenges when it comes to validating a device. That’s because historically, the more changes in the data, the riskier the transaction. If a consumer places an order on three or four laptops, for example, further investigation would need to be carried out. Now, households use many devices in one home, so organisations must ensure their fraud protection accommodates changing consumer habits.

Mobile devices add even more complexity to retailers’ infrastructure. Be prepared to accommodate the plethora of devices available within your fraud screening plans. Once you understand your customer, you can then adapt your rules to take into account new personal habits and behaviours.

Evaluate reliability of traditional data points

Technologies such as IP geolocation have traditionally worked well to establish a consumer’s physical location at the time of a purchase. Unfortunately they can become useless when a mobile device is not connected to a Wi-Fi network. In this instance, the device’s location would show as the mobile operator’s, which isn’t precise enough if you are attempting to confirm the owner’s location.

Given the nomadic nature of mobile devices, it can be difficult to pinpoint exactly where a purchase originates. Capturing the GPS location will certainly help when it comes to comparing details such as billing and shipping address proximities. Wherever possible try to collect GPS data – it can strengthen your fraud-screening rules.

Don’t rely on device fingerprint data alone

Device fingerprinting is a hugely useful way of identifying the PC or laptop used to make a purchase. It collects a range of information that can help to determine whether the customer is legitimate: installed applications, software updates, the time zone of the device and whether things such as JavaScript are turned on for the device. This all makes up a PC’s unique fingerprint.

Unlike PCs and laptops, very limited information can be collected from smartphones and tablets. This makes it difficult to collect the most valuable data. Ensure that you amend and adapt your fraud rules accordingly to account for this.

If possible, capture the IMEI and UUID numbers of the mobile device (the device’s unique identity numbers). These can be another useful tracking element to compare against addresses or credit card numbers. If a device has made multiple purchases with the same card, that can represent much lower risk. However, a device that has attempted to use six cards to conduct a purchase will raise suspicion and will certainly need further investigation.

Embed mobile into your overall cross-channel strategy

Orders or bookings placed through mobile devices provide a goldmine of useful information. The real value lies in the ability to compare these transactions alongside those from your call centre or website. It can help you to spot fraudsters migrating between different channels more quickly.

Take all the data available and create a set of rules specific to mobile transactions. Your mobile fraud screening should then feed into the other orders being placed across the business. This will help you to compare mobile purchasing information against other known data (such as the website or call centre) to detect further discrepancies.

How do you know if you are rejecting too many orders? You can’t manage what you can’t measure. You need to be able to collect and analyse your data to make sure your rules are performing to the best of their ability. For instance, are the majority of your rejected transactions coming from mobile devices or call centre transactions? If they are from mobile devices, then perhaps your current rule set needs tweaking.
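The rules above (six cards on one device is suspicious, a device repeating a card is lower risk, off-hours rules should not penalise mobile buyers, and review rates should be measured per channel) as a small screening routine. This is an added example, not CyberSource’s code or the article’s own; the order fields, the 09:00–17:59 core-hours window and the sample orders are constructed assumptions.

```python
"""Channel-aware fraud screening rules for mobile orders (constructed example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Thresholds from the article: a device that has tried six cards warrants
# investigation; a device repeating a card it has already used is lower risk.
SUSPICIOUS_CARDS_PER_DEVICE = 6
CORE_HOURS = range(9, 18)  # assumption: 09:00-17:59 count as core business hours

@dataclass(frozen=True)
class Order:
    order_id: str
    channel: str     # "mobile", "web" or "call_centre"
    device_id: str   # IMEI/UUID-style identifier; values below are constructed
    card_token: str  # tokenised card reference, never the raw card number
    hour: int        # local hour of day the order was placed (0-23)

class Screener:
    """Keeps per-device history across orders and returns a verdict for each."""

    def __init__(self):
        self.cards_by_device = defaultdict(set)
        self.uses_by_device_card = Counter()

    def screen(self, order):
        """Return ("review" | "low_risk" | "accept", [reasons])."""
        self.cards_by_device[order.device_id].add(order.card_token)
        self.uses_by_device_card[(order.device_id, order.card_token)] += 1
        reasons = []
        n_cards = len(self.cards_by_device[order.device_id])
        if n_cards >= SUSPICIOUS_CARDS_PER_DEVICE:
            reasons.append(f"device has tried {n_cards} cards")
        # The legacy off-hours rule is kept for web orders only (an assumption):
        # mobile buying peaks at 20:00-21:00, so applying it there would reject
        # legitimate orders.
        if order.channel == "web" and order.hour not in CORE_HOURS:
            reasons.append(f"web order outside core hours ({order.hour}:00)")
        if reasons:
            return "review", reasons
        if self.uses_by_device_card[(order.device_id, order.card_token)] > 1:
            return "low_risk", ["device has used this card before"]
        return "accept", []

def review_rate_by_channel(orders, verdicts):
    """Share of orders sent to review per channel: the measurement the text asks for."""
    total, reviewed = Counter(), Counter()
    for o in orders:
        total[o.channel] += 1
        if verdicts[o.order_id][0] == "review":
            reviewed[o.channel] += 1
    return {ch: reviewed[ch] / total[ch] for ch in total}

def run_sample():
    """Constructed orders: one device cycling through six cards, one repeating a card."""
    orders = [Order(f"m{i}", "mobile", "IMEI-A", f"card-{i}", 20) for i in range(1, 7)]
    orders += [Order("m7", "mobile", "IMEI-B", "card-9", 21),
               Order("m8", "mobile", "IMEI-B", "card-9", 21),
               Order("w1", "web", "PC-1", "card-7", 23),
               Order("c1", "call_centre", "n/a", "card-8", 11)]
    screener = Screener()
    verdicts = {o.order_id: screener.screen(o) for o in orders}
    return verdicts, review_rate_by_channel(orders, verdicts)
```

If the mobile review rate comes out far above the other channels, that is the signal the text describes that the mobile rule set needs tweaking.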

James Hunt is an associate principal in CyberSource’s managed risk services team

Sponsored content

This content has been sponsored by BIS, whose brand it displays. All content is editorially independent.


The cyber risks facing UK retailers – lessons from the US

Rarely has a security vulnerability gained worldwide notoriety as quickly as Heartbleed, a programming flaw in a critical part of the technology used to encrypt communication between secure servers on the internet. More than anything it has reinforced the importance of security awareness and of the speed of response to such incidents.

Behind the omnipresent warnings over Heartbleed are the ongoing risks facing Britain’s retailers. Experts are now raising concerns over the growing risk of cyber criminals gaining access to sensitive information held by such businesses. The sector is a prime target as incidents elsewhere have clearly shown, with research by US insurer Willis Group (pdf) suggesting that retailers are more likely to rate cyber incidents as having “significant, serious, material or critical” impact on their business, compared to other sectors.

Moves to improve cyber security at retailers in the US are likely to increase pressure on UK retailers. While their US counterparts have been in the crosshairs of hackers for some time, British merchants are not immune and it would be naive to believe that cyber-crime is a peculiarly US phenomenon. Such risks are very much present here in the UK. Data breaches have already happened to UK retailers, both as a result of data theft from within a retailer’s own organisation and of hacking by criminal gangs.

The seriousness of the issue is further underscored by the British Retail Consortium’s Retail Crime Survey (pdf), which found that the majority of retailers see cyber attacks as a critical threat to their business, with nearly two thirds targeted by hackers in the last 12 months.

Technology has a key role to play in today’s retail environment and there are countless examples of innovation, for example in the development of sophisticated inventory loss systems. However, retailers are also data companies – the data they hold is in some cases more valuable than the merchandise – and there is a growing and significant black market for such information.

So what can retailers do? For starters, they must pay greater attention to the security of the data they hold about their customers that criminals could use to make money. Retailers are custodians of large volumes of credit card and account information and should conduct regular reviews of both their security policies and the storage and maintenance of data. These reviews must focus on establishing who has and who should have access to such sensitive information, whether data is encrypted and at what stage the encryption takes place.

The data “lifecycle” should also be looked at, so there’s a clear understanding of what happens to all information, from the moment somebody swipes their card right up until the retailer no longer has the data. Similarly, companies must review other types of sensitive information – such as employment, staff and supplier records – the loss of which can be costly and embarrassing.

Most importantly, each potential incident requires a thorough investigation, and not just a superficial check to close down a known vulnerability. Many retailers and others have found that incidents that at first seemed minor were in fact incidents of a much more significant infiltration.

Without a clear commitment to addressing such emerging risks, which must go hand-in-hand with a focus on developing a broader strategy to improve cyber resilience, all businesses will be exposed to significant risks. Moves by the European Union could also add to such pressures, with the proposed General Data Protection Regulation proposing substantial fines in the event of a data breach, capped at 5% of global turnover or €100m.

However, the impact of a cyber security incident goes beyond the harsh financial realities. In today’s world, as many victims have found to their cost, the reputational and organisational harm could also be significant. Cyber resilience is a matter of organisational management, not just an IT issue.

Significant cyber incidents like Heartbleed will continue to happen. Criminals are looking for the weakest link, within a retailer’s own organisation or elsewhere in the supply chain. Advances in online technology have allowed the sector to get closer to customers and suppliers, and such advancements have created new platforms for growth, but they have also created new risks.

Seth Berman is executive MD and UK head of Stroz Friedberg


All Guardian Media Network content is editorially independent except for pieces labelled ‘Advertisement feature’. Find out more here.

Twitter Challenge: Your tips on cyber security

Cyber security can be a tricky issue for small businesses to get to grips with due to its complexity. So last month we launched a Twitter Challenge asking you to share your tips on how SMEs can keep their information safe online. We asked you to summarise your top piece of advice in a tweet using the hashtag #smallbizsecurity. Here’s a selection of your tweets:

— BCRC (@BCRC_News), March 19, 2014

Always think before you click on a link or file of unknown origin. Check the source of the message #smallbizsecurity http://t.co/Ku7DeLPm2N

— BSP – Bytes SP (@spukltd), April 30, 2014

@GdnSmallBiz Focus on your critical IT data – identify your “crown jewels” in terms of #ITSecurity & take expert advice on protecting them

— Linda Ockwell-Jenner (@LindaOJ), April 29, 2014

@GdnSmallBiz #smallbizsecurity Awareness comes first, knowing the risks and staying informed.

— Linda Ockwell-Jenner (@LindaOJ), April 29, 2014

@GdnSmallBiz #smallbizsecurity last but not least, Early Detection, the earlier a breach or some such challenge is discovered may limit them

— SENTRONEX (@sentronexnews), April 30, 2014

@GdnSmallBiz SMEs often lack the infrastructure to protect against cyber attacks – addressing this will help you fight #smallbizsecurity

— Next Level BD (@NextLevelBD), April 9, 2014

@GdnSmallBiz For clients we find running scans on websites and inputting captcha on contact forms can help as well as SSL #smallbizsecurity

— Jon Norris (@Jn_Norris), April 14, 2014

@GdnSmallBiz If you use WordPress, restrict access to /wp-admin/ to your own IP address. Common entry point for hackers. #smallbizsecurity


Will Self-Imposed Smartphone Kill Switches Survive Despite Lack of Federal Legislation?

With the number of smartphone thefts in the U.S. reaching dangerous levels, there is a renewed push for mobile device manufacturers and telecom carriers to include a “kill switch” on all mobile devices. These kill switches would essentially allow a user to turn off the functionality of a device in the event it was lost or stolen, and in turn, reduce the value and demand for these stolen goods. Nearly 50% of all robberies in San Francisco alone involve smartphones, so this is going to continue to be a hot-button issue until a solution is reached.

I’ve discussed the kill switch issue previously, looking first at the SB962 initiative that would require these kill switches on all mobile devices. Unfortunately, the possibility of a federal kill switch law has hit a snag in the time since my last post—or at least, it was dealt a powerful blow after it failed to pass the Senate last week. Despite backing from law enforcement agencies and San Francisco District Attorney George Gascón, the bill fell two votes short of going forward.

However, in the wake of this hiccup, a number of groups with strong opinions on both sides of the kill switch debate have made themselves heard. For instance, many cellular service providers, represented by their industry trade group, the Cellular Telecommunications Industry Association (CTIA), continue to argue against requiring a kill switch, saying that it could potentially give hackers the chance to remotely disable smartphones and prevent customers from making emergency calls.

Smartphone manufacturers, on the other hand, are coming round to implementing kill switches on their own terms. For example, both Apple and Samsung have introduced their own variations of advanced phone tracking and locking software. Apple’s “Find My iPhone” app allows consumers to lock down their device if it goes missing, and the phone can only be used again after the device owner enters their username and password. Samsung phones offer similar functionality.

Most recently, in the absence of an actual law requiring kill switches, leading phone manufacturers are getting behind the “Smartphone Anti-Theft Voluntary Commitment.” The commitment states that new smartphones made after July 2015 will come with “preloaded or downloadable” anti-theft programs. As outlined, the proposed program would let consumers remotely wipe their data, render the phone inoperable to unauthorized users, and preserve lockdown status after a factory reset, while still allowing the phone to make emergency calls, and would offer a restore option in the event the device is recovered.

While this voluntary commitment is a step in the right direction, its ability to decrease device theft is uncertain. Because these anti-theft features would not be turned on by default, it would still be up to the user to make sure the options are enabled. As it stands now, 34% of consumers don’t use any security on their smartphones, meaning that the potential adoption rate of opt-in kill switches may not be high enough to de-incentivize device theft.

So what’s the safety-conscious consumer to do? Well, here are a few tips you can use to minimize the damage in the event your device is lost or stolen in the meantime:

  • Be aware of your surroundings. Smartphone theft is a crime of opportunity. The best way to prevent that opportunity is to be aware of where you are and your smartphone usage habits. Know who’s around you, keep a tight grip on your device and avoid using your smartphone in crowded areas where crooks can grab and run. Additionally, don’t leave your devices unattended in plain sight. A café table is an easy place for a fast-thinking thief to snatch your smartphone.
  • Enable phone-tracking software and mobile security. McAfee® Mobile Security, free on both Android and iOS, can track your phone as it moves, remotely wipe contacts, as well as keep photos and videos in a secure vault to keep them protected even if a device gets lost or stolen.
  • Disable auto-logins on your mobile device. Automatically logging into your favorite apps is convenient, but dangerous. Thieves can easily gain access to financial information if the app is linked to a credit card or bank account. They can also record personal information for possible identity theft. By disabling automatic logins, you put a speed bump in the rapid road of theft.
  • Always secure your devices with a PIN or passcode. Protect your phone or tablet, as well as the information stored on it from prying eyes. While it may not prevent devices from being stolen, it will certainly make it more difficult for thieves to get access to anything on it. In the event your device is just misplaced temporarily, a PIN code will also keep out any potential snoopers.


The post Will Self-Imposed Smartphone Kill Switches Survive Despite Lack of Federal Legislation? appeared first on McAfee Blogs.

Tinder Not So Tender

Tinder is a kind of modern day ‘Hot or Not’ mobile dating app. It finds matches based on location, then lets you scroll through pictures (no lengthy profiles here), picking those that catch your eye – and vetoing the ones that don’t. The app works by accessing users’ Facebook accounts to pull pictures and other relevant profile information about their age, interests, status, and more. However, despite the app’s growing popularity, many users have been plagued by a mobile scam using bots to impersonate eligible singles.

Because spammers notoriously target large, susceptible groups of people, it is no surprise that they have turned their sights on love-seeking Tinder app users. Recently, there has been a rise in fake accounts controlled by bots (malware-infected computers or devices controlled by a third party) that masquerade as real users, complete with names, interests and photos. The bots not only lead users on with the false hope of a potential match, but also spam them with messages advertising a video game link. Screenshots posted to Twitter confirm the consistent pattern of this con.

The latest Tinder scam takes advantage of the app’s interface, where users scan potential matches in their area and then “swipe right” for those that interest them. Once a victim “swipes right” and contacts the fake account, it reacts with the generic message “hey :)”. Subsequently, it asks what the user is doing and then responds with “I’m still recovering from last night 🙂 Relaxing with a game on my phone, Castle Clash. Have you heard about it?” No matter what the victim’s response is, the bot responds with a URL to a mobile game app called Castle Clash. In order to make the URL appear trustworthy, the party behind Castle Clash disguised the link as “Tinderverified.com.” But don’t let the seemingly legitimate link or others like it fool you; clicking on them can expose you and your private information.

It appears that this particular scam is more annoying than dangerous, and most likely just a ploy by the Castle Clash creator to boost app downloads. After the incident was reported, Tinder quickly took the necessary steps to remove these phony accounts. However, this is not the first time that the company has had issues with fake profiles, and while Tinder allows matched users to block each other, it does not prevent past victims from being targeted again. Despite the fact that Tinder users must have a Facebook account to register, it is frighteningly easy for spammers and cybercriminals to create dummy accounts using fake information.

In order to avoid email junk folders, spam has become much more sophisticated today, and communities of like-minded people like those on Tinder are perfect targets. Now that social profiles are linked to apps, mobile devices, desktop computers, and more, the risk of a potential infection spreading from one to all of them is exponentially higher. As the app maker, Tinder bears the brunt of the responsibility when it comes to protecting its users from spammers, but in the end, only you can protect yourself from malicious activity. Some best practices include:

  • Always use caution when clicking on links from a mobile device—or any internet-connected gadget for that matter.
  • Be selective about which friend requests you accept on social networks, as you never know when it might be a fake profile.
  • Never reveal personal or sensitive information online or via social media apps, especially to people you do not know.

With the free McAfee Mobile Security app, not only can you browse social networks safely and connect with people confidently, but you can also protect yourself from risky links that could reveal your sensitive information with the Android version. It also scans your apps to find out if any are dangerous, and provides you with a privacy risk rating based on app category and expected behavior. Check out and download McAfee Mobile Security for Android and iOS to protect your phone or tablet with award-winning antivirus, privacy, and security software.

The post Tinder Not So Tender appeared first on McAfee Blogs.