Survey: Average company losing $US90 million to mobile fraud

The average revenue of the companies in the survey was $US2.5 billion

The average company loses $US92.3 million a year to mobile fraud, according to a new survey of 250 companies from across a wide spectrum of industry verticals.

The average revenue of the companies in the survey was $US2.5 billion, meaning that the mobile losses accounted for more than 3 per cent of revenues.

In addition, some organizations reported that they lost as much as 25 per cent of revenues to mobile fraud.

Retailers were the single biggest group of companies surveyed, followed by computer software firms, banking and financial services, computer services, healthcare, and other industry verticals.

The fraud typically came in such forms as purchases made with stolen credit cards, theft of money from online banking accounts, redeeming frequent flier miles for gift cards on hospitality and travel sites, and fake prescriptions ordered through health websites, said Angel Grant, senior manager of fraud risk and intelligence at RSA, the security division of EMC and one of the sponsors of the study.

RSA has also seen the growth of mobile fraud through its own channels, she added.

The company sells risk-based authentication solutions for online banks, retailers, and medical record portals.

"When we monitor the transactions that are going through our system, we noticed a dramatic increase in 2014 of transactions moving from web to mobile," she said.

But as users did more shopping and banking on smartphones and tablets, the criminals moved over as well, she said.

"Last year, 32 per cent of all transactions processed through adaptive authentication came through the mobile channel," she said. "And 40 per cent of the transactions marked fraudulent came through the mobile channel."

Many companies have a false sense of security when it comes to mobile devices, she said, and don't have the same security mechanisms in place for their mobile apps as they do for their websites.

"There's a false sense of the security in the market," she said.

But RSA is seeing both device-level fraud, such as when unprotected phones and tablets are stolen, and application-level attacks.

The latter are more dangerous, she said.

These include mobile phishing -- or smishing -- where, for example, a customer gets an SMS supposedly from their bank that asks them to go to a site and enter their information.

The survey also asked companies about what kind of authentication mechanisms they were currently using.

The vast majority - 77 per cent - relied on user names and passwords, and 52 per cent also looked at device IDs.

Challenge-based questions were used by 44 per cent, followed by IP recognition at 41 per cent and phone-based authentication such as SMS and voice at 28 per cent.

Only 20 per cent used soft tokens, and fewer still - 17 per cent - used biometrics.

But this is likely to change.

"Most respondents said that they are looking to add more authentication measures," said Grant. "Most realise that a user name and password isn't enough anymore."

The top authentication measure on companies' to-do list is biometrics, which 47 per cent of respondents said they were planning to require in the future, followed by phone-based authentication at 38 per cent and soft tokens at 32 per cent.

The most likely biometric measures used are facial, fingerprint and voice recognition, Grant said.

"Most consumers are becoming more comfortable with those types of biometric technologies than they were three to five years ago, because the devices they're using have that baked right in," she said.


Stories by Maria Korolov
