Australia's mobile-wielding Christmas shoppers posing new security threats to themselves, employers

Consumers' increasing reliance on mobile apps during the holiday shopping period has brought a new round of warnings for companies with bring your own device (BYOD) policies that face increased risk of data exfiltration through the use of unscrupulous apps designed to be overly familiar with users' personal information.

New research from B2B International and Kaspersky Lab suggested that online consumers were growing increasingly concerned about making financial transactions online, with 65 percent concerned about online financial fraud – up from 62 percent last year – and 54 percent (up from 49 percent last year) saying they felt vulnerable when buying products or making financial transactions online.

Some 43 percent of the Kaspersky respondents said they had abandoned an online payment transaction in the past because it didn't seem secure enough; that figure was 37 percent in 2014.

Ross Hogan, global head of the Kaspersky Lab Fraud Prevention Division, said in a statement that it was “understandable that people are increasingly concerned about the risk of online fraud” and said banks should be taking the lead in giving customers security tools to support their online work.

“Banking customers shouldn’t be letting their fears get in the way of enjoying the benefits of making financial transactions online,” Hogan said. “By using an appropriate Internet security solution, they can take their own steps to protect their money from fraud.”

Growing use of mobiles for shopping has made them increasingly significant as overall online shopping figures continue to surge. Recent Roy Morgan figures suggest that 4 in 10 Australians and half of New Zealanders are now buying something online in any given month. Australians alone spent $37.8 billion online during fiscal 2014/15, according to the Roy Morgan figures.

A growing proportion of these transactions are being conducted through mobiles: recent research by IPSOS and PayPal Australia, for example, found that mobile-commerce usage had grown by 204 percent since 203 and that 2.2 million Australians were planning on using their smartphones to buy Christmas gifts this year.

Mobile shoppers should take a range of precautions, including screenshotting their proof of purchase rather than waiting for merchants to email a copy of the purchase confirmation; being careful about phishing emails and about entering sensitive details into mobiles while other people are nearby; and using official shopping apps for a more seamless shopping experience.

Yet even those official apps can cause headaches for IT managers by taking liberties with the personal information of BYOD users, according to recent research by software-management firm Flexera Software. That company ran an analysis of 26 popular iOS-based shopping apps and found that the majority were capable of accessing a range of personal information, often without users knowing.

Some 69 percent of the apps – including big-name brands such as Amazon, Disney, eBay, Groupon, Macy's, Nordstrom, REI, Shutterfly, Starbucks and Target – were able to access the social-media apps on the user's phone, while 65 percent of the tested apps could access address book and calendar information. Some 58 percent of the apps could access the device's SMS messaging features, while all of the 26 apps save two were able to access the device's GPS location tracking information.

Twenty of the apps were integrated with third-party ad networks that have been recognised as an increasingly dangerous threat: 'malvertising' reached record levels in June, while in late July security firm Cyphort warned that more than 10 million people may have been exposed to malware transmitted through advertisements.

The granting of app permissions may seem innocuous to bargain-minded holiday shoppers, but it can present real issues in BYOD situations where users' phones are filled with company contact, calendar and other information.

“Giving apps access to this data may create unwanted security risk depending on the organisation and its BYOD policies,” the firm warned. “It is therefore incumbent upon IT teams to understand what popular mobile apps their employees are letting onto corporate and BYOD devices, and understand what risks those apps might pose.”

Even the government is warning mobile users to be careful this year, with the Australian Communications and Media Authority (ACMA) echoing warnings about mobile app usage over the holidays – and, in particular, customers' often wanton use of free mobile apps that frequently bury data-siphoning habits in complex terms of use that many users barely consider.

ACMA recently released primers for mobile users warning them about how to manage their app purchases, security, and other areas.

Recent ACMA research found that 4.3 million Australians downloaded banking and finance apps onto their mobiles in the previous year, while 2.9 million downloaded shopping apps.

Stories by David Braue