|© 2016 Black Swan Telecom Journal||•||protecting and growing a robust communications business||• a service of|
|Email a colleague|
Could you live without your mobile device? In 2016, admitting that you can’t is hardly a cause for shame.
Used continually for navigation, mobile purchases, downloading video, browsing news sites, exchanging WhatsApp messages — and even the occasional phone call — our devices are now part of us. And this use extends to storing sensitive information such as personal contacts, business and private emails, social media profiles, personal videos and photos, and so on.
What’s more, all major over-the-top (OTT) providers are competing with each other to sell us an array of storage solutions, such as Google Cloud Storage, Microsoft Azure and Amazon Web Services, to further encourage us to store almost every aspect of our lives on our mobile devices.
But there is another, sinister side to this revolution. Accompanying the upside are many new threats and risks — both known and unknown. And as digital technology continues to evolve at a frantic rate, keeping pace with the increased risks presents an enormous challenge.
To understand how the technology is fast being exploited for illicit gain, let’s look at Account Take Over (ATO) fraud, which while having been around for years, is now taking on a new life, thanks to digital technology.
ATO fraud occurs when a fraudster, posing as a genuine customer, succeeds in gaining control of a mobile user’s account and performs unauthorized transactions with their service provider (for example, switching SIM cards, posing as the user to order services and goods and so on).
In the past, most breaches were attributed to socially engineering1, where users would unwittingly provide sensitive data to fraudsters — in email messages and the like — to obtain private information and credentials.
But today, fraudsters have evolved. They no longer need to directly solicit our information. Instead they purchase private information such as credit card details from the darknet or “underground Internet” for as little as $15.
The spread of mobile malware2 is another modern-day example of ATO fraud. Since mobile users are generally unaware of what constitutes a risk, it’s fairly easy for an attacker to infect a device. Since we are constantly being pushed information from a variety of sources (messages, links, social media info, etc.), sometimes our curiosity is stronger than our sense of caution, and the mobile users clicks an illicit hyperlink.
Once a device is infected, the attacker gains free access to control the device from any location without the owner’s knowledge. They can generally access all information on the device, including passwords, which the attacker can then use to launch a take-over attack of the user’s financial accounts. The attacker may also operate other device features, such as the camera and video recorder, to capture even more sensitive information and in the most intimate of situations.
The problem is caused by the failure of mobile users to appreciate their devices for what they effectively are — powerful computers — and to protect them accordingly. Even traditional security-related threats, such as phishing, viruses and Trojan horses, which are typically associated with PCs and larger IT systems, remain equally applicable to mobiles. While some of these risks can be mitigated by downloading one of the many free mobile apps from major security vendors, ignorance of the risks means users often don’t take advantage of these apps to ensure even the most basic level of security.
As a result, we can now understand how the worlds of cyber security and fraud are merging into one, where any security breach can potentially serve as a fraud enabler. And while most of these threats are not new, they are becoming increasingly apparent as the world becomes more digital.
While the impact of fraud on the individual is clear, there is also a wider issue at stake: the effect on larger organizations, institutions and governments. Today, the need to adapt to the digital world has become almost universal. On one hand, this is due to considerations such as improving customer experience, efficiency and reducing operational costs. And at the same time, Internet of Things (IoT) technology has become an enabler to expand digital capabilities into new, more industrial spheres. The result is they can gain the ability to remotely manage large operations conveniently and accurately, over wide geographical areas in the fields of transportation, agriculture, communication, construction, utilities and more.
But accompanying the benefits are huge security risks — far greater than has been the case until now. That is why for these organizations, the enthusiasm to embrace the potential benefits of the digital world is often tempered by the inherent complexities and dangers. Complicating matters, while they know they must approach digital transformation in a manner that is rational and responsible, in some cases, they do not know how to even start doing so.
There’s good reason for such caution. Imagine the implications of a successful cyber-attack on a smart grid belonging to a national utility company or transportation infrastructure such as SIM-equipped traffic lights. Worse still, consider the implications of a cyber-attack on one of the more than 1,100 operational satellites that provide communication services to populations worldwide. The result would cause chaos and almost certain loss of life.
To combat the increasing threat of cyber-fraud, awareness and smart strategies are key.
As individuals, we need to be constantly aware of potential cyber-attacks that can cause us damage, either financially, privacy-related, or otherwise. As such, we must ensure that we act responsibly when it comes to our “digital behavior”. This includes installing security apps on our smart devices, only opening media that originates from trusted parties and staying aware of potential phishing attempts.
For commercial entities and national institutions whose mission is to provide greater virtualization and digitalization, expert advisory services need to be a part of the transformation process. Only such an approach will ensure that risks are minimized and systems are adequately secured to protect both the organization and its customers.
As vendors, we are at the forefront of the battle. Fighting it requires an intelligent mix of cyber-security, traditional fraud methodologies and domain expertise. We must continuously develop new detection and prevention techniques that enabling organizations to respond in real time to any security breach. At Amdocs, we are playing our part by employing advanced and sophisticated real-time correlation techniques, as well as powerful machine-learning capabilities to create solutions that can proactively predict and prevent the next fraud event.
1 Social engineering is an attack vector that relies heavily on human interaction and often involves
tricking people into breaking normal security procedures.
2 Mobile malware is designed specifically to target a mobile device system, such as a tablet or smartphone to damage or disrupt the device. Most mobile malware tries to disable a mobile device, allow a malicious user to remotely control the device, and/or steal personal information stored on the device.
Copyright 2016 Black Swan Telecom Journal