On data breaches and forms of attack: resistance is futile

In 2012, we have seen an increasing number of sophisticated attacks made on a range of organisations in an attempt to capture consumer information.  In 2013 we should not only expect such attacks to escalate in terms of frequency and significance, but for traditional defence technologies to provide little resistance

Against this background, the solution lies in preventing the hackers from being able to use or take advantage of such stolen data. That way, increasingly deadly techniques that we have seen grow into successful global problems in the last year, can be prevented. At the moment I believe there is an over-reliance on PINs and the like, as well as the use of SMS as an Out-of-Band means of authorising a transaction; this makes it all too easy for sophisticated fraud techniques to take their toll. A good example of this is SIM Swap fraud, whereby fraudsters can maliciously redirect One-Time-Passcodes delivered via SMS in order to defeat authentication systems and verify transactions that they have carried out using stolen account information. We have also recently read about the European losses attributed to the Eurograbber virus, yet another mobile-based SMS redirection Trojan that has been around for some time.

In Australia, the Mobile Network Operators have released a statement warning banks not to use SMS for transmitting One-time-passcodes; a common technique in that country. It is these very attacks that are the reason for such warnings. I believe that in the UK we will see an increase in losses attributable to hijacked SMS messages if banks continue to use the medium as a supposedly secure transport mechanism without the appropriate defence mechanisms in place.

Using the customer’s mobile phone as an authentication and transaction verification device is entirely sound, but what’s needed is a layered approach based on voice rather than SMS,and combining visible and invisible security checks such as Call-forward and SIM Swap detection. I believe the message is getting out there but 2013 will still see increased losses due to SMS vulnerability.

On all things mobile

2012 has been the year of the mobile wallet and 2013 will see some actual merchant adoption of the many wallets that have already been announced, no doubt with many more to come before the inevitable consolidation will occur. Picking the winners and losers, though, is far harder in what is fast becoming a saturated market. Merchant adoption is of course key. 2013 will also be the year of mobile payments. I personally believe that 2013 will herald a faster transition to mobile payments than analysts are currently predicting. Traditional transaction methods remain woefully inadequate to meet the needs of both the world’s large under-banked population and those who are demanding even greater convenience from their banks. Mobile opens up a host of possibilities to address both needs.

However, throughout 2012 the mobile payments industry has been preoccupied with the race for market share and no single technical standard has emerged. As long as there remains opportunity to be had and competition remains high, I think we’ll see this trend continue. I wouldn’t be surprised if along the way some of the fundamentals fail to be addressed (we have already seen one high-profile case in the UK in 2012) and we see a significant fraud attack that puts users at risk, causing significant reputational damage for this new channel.

That’s why, as we move into 2013, we’re fully in support of the Electronic Transaction Association’s Mobile Payments Committee, as it looks to become a unifying body helping to shape the standards for the merchant acquiring industry in this area.