
Mobile Security: a Review of New Advanced Technologies to Detect and Prevent E-Payment Mobile Frauds


Academic year: 2020


Available at http://www.ijcsonline.com/


Golan Carmi and Shay Yehuda Segal

Department of Accounting & Information Systems, Faculty of Management, Jerusalem College of Technology, 21 Havaad Haleumi St., P.O. Box 16031, Jerusalem 9116001, Israel

Abstract

In recent years, mobile devices have increasingly been used for web browsing, social networking and online shopping, also known as e-commerce. The emergence of contactless technologies such as near field communication (NFC) has allowed mobile devices to move a step closer to a cashless society. While e-commerce and its technologies have huge potential for business revenue, they are also more prone to fraud. Cybercriminals have become progressively more sophisticated, using malware, spear-phishing, denial of service and other techniques. Security measures, especially against fraud and identity theft, have thus become an imperative issue in e-commerce and mobile devices. Businesses using mobile devices for e-commerce sites need to find a way to secure their e-payment processes and online transactions. This article reviews different fraudulent acts that target mobile e-payments and the technologies available to detect and manage these frauds.

Keywords: Mobile Security, Mobile Frauds, Mobile payments, Mobile device.

I. INTRODUCTION

Financial fraud has long been part of human history and can be dated back to 300 B.C., when a Greek merchant tried to escape with a large insurance policy known as bottomry. Ever since then, monetary scandals, reckless decisions and poor handling of money have led to financial crises over the centuries [1]. The more sophisticated fraud became, the harder it was to detect and manage, forcing the government to tighten regulation of monetary transactions. In that respect, the Sarbanes-Oxley Act (also known as the SOX law), for instance, was instituted in 2002 following major fraud scandals throughout the U.S. [2]. Managers became responsible for ensuring the presence of adequate internal controls and improving the accuracy and reliability of financial reporting and disclosures, which would reduce the likelihood of fraud and assign accountability to those committing it [3, 4]. Nonetheless, external auditors are also required to report on the effectiveness of these internal controls and to evaluate management's assessments of the controls.

The financial sector has traditionally been on the lookout for suspicious behavior and has enforced the anti-laundering regime. In recent years, the Internet and digital life, not only electronic banking, have become more widely available, and new payment mechanisms are increasingly being used, particularly stored-value prepaid cards and mobile money transfer systems.

Figure 1. Statistics on mobile usage (comScore report, 2015).

According to comScore's latest report, 2014 was the tipping point at which mobile users surpassed desktop users. This data will help business developers to analyze how consumers behave when using different types of mobile devices and what their preferences are.


Figure 2. Percentage of consumers using mobile devices (comScore report, 2015)

In addition, the majority of consumers are "multiscreening", which means using different electronic devices to access the Internet. This means that retailers should make their sites suitable for different devices, thus ensuring a consistent web surfing experience across them.

Figure 3. Using the mobile phone for banking [5]

According to the 2014 Federal Reserve Board report [5], the number of customers using their mobile phone for transaction activity is very high. Figure 3 represents the number of people using their mobile device to conduct any type of transaction activity in their bank accounts. For example, the majority of customers (93%) reported checking their account balance, 57% use their mobile device to transfer money between the same banks, and a smaller fraction (38%) use the device to deposit a check (taken from [5], Figure 3, p. 10). This increasing use of mobile devices for online transactions, together with the high potential for fraud, should warrant more attention from banks, retailers and IT security companies to securing e-payments and online transactions.

Fighting financial fraud and cybercrime requires multidisciplinary collaboration between the private and public sectors, and in order to best address these issues, one must understand the type of fraud that is being attempted.

II. FRAUDS AND CYBER-SECURITY OF CURRENT BUSINESS SECURITIES PROBLEMS

In the past several decades, electronic resources have become increasingly available. While these technologies have many advantages, such as increased productivity, faster communication and greater e-commerce convenience, they also open the door to increasingly sophisticated cybercrimes [6]. As e-businesses and e-wallets have a high rate of acceptance in developing countries, businesses are struggling to ensure tight security for their e-transactions, and the search is on for a better transaction platform.


According to Javelin Strategy and Research [10], overall fraud amounts in the US increased from $18 billion in 2011 to $20.9 billion in 2012; a 10-fold higher number (~$220 billion) is estimated worldwide for business losses from identity theft. This increase in fraud amounts was driven by dramatic jumps in the two most severe fraud types: new account fraud (NAF) and account takeover fraud (ATF). Therefore, online shoppers, whether they use the web via a computer or a smartphone, should be extremely worried, as they leave sensitive information (personal info, credit card number etc.) on their device.

Table 1: Levi's Typology of Fraud by Victim [9]

| Victim sector | Victim subsector | Examples of fraud |
|---|---|---|
| Private | Financial services | Cheque fraud; Counterfeit intellectual property and products sold as genuine; Counterfeit money; Data-compromise fraud; Embezzlement; Insider dealing/market abuse; Insurance fraud; Lending fraud; Payment card fraud; Procurement fraud |
| Private | Non-financial | Cheque fraud; Counterfeit intellectual property and products sold as genuine; Counterfeit money; Data-compromise fraud; Embezzlement; Gaming fraud; Lending fraud; Payment card fraud; Procurement fraud |
| Private | Individuals | Charity fraud; Consumer fraud; Counterfeit intellectual property and products sold as genuine; Counterfeit money; Investment fraud; Pension-type fraud |
| Public | National bodies | Benefit fraud; Embezzlement; Procurement fraud; Tax fraud |
| Public | Local bodies | Embezzlement; Frauds on Council taxes; Procurement fraud |
|  |  | Procurement fraud (– mainly but not always foreign – companies to obtain foreign contracts); EU funds fraud |

Figure 4a. Overall identity fraud incidence rate and total fraud amount by year [10].

Figure 4b. Distribution of most commonly attacked websites, SecureList, Kaspersky Lab [28].

Though Figure 4a represents only one subset of fraud in the US, i.e. identity theft, these numbers are alarming, as more and more customers use their mobile device to access financial services, either to check bank records or to make a transaction. Figure 4b represents the distribution of attacks by website. According to the Kaspersky Lab analysis [28], 25% of the attacks occur when people shop online, though security attacks and theft of personal information can also occur when people visit gaming sites (20%), bank accounts (13%), social media (8%) etc.

It is therefore imperative to understand that identity theft and fraud can start without accessing a bank account or shopping online. They can easily start with browsing social media such as Facebook, Twitter or Instagram, from which hackers can steal personal data for malicious purposes. Taking extra precautions is crucial for preventing cyber identity theft.

In order for businesses to properly address their market, they first need to learn their customers' needs and behavior. One aspect of understanding the target market is to conduct market segmentation by choice of use: basically, which is the most favored device for accessing information, whether it is a personal bank account, social media or online shopping. This segmentation by "choice of device" will prompt the business to develop security software better adapted to that device. It is known that most people protect their PCs with security software but not their mobile devices, either because they simply don't see the need for it or because there is not much adapted security software available.

According to the 2014 Nielsen Global Report [11], though mobile phones are often considered the first choice for access to the web, computers remain the favored device for online shopping worldwide (80%), whereas mobile devices came in second (44%). Tablets, which only recently became available (beginning of 2010), are used by nearly 31% of global online shoppers, as can be seen in Figure 5.

Figure 5. Choice of device for online shopping by region [11].

Online browsing through social media (Facebook, Twitter etc.) and online shopping, regardless of whether it is through a computer or another electronic device (smartphones and tablets), open the door for sophisticated cybercriminals to retrieve personal information and commit fraud. It is therefore imperative for both businesses and individuals to protect personal information as best they can and thus prevent fraud.

Accumulating data shows that fraud and its subtype, identity theft, have been increasing with the use of e-commerce. In the U.S. alone, it has been estimated that identity theft victims may spend on average $1,500 and almost 200 hours in order to resolve the many problems caused by identity thieves. Organizations and companies that employ e-commerce as a large part of their business need to protect their customers as well as themselves against these crimes.


customers should take to avoid identity theft [12]. This research shows that people in general don't take measures to protect their personal information, and more focus should be placed on this alarming issue. One of the major reasons for the increase in identity theft in the e-commerce world is the increased ability to purchase items and goods using mobile phones. Fraudsters also use a wide range of techniques to avoid detection. They often operate in jurisdictions where they are unlikely to be bothered by law enforcement. They move locations regularly to avoid detection, operate in a legal hinterland and seek small sums of money [7].

III. E-PAYMENT ON MOBILE DEVICES-NFC FACTOR

Several platforms allow retailers and their customers to accept mobile payments. Digital wallets, such as that used by PayPal, let users link their account (bank, debit and/or credit card) to an online account from which they can pay directly. Mobile wallets (also known as E-wallets) are based on the same principle as digital wallets, except that once the account is set up, the customer downloads the corresponding application provided by the source. A third, less frequently used payment method allows direct mobile credit card payments through a special reader attached directly to the smartphone [13]. The technologies that support and facilitate E-wallets, the types of fraud committed via E-wallets and the different technologies available to prevent fraud are much discussed in business and government forums as well.

In the current marketplace there are many payment methods and providers. Most of them have a banking background, as they can offer a transaction platform, networks and hands-on service. Credit cards are the most popular payment method and have suffered from many identity thefts. To tackle fraudulent transactions, a three-digit number was introduced on the back of the card, just below the magnetic stripe, which provides both the retailer and the cardholder with additional protection by ensuring that the right person holds the card in their hands [14]. Advanced technologies such as Radio Frequency Identification (RFID) attempted to further increase payment security by avoiding the physical use of a card: the card is instead waved near a reader. This technology comprises high standards and specifications and is used by the smart card sector in security-sensitive systems. Contactless technology is currently used in credit card payments, e-ID and e-passport systems, transport ticketing and access control systems [15].

Near Field Communication (NFC) technology is a short-range radio frequency (RFID) based technology which enables smartphones and other devices to communicate when they are brought into proximity. This technology is becoming more and more popular, especially in smartphones, enabling customers to make purchases using mobile phones. This transaction system facilitates transactions at the NFC point of sale (POS) [14]. The latest Juniper research report (2012) indicated that NFC payments are set to reach over $721 billion worldwide by 2017 [16]. With the high pace of growth, and as several attack scenarios on NFC devices and/or platforms have been discovered, companies are prompted to offer a secure payment system that meets customer and business needs [17]. While NFC technology emerged in the early 80's, only in 2011 did it become much more prominent in smartphone architectures such as the Nokia C7, RIM Blackberry 9900/9930 and Google Nexus S. Furthermore, this technology enabled the release of the Google e-Wallet and the Orange Quick Tap in the US and UK respectively, enabling customers to make payments. The concept on which the Google e-Wallet is based, for example, is a system that allows a person to sign into his online account, where credit card details are stored in a cloud [18]. However, this payment system had major breaches in its security, and information was easily accessed using a simple bypass.

One of the main issues with contactless payment cards is the relay attack. Contactless systems operate on the implicit assumptions that a successful communication with a token proves its close proximity to a reader and that, once authentication is achieved, the transaction will be approved by the reader. The relay attack exploits this exact assumption by placing a proxy-token within the communication range of the reader while a second device is in close proximity to the legitimate token. "For the duration of the relay attack, the proxy-token exhibits the same "properties" as a legitimate token from the reader’s perspective and therefore may be recognized as the legitimate source" [15]. This relay attack effectively breaches the security mechanism of the NFC system.

Caldwell [18] refers to Zvelo, a Web categorization company, which found the Linux susceptibility and vulnerability in Android-based devices and reports that the attacker can access the source on the device without affecting any information, and that this is sufficient to get to the Google Wallet PIN data for further use.


IV. THE MAJOR PAYMENT THREATS ON MOBILE DEVICES

In general, cyber-attacks are created to facilitate access to personal information and intellectual properties of businesses for future use. In order to gain access, on both PC and mobile devices, cybercriminals use 5 main ways to hack the information:

1) Spear-Phishing and Spoofing

2) Malware (Trojan horses, viruses and worms)

3) Spyware

4) Denial of service

5) POS Malware on mobile devices

1) Spear-phishing and Spoofing

Spear-phishing and spoofing are two types of targeted attack that are always part of a bigger fraud operation, usually as the first step before an Advanced Persistent Threat (APT) attack. Phishing is described as a bogus email or message that very accurately imitates a legitimate company or organization and asks the user to share personal information (passwords, credit card number etc.). Spoofing, on the other hand, asks the email receiver to confirm personal information by clicking on a specific link. This link takes the end user to a company-lookalike webpage that is essentially phony but helps the hackers retrieve personal information. Phishing attacks exist because users become accustomed to entering their passwords in familiar, repeated settings. If users frequently encounter legitimate links whose targets prompt them for private data, then users will become conditioned to reflexively supply the requested data [19].

Approximately 40% of smartphone users enter passwords into their phones at least once a day. Porter [20] found that web sites and mobile applications commonly link the user to password-protected social network and payment applications, thus conditioning users to reflexively enter their credentials after following links [20]. Based on their analysis of common behavior, the authors of [20] identify a number of new phishing attacks against mobile platforms. They demonstrate that, on Android and iOS, it is possible to build phishing attacks that convincingly mimic the types of inter-application links that their study found to be common. They categorize the attacks according to whether the sender and target are mobile applications or web sites: mobile-to-mobile, mobile-to-web, web-to-mobile, and web-to-web.

2) Malwares (Trojans, viruses and worms)

Malware is a variety of hostile software, including viruses, worms and Trojan horses, deployed in phishing and spoofing attacks. In many cases both spear-phishing and spoofing use emails or messages that usually contain a link to a bogus website on which the email receiver (end user) is required to enter sensitive personal information [21]. While both of these scams can operate without the use of malicious software, most of them do use a certain type of malware. The malware most commonly used in APT attacks is known as a Remote Access Trojan (RAT), which is inserted in doc files, zip files or spreadsheets. The reason spear-phishing and spoofing are so successful is that the email or message looks like standard business communication. As an example, Figure 6 represents the file types most used in spear-phishing.

Spear-phishing emails can have attachments of varying file types; the most common ones are rich text format (RTF) files (38%), Excel files (15%) and zip files (13%).

Figure 6. Distribution of top spear-phishing email attachment file types (Trend Micro, 2012).

Once the document is opened, the malware (in many cases a Trojan) is unleashed and exploits a vulnerability in a piece of software, a system etc., thus giving access to important and secured data. Trend Micro released a report listing the top APT-targeted organizations as government, activist organizations, the heavy metal industry, the financial business etc. [21]. Cybercriminals are using a selected set of banking Trojans which seems to be very effective. As online banking and e-Wallet usage are on the rise, money transactions might become much more susceptible to hacking.


3) POS Malware on mobile devices

Point-of-Sale (POS) malware is malicious software which steals customers' payment data from retail checkout systems through insecure remote access points. Mobile phones and other wireless devices are becoming more and more susceptible to hacking due to the use of Bluetooth and of air-gapped networks which are interconnected with each other or with the Internet, i.e. DNS resolution and smartphone charging. A further type of malware that has been seen recently is POS malware, in which data is intercepted before encryption happens. This is of major importance, as POS systems play a major role in any retail environment and are therefore very prominent targets for cybercriminals. As the business world has expanded beyond cash registers, a modern POS system plays a crucial role in payment processes, inventory logs and other management functions.

4) Spyware

According to Constantin [23], Kingsight Security Lab shows that approximately a third of the most common mobile malware is considered spyware. This spyware is downloaded and installed with mobile apps or shared peer-to-peer. While the first mobile spyware was for personal use, such as following and tracking people, nowadays it is also used for corporate espionage when an employee's phone is used on corporate facilities. Of the many available devices, Android is the most susceptible one.

5) Denial of Service Attack (DDoS)

A denial of service attack (DDoS) is a malicious attack which attempts to make a server or a network unavailable to its users. This is usually done by temporarily interrupting the service from the Internet. DDoS is less commonly used on mobile devices but is known to occur when a high number of Flash SMS messages are sent to a mobile device, making it vulnerable [24]. These messages are extremely short and fade very fast. When the phone receives as many as 30 messages like that in a short period of time, the device will not be able to connect to the Internet even after rebooting, and in many cases will crash. This is a diversion technique: while the phone is busy with many phone calls or text messages, the hacker will use this window of opportunity to hack personal information and bank accounts [25].

A DDoS attack can create a jam of fake users on the targeted website, preventing real users from entering it. This flood of fake users keeps the database busy, so real users cannot get enough response from the server to reach the affected website. This is called a DDoS (distributed denial of service) attack. The website receives a huge amount of unwanted traffic within a few hours, which may bring down the server or network and may cause the loss of all important data2.

2 http://www.ittechnos.com/ddos-attack-prevention-methods/

V. ADVANCED TOOLS FOR DETECTION AND PREVENTION OF FRAUD

With the increasing use of e-commerce in business transactions and the increasing attempts of cybercriminals to interfere with money transactions, companies are keen to secure their systems. Interestingly, it must be kept in mind “that the tool used to detect illegal activities is the same tool used to commit many of the crimes” [26].

In the following section we examine the most advanced technological tools used by different known companies that could provide the appropriate solution for each fraud category. Many of the top known companies (such as IBM) offer security services both for computers and for mobile devices (smartphones and tablets). While some of the security services offered for mobiles are free, they are usually more simplified and less comprehensive. These innovative technological security solutions are divided into five main categories:

A. New account frauds and account takeover.

B. Mobile banking fraud.

C. Malware and phishing.

D. Credit card frauds focus on mobile and E-wallet.

A. Prevention of Fraud in New Account and Account takeover

A.1. IBM Security Trusteer customer protection3: This technology is appropriate to the scenario in which a customer opens a new account, creating a trust relationship between the business and its customer. This is exactly where cybercriminals use malware and phishing to steal personal information, also known as "personally identifiable information (PII)", to create false accounts.

Detecting new account fraud requires a comprehensive view of the device risks associated with the new account opening. Trusteer tracks devices that access multiple accounts within the same organization and across organizations. Most traditional device ID systems lack the full ability to defend against cross-channel and multi-vector attacks. In contrast, Trusteer uses multiple technologies to determine whether account access is authentic by examining the device signature, the proxy server, geo-location and previous device-usage behavior. By taking advantage of a huge international database of suspicious devices, it can flag devices that represent a high risk at account opening.

This security software further extends new account fraud detection with a holistic view of the fraud life cycle. In addition to device reputation and risk factors, it checks account authenticity and credentials to accurately flag high-risk account creation. Trusteer's broad visibility, from identity theft to account creation, enables organizations to mitigate new account fraud risk and protect their customers' funds and personal information.


A.2. Threatmetrix–A Real-Time Account Takeover Defense4: Mitigating account takeover involves combining several techniques both to prevent hijacking and to deny access, in real time, to any accounts already compromised. Discover suspicious patterns of login requests or unauthorized password sharing. The major attributes of this technology are:

• Detect access attempts from risky or compromised devices and users.

• Find logins coming from the wrong places, including devices connecting from known botnets or from behind hidden proxies or VPNs.

• Look for suspicious computer configurations, including oddly-configured mobile devices or devices disguising their geo-location.

• Discover malware that has infiltrated a legitimate user’s device.

• Detect and prevent activity from bots, botnets and other scripted mechanisms.

• Require additional, out-of-band authentication for suspicious logins.

• Detect account takeover attempts coming from mobile channels.
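The device and login checks described in A.1 and A.2 can be combined into one rule-based scorer. The following is an added example, not part of the original paper and not Trusteer or ThreatMetrix code; the class, weights, thresholds, reputation lists and login events are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed reputation data (assumption): documentation-range IPs stand in
# for a real botnet feed and a real list of anonymising proxies / VPN exits.
BOTNET_IPS = {"203.0.113.7"}
HIDDEN_PROXY_IPS = {"198.51.100.20"}

@dataclass(frozen=True)
class Login:
    ts: datetime
    account: str
    device_id: str       # device signature / fingerprint
    ip: str
    ip_country: str      # geo-location derived from the source IP
    device_country: str  # country implied by the device's own settings

class TakeoverScorer:
    """Rule-based login risk scorer (hypothetical weights and thresholds)."""
    WINDOW = timedelta(hours=1)
    WEIGHTS = {"botnet_ip": 60, "hidden_proxy": 30, "geo_mismatch": 25,
               "new_device": 20, "device_many_accounts": 40,
               "account_many_devices": 30}
    STEP_UP_AT, DENY_AT = 20, 60

    def __init__(self, max_accounts_per_device=3, max_devices_per_account=2):
        self.max_accounts_per_device = max_accounts_per_device
        self.max_devices_per_account = max_devices_per_account
        self.trusted = defaultdict(set)      # account -> devices allowed before
        self.by_device = defaultdict(list)   # device  -> [(ts, account)]
        self.by_account = defaultdict(list)  # account -> [(ts, device)]

    def _distinct(self, log, key, ts, value):
        """Record (ts, value) under key; count distinct values inside WINDOW."""
        recent = [(t, v) for t, v in log[key] if ts - t <= self.WINDOW]
        recent.append((ts, value))
        log[key] = recent
        return len({v for _, v in recent})

    def score(self, ev):
        hits = []
        if ev.ip in BOTNET_IPS:
            hits.append("botnet_ip")
        if ev.ip in HIDDEN_PROXY_IPS:
            hits.append("hidden_proxy")
        # Device claims one country while its traffic arrives from another.
        if ev.ip_country != ev.device_country:
            hits.append("geo_mismatch")
        # A new device only counts once the account has a trusted history.
        known = self.trusted[ev.account]
        if known and ev.device_id not in known:
            hits.append("new_device")
        # One device walking through many accounts (scripted logins).
        n_acc = self._distinct(self.by_device, ev.device_id, ev.ts, ev.account)
        if n_acc > self.max_accounts_per_device:
            hits.append("device_many_accounts")
        # Many devices on one account (shared or stolen password).
        n_dev = self._distinct(self.by_account, ev.account, ev.ts, ev.device_id)
        if n_dev > self.max_devices_per_account:
            hits.append("account_many_devices")

        total = sum(self.WEIGHTS[h] for h in hits)
        if total >= self.DENY_AT:
            decision = "deny"
        elif total >= self.STEP_UP_AT:
            decision = "step_up"     # require out-of-band authentication
        else:
            decision = "allow"
            known.add(ev.device_id)  # only clean logins extend trust
        return decision, total, hits

def run(events):
    """Score events in time order with a fresh scorer."""
    scorer = TakeoverScorer()
    return [scorer.score(ev) for ev in sorted(events, key=lambda e: e.ts)]

# Constructed login events: (minute offset, account, device, ip, ip_cc, dev_cc).
_ROWS = [
    (0, "alice", "dev-A", "192.0.2.10", "US", "US"),
    (5, "alice", "dev-X", "198.51.100.20", "NL", "US"),
    (10, "bob", "dev-B", "192.0.2.11", "US", "US"),
    (15, "bob", "dev-C", "192.0.2.12", "US", "US"),
    (20, "bob", "dev-D", "192.0.2.13", "US", "US"),
    (30, "carol", "dev-Z", "192.0.2.50", "US", "US"),
    (31, "dave", "dev-Z", "192.0.2.50", "US", "US"),
    (32, "erin", "dev-Z", "192.0.2.50", "US", "US"),
    (33, "frank", "dev-Z", "192.0.2.50", "US", "US"),
    (40, "carol", "dev-Z", "203.0.113.7", "US", "US"),
]
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [Login(T0 + timedelta(minutes=m), *rest) for m, *rest in _ROWS]

if __name__ == "__main__":
    for ev, (decision, total, hits) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{ev.account:6} {ev.device_id:6} {decision:8} {total:3} {hits}")
```

A "step_up" result corresponds to the out-of-band authentication item in the list above; a device is added to an account's trusted set only after a login that raised no flags.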

Conclusion: We can see from the above that "account takeover" is one of the more dominant forms of fraud used by identity thieves. Often the customer's information comes from data breaches. This threat affects companies' customers and can be both costly and embarrassing for an organization to recover from, so protection against a variety of account takeover attacks is needed. The damage occurs when a fraudster obtains an individual's personal information, such as an account number, password, username or social security number, and changes the official contact information or adds another user to an existing account. The solution for this threat should combine some crucial attributes that both IBM and Threatmetrix can handle. It seems that Threatmetrix addresses the medium-sized business market, while IBM addresses its solution to big firms.

B. Mobile banking fraud

B.1. Guardian Analytics - FraudMAP Mobile5: Guardian Analytics aims to be the leader in behavioral analytics solutions that prevent information loss, banking fraud and identity theft. FraudMAP Mobile:

• Automatically monitors every mobile banking session from login to logout, comparing activity to each account holder's established patterns of normal mobile banking behavior.

• Develops an overall behavioral fingerprint that takes channel use and preferences into account (mobile vs. online).

• Proactively identifies multiple mobile accounts under simultaneous attack.

• For integrated online/mobile platforms, delivers a combined view of online and mobile banking sessions plus the ability to search, report and filter on just the mobile channel.

4 http://www.threatmetrix.com/solutions/account-takeover/

5 http://www.guardiananalytics.com/products/fraudMAP-mobile-banking-fraud.php

B.2. Hermetic – LynxGuard6: LynxGuard’s technology allows consumers to access their online accounts without login screens and with an unprecedented level of resistance to identity theft. The user’s mobile device and a single short passcode replace multiple passwords and second authentication factors. Besides strong authentication, the technology facilitates highly secure, digitally signed banking transactions and payments. Its multi-party key-protection (MPKP) technology ensures that users’ private signature keys remain secret under all circumstances, including server-hacking attacks and attacks on mobile devices. The combination of MPKP and signature-based authentication guarantees strong protection against unauthorized transactions at exceptionally low cost. The technology also allows users to smoothly and securely migrate to a new device following device theft or loss. The unique combination of strong security, high usability and low cost allows banks, payment providers and merchants to secure their services and at the same time attract more customers towards the digital channels. LynxGuard’s technology consists of three main parts:

1. Secure mobile client and SDK for integration with service providers’ mobile applications.

2. Server side SDK for integration with service providers’ application servers.

3. Distributed key protection system.

A key protection system comprises a collection of key protection servers. In order to ensure both high availability and high resistance to attacks, the servers have to be located at different sites. LynxGuard, in that respect, offers key protection as a service to its customers. Considering that the servers are never exposed to sensitive consumer information, this model should appeal to most service providers.

B.3. KASPERSKY Fraud Prevention SDK: The Kaspersky Fraud Prevention platform is a dedicated solution which protects against online and mobile bank fraud. This platform is unique in protecting both the bank and its customers by tailoring a customized solution for mobile devices. It works regardless of whether they (bank or customers) use mobile devices or traditional computers.

The SDK technology works like a set of building blocks, making it possible to construct the right solution to secure a mobile banking application. Each of these blocks provides a different set of technologies which protect against different issues, enabling the build of a solution tailored to the bank's needs. The SDK technology includes: 1) Web & Network Protection: technologies that ensure the use of the genuine online banking site, the safety of customer information, that users are working in a protected environment and that no threats are lurking on the mobile device.

The main advantages of the SDK solution include: multi-layered security for mobile transactions, mobile anti-virus technology to protect the customer's mobile device, and personalized protection and a mobile banking solution tailored to the organization’s specific requirements. It also benefits from a dynamic and real-time protection service which automatic cloud updates continuously distribute the most.

Conclusion: Online and mobile banking is never 100 per cent safe. There are many fraudsters who make efforts to fool users into sharing their financial information by using sophisticated tools that look real to most users. Internet banking is also a very safe and comfortable way to access a bank's services. Still, users should be cautious of cheaters trying to gain access to their accounts. The review of bank fraud prevention technologies presented in this document indicates the need for a solution that combines multiple features (some of which have appeared in other sections of this document), covering phishing and fraudulent e-mails, malware and viruses, mobile fraud and smishing (SMS phishing). It seems that LynxGuard represents a new technology that allows consumers to access their online accounts without login screens and with an unprecedented level of resistance to identity theft. The technology facilitates highly secure, digitally signed banking transactions and payments. The unique combination of strong security, high usability and low cost allows banks, payment providers and merchants to secure their services and at the same time attract more customers towards the digital channels.

C. Prevent Malware and Phishing Fraud

C.1. IBM Security Trusteer endpoint⁷: protection solutions eliminate malware from the endpoint and alert users before they submit their credentials to phishing sites. IBM also offers a clientless solution to accurately detect malware infections and phishing incidents in real time. This detection capability enables customers to take automated fraud mitigation actions and streamline their fraud prevention processes by focusing on truly high-risk transactions and account access. IBM's holistic fraud prevention incorporates account compromise history based on malware and phishing attack data with device reputation and risk factors to accurately detect complex, multi-vector attacks. IBM’s unique visibility into the entire fraud life cycle enables organizations to mitigate fraud risk from the online and mobile channels and eliminate the overhead of forensic investigations and recovery of funds. By eliminating fraud risk, organizations protect their customers’ assets, maximize adoption of online channels, and protect their brand and the overall customer experience.

Other solutions: most of the products for these threats are provided as part of operating systems (such as Microsoft Windows) and by anti-virus products.

7 Malware and Phishing Fraud – An IBM product. http://www-01.ibm.com/software/security/trusteer/

Conclusion: IBM – Trusteer is the dominant product in this section, but its solution is better suited to companies and corporations than to the SMB market, which can find many solutions on the market, including those offered for various operating systems.

D. Credit card fraud in Financial Transaction

D.1. FICO - Falcon - Fraud Manager Platform⁷ – This solution enables financial institutions to leverage self-learning behavioral analytics to detect and prevent electronic payment fraud in real time. By taking advantage of FICO Falcon Fraud Manager's advanced behavioral analytics, card issuers, processors and retail banks can improve the customer experience and operational efficiency by accurately and efficiently detecting suspicious out-of-pattern payments as well as automating real-time decisions on genuine payments. Financial institutions can also meet regulatory requirements by integrating sophisticated behavioral analytics for remote banking as well as leveraging a single transaction monitoring, investigation and decision-enabling solution within their enterprise fraud defense framework⁸.

D.2. Nice-Actimize - DIGITAL WALLET FRAUD SOLUTION⁹: Fraudsters use digital wallets for account takeover, provisioning stolen and skimmed card data, and depositing and circulating stolen funds. Fraudsters leverage social media to manipulate call center employees, customers, and traditional and emerging financial services. New breeds of malware target mobile devices, while SMS and instant messaging are the new vehicles for phishing attacks. These threats damage customer confidence and obstruct the adoption of digital wallets.

8 FICO falcon fraud manager 6.3 prevents electronic payments fraud on demand Deposit/Current accounts. (2012, Oct 31). PR Newswire. Retrieved from: http://150.254.220.12/han/ProQuestnowy/docview/1123872524?accountid=48546

9 http://www.niceactimize.com/Lists/Brochures/Fraud_Dat


The digital wallet solution of Nice-Actimize protects customers from digital account takeover, and protects the company from fraud liability and negative brand reputation. The solution monitors and protects a full range of wallet activity, including login from an app or a browser, card provisioning, card-present and card-not-present purchases, person-to-person transfers, bill payments, and account-service events. The solution leverages cross-channel data, multi-dimensional entity profiles, and complex analytic models to accurately predict legitimate and fraudulent wallet activity in real time. Actimize provides industry-leading end-to-end fraud management tools to drive successful interdiction and operation strategies for digital wallet businesses.

D.3. Merchant Guard - By Volance¹⁰: Merchant Guard is an automated platform designed to integrate with any online commerce shopping cart or order form system and website to help identify and prevent identity theft and credit card fraud using six specially made modules. Designed to work for businesses of all sizes, this software features multiple integration techniques and an extensive API for remote development and integration. This software includes the following modules: User data validation; IP detection; Computer history reports; Velocity detection; Web hosting module; and Social Network validation.

Conclusion: With the number of credit card fraud occurrences rising sharply all the time, today’s financial institutions are facing serious challenges. Credit card fraud is an extensive term for theft and fraud committed using or involving a payment card, such as a credit card or debit card, as a fraudulent source of funds in a transaction. For this type of threat, the solution should be a very strong tool that covers all the kinds of risk mentioned above, such as: stolen cards, identity theft, application fraud, etc. As reflected in the solutions in this document, it appears that the leading technological response to this threat is the solution provided by the company FICO, Falcon Fraud Manager, which is considered to be one of the most accurate and comprehensive solutions for detecting payment card fraud, reducing losses by up to 50%. This software helps to manage fraud related to multiple products from a single platform and to take a customer-level view of fraud cases.

VI. SUMMARY

This article indicates that fraud in financial transactions has long been a major issue in the business world, and the more electronic-based businesses (e-commerce) became, the more cybercriminals attempted to interfere with the transactions. Detecting and preventing fraud is not an easy task and requires highly sophisticated technologies. In recent years, mobile devices have become exceedingly popular as they became much more than just phones. They are pocket-sized computers which offer high accessibility to internet browsing, games, and social media. It is not surprising that mobile devices are also progressively being used for online shopping. E-payments have the opportunity to significantly increase the volume of transactions on mobile devices as they have a very high adoption rate, and though they have the potential to increase business revenue, they also open the door for fraudulent acts such as identity and intellectual property theft.

10 http://www.volance.com/

Mobile devices are becoming more and more popular for e-wallets, putting their users' personal and credit card information at risk of hijacking by cybercriminals. As we described, the most common major payment threats on mobile devices are: spear-phishing, malware, spyware and more. We have presented in this document contemporary technology that provides a solution to the phenomenon of fraud. This development required organizations to address a new set of risks created by the mobile channel.

As we reviewed, several IT-security companies, such as IBM, [27] and Trusteer, have developed security platforms for mobile devices with multiple layers of protection, identification and authorization processes. While some security apps have made major improvements, some providers are still struggling to provide the security needed for their end-users. As is known in information security practice, there is no existing technology that provides a solution to all the various threats that were presented; nevertheless, using those technologies is critical to addressing security threats, and mobile payments cannot do without them.

With the increasing volumes of mobile use in the e-commerce world, cybercriminals now have many more potential targets in their hands. The challenge of ensuring security may well affect how far the e-wallet becomes part of all our daily lives. It is important to emphasize that "user education" is another major factor which may assist in combating e-commerce frauds. Use of strong passwords and avoiding suspicious emails may play an important role in the fight against fraud. It must be understood that securing e-wallets and electronic transactions should be addressed by both retailers and customers. While retailers should provide the most secure website possible for browsing and online shopping, with a secured platform for monetary transactions, customers must install smartphone-security apps and be wiser and more vigilant when they enter personal information and secure their protected password. Mobile users must change their behavioral pattern of entering an app and typing their PINs (such as passwords) without thinking about the hazards and potential future consequences.

REFERENCES

[1] Nieweler, A. (2014). A look back at fraud in the workplace. WhistleBlower Security Blog. Retrieved from: http://blog.whistleblowersecurity.com/blog/bid/338541/A-look-back-at-fraud-in-the-workplace


[3] Keila, P.S. & Skillicorn, D.B. (2005). Structure in the Enron email database. Computational and Mathematical Organization Theory - Comput Math Organ Theory, vol. 11, no. 3, p. 183-199.

[4] Kotsiantis, S., Koumanakos, E., Tzelepis, D. & Tampakas, V. (2006). Forecasting fraudulent financial statements using data mining. Int. J. Computational Intell, 3, p.104-110.

[5] Federal Reserve Board reports (2014). Customers and Mobile Financial Services. Publications Fulfillment. p.1-70

[6] Kunz, M. & Wilson, P. (2004) University of Maryland Department of Criminology and Criminal Justice, Computer Crime and Computer Fraud.

[7] Button, M. (2009). National Fraud Authority. Fraud Typologies and victims of fraud. Literature review.

[8] Lewis, C. and Tapley, J. (2009) Fraud Typologies and the Victims of Fraud Literature Review. London: National Fraud Authority.

[9] Levi, M. (2008). Organized Frauds and Organizing Frauds: Unpacking the Research on Networks and Organization. Criminology and Criminal Justice 8, p. 389-419.

[10] Javelin Strategy and Research’s (2013). How Consumers can Protect Against Identity Fraudsters.

[11] Nielsen Global Report (2014). E-commerce: Evolution or revolution in the fast-moving customer goods world? The Nielsen Company. Retrieved from: http://ir.nielsen.com/files/doc_financials/Nielsen-Global-E-commerce-Report-August-2014.pdf

[12] Smith, R.G. (2007). Consumer Scams in Australia: An Overview. Trends and Issues in Crime and Criminal Justice, No. 331, Australian Institute of Criminology, Canberra.

[13] Palermo, E. (2013). Mobile payments options. 3 types explained. Retrieved from: http://www.businessnewsdaily.com/4469-mobile-payment-types-explained.html

[14] MacLeod, C. (2012). Contactless payment: curse or blessing?. Computer fraud and security. December. p. 10-12

[15] Francis, L., Hancke G., Mayes K & Markantonakis, K. (2011). Practical relay attack on contactless transactions by using NFC mobile phones. Information security group, smart card center. p. 1-16.

[16] Rivera, S. (2013). Gartner Says Worldwide Mobile Payment Transaction Value to Surpass $235 Billion in 2013. Retrieved from: http://www.gartner.com/newsroom/id/2504915

[17] Roland, M., Langer, J. & Scharinger, J. (2013). Applying Relay Attacks to Google Wallet. Proceedings of the 5th International Workshop on Near Field Communication (NFC), p. 1–6.

[18] Caldwell, T. (2012). Locking down the e-Wallet. Computer and Security. Vol. 4, p. 5-8

[19] Karlof, C., Tygar, J. D. & Wagner, D. (2009). Conditioned-safe Ceremonies and a User Study of an Application to Web Authentication. In NDSS.

[20] Porter, A. & Wagner D. (2011). Phishing on Mobile Devices. Workshop on Web Security and Privacy (W2SP).

[21] Caldwell, T. (2013). Spear-Phishing: how to spot and mitigate the means. Computer fraud and Security, p.11-16.

[22] Thompson, C. (2005). The perfect worm. Retrieved from: http://www.slate.com/articles/technology/webhead/2005/03/the_perfect_worm.html

[23] Constantin, L. (2013). Android spyware infections on the rise: report. PC world. Retrieved from: http://www.pcworld.idg.com.au/article/521739/android_spyware_infections_rise_report_/

[24] Brook, C. (2014). Google Nexus Phones Vulnerable to SMS Denial-of-Service Attack. Threat post. Retrieved from: http://threatpost.com/google-nexus-phones-vulnerable-to-sms-denial-of-service-attack/103066#sthash.XKJhyfQs.dpuf

[25] Swift, C. (2012). Denial-of-Service Attacks: Harassment or Fraud?. Banking Strategies. Retrieved from: https://www.bai.org/bankingstrategies/article.aspx?Id=B64C645B-1D65-4318-BBCC-9E893B66AF20

[26] Byington, J.R. & Christensen, J.A. (2003). Don't be a victim of international fraud. Journal of corporate accounting and Finance. Vol. 14(6) p.51-54.

[27] FICO Fraud Manager for Credit and debit cards. Retrieved from: http://www.fico.com/en/wp-content/secure_upload/Falcon_Debit_Credit_2909PS.pdf

Figure

Figure 1. Statistics on mobile usage (comScore report, 2015).
Figure 2. Percentage of consumers using mobile devices (comScore report, 2015)
Figure 4b. Distribution of most commonly attacked-websites, SecureList- Kaspersky lab [28]
Figure 6. Distribution of top spear-phishing email attachment file types (Trend Micro , 2012)
