Survey: Average company losing $90 million to mobile fraud

The average company loses $92.3 million a year to mobile fraud

mobile smartphone user hand

The average company loses $92.3 million a year to mobile fraud, according to a new survey of 250 companies from across a wide spectrum of industry verticals.

The average revenues of the companies in the survey was $2.5 billion, meaning that the mobile losses accounted for more than 3 percent of revenues.

In addition, some organizations reported that they lost as much as 25 percent of revenues to mobile fraud.

Retailers were the single biggest group of companies surveyed, followed by computer software firms, banking and financial services, computer services, healthcare, and other industry verticals.

The fraud typically came in such forms as purchases made with stolen credit cards, theft of money from online banking accounts, redeeming frequent flier miles for gift cards on hospitality and travel sites, and fake prescriptions ordered through health websites, said Angel Grant, senior manager of fraud risk and intelligence at RSA, the security division of EMC and one of the sponsors of the study.

RSA has also seen the growth of mobile fraud through its own channels, she added.

The company sells a risk-based authentication solutions for online banks, retailers, and medical record portals.

"When we monitor the transactions that are going through our system, we noticed a dramatic increase in 2014 of transactions moving from web to mobile," she said.

But as users did more shopping and banking on smartphones and tablets, the criminals moved over as well, she said.

"Last year, 32 percent of all transactions processed through adaptive authentication came through the mobile channel," she said. "And 40 percent of the transactions marked fraudulent, came through the mobile channel."

Many companies have a false sense of security when it comes to mobile devices, she said, and don't have the same security mechanisms in place for their mobile apps as they do for their websites.

"There's a false sense of the security in the market," she said.

But RSA is seeing both device-level fraud, such as when unprotected phones and tablets are stolen, and application-level attacks.

The latter are more dangerous, she said.

These include mobile phishing -- or smishing -- where, for example, a customer gets an SMS supposedly from their bank that asks them to go to a site and enter their information.

The survey also asked companies about what kind of authentication mechanisms they were currently using.

The vast-majority -- 77 percent -- relied on user names and passwords, and 52 percent also looked at device IDs.

Challenge-based questions were used by 44 percent, followed by IP recognition at 41 percent and phone-based authentication such as SMS and voice at 28 percent.

Only 20 percent used soft tokens, and fewer still -- 17 percent -- used biometrics.

But this is likely to change.

"Most respondents said that they are looking to add more authentication measures," said Grant. "Most realize that a user name and password isn't enough anymore."

The top authenticaion measure on companies' to-do list is biometrics, which 47 percent of respondents said they were planning to require in the future, followed by phone-based authentication at 38 percent and soft tokens at 32 percent.

The most likely biometric measures used are facial, fingerprint and voice recognition, Grant said.

"Most consumers are becoming more comfortable with those types of biometric technologies than they were three to five years ago, because the devices they're using have that baked right in," she said.


Copyright © 2015 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline