Smartphones, Tablets and Fraud

Consumers rely on their mobile devices on an ever-growing basis to keep them connected. Smartphones and tablets provide them with access to each other through email, messaging, and social media while also putting financial services and shopping in the palm of their hands. And each and every one of these activities holds value for criminals in search of account credentials and PII to sell or misuse. Unfortunately, for all of the potential that mobile devices represent, the apathy of every mobile stakeholder is undermining the security of mobile devices and the accounts of their users. Protecting Android, iOS, and Windows mobile device users from fraud will require a concerted effort by all stakeholders to eliminate vulnerabilities, encourage security-minded behaviors, and to leverage all the security benefits that mobile devices have to offer.

The study, conducted by Javelin Strategy & Research and sponsored by online authentication solutions firm Nok Nok Labs, polled more than 5.600 U.S. adults in 2013 to determine their mobile habits on Android, iOS and Windows devices.

Key Findings

Android, iOS, and Windows mobile users are undermining their security by reusing passwords more often than the average consumer. These mobile users are about 25% more likely than all consumers to use the same password to access more than one online account. This motivates criminals to target them and their devices to secure credentials with the expectation that they will facilitate access to a variety of the victim’s valuable accounts and services.

Heavy reliance on one-time passwords is placing Android users’ financial accounts at risk. 41% of Android users take advantage of one‐time passwords (OTPs) with their financial accounts. The prevalence of mobile malware for Android capable of intercepting OTPs sent by text (i.e., Short Message Service or SMS) is contributing to the rate of fraud these users experience. Mobile users prefer fingerprint authentication, which bodes well for Apple and Samsung. Fingerprint scanning is preferred by Android, iOS, and Windows mobile users among the prevailing biometric modalities. Recent moves by Apple and Samsung to expand fingerprint-based authentication is likely to be well received and will subsequently bolster the preference for this modality. One in five or fewer Android, iOS, or Windows mobile device users are truly protecting their data from a physical intrusion. While using a password, or better yet a fingerprint, to protect the lock screen can effectively deter some attempts to physically access a mobile device, more safeguards are needed to dissuade professional criminals. Unfortunately the use rates of remote wipe software and disk

Mobile users desperately want to protect their devices from vulnerabilities in outdated OSs, but updates are not always convenient or available. Updating the OS can be hampered by limited availability from carriers and manufacturers in the case of Android or because of how an update has the potential to undermine performance after installation in the case of iOS.

Android and iOS users face a significantly higher rate of fraud than the average consumer, but the reasons differ. Users in both camps display similarly poor password and security habits, which are contributing to their risk of being victimized. More specifically, it is mobile malware that is spurring the fraud experienced by Android users, while the attractiveness of iOS users’ income has placed them in the crosshairs of fraudsters.

Passwords are the typical first line of defense for online accounts, and in some cases they are the only means by which an account is secured from unauthorized access. Given the= breadth of available apps and services that mobile users have at their fingertips that require a password, it is unsurprising that convenience has taken a back seat to security. Mobile users have fallen into the “password trap,” reusing the same passwords for multiple sites and services. As a result, they are exposing their online accounts to a greater risk of compromise and eventual misuse.

Ultimately, the multitude of threats facing mobile devices and the habits of their users are conspiring to create an environment where fraud can flourish. Not every device owner experiences fraud at similar rates, though:

• Among Windows mobile device users, 4.8% experienced identity fraud in 2013, which is 10% below the rate at which all consumers were victimized (5.4%).13 This can partially be attributed to the smaller share of the mobile device market they represent, which makes them less attractive targets, but could also be the result of other factors such as the use of non-SMS-based two-factor authentication common to Microsoft services, such as Outlook.
• Android users face the most serious threat from malware and are placing their financial accounts at risk when relying on SMS-based OTPs for authentication, both of which contribute to a rate of identity fraud that is 31% higher than what all consumers experienced last year (7.1% vs. 5.4%, respectively).
• Despite owning devices far less prone to malware infection than Android, 7.3% of iOS users experience identity fraud that is 36% higher than average (5.4%). This is because of their substantial market share, which makes them higher profile targets, the use of Apple services, which rely heavily on a single set of credentials, and users that have higher-than-average incomes, which make them more attractive to fraudsters.

For more details read the full Javelin report titled SMARTPHONES, TABLETS, AND FRAUD: When Apathy Meets Security