This repost of a blog post, originally published on April 8, 2013, is in memory of our beloved colleague and friend, Michelle Castell. Michelle died earlier this month after a long and courageous battle against cancer. The blog summarizes a white paper Michelle wrote earlier this year concerning online account takeovers, a topic that is still timely. Michelle was new to the world of payments when she joined the Retail Payments Risk Forum in mid-2012. In her enthusiasm to learn about payments, she experimented with different payment types and channels to gain a personal understanding of how they work and the risks they pose. Michelle was immediately intrigued and concerned by the account takeover risks posed to consumers and businesses from the alarming growth of malware on mobile phones. It was through her personal and enthusiastic approach to her work that Michelle became an advocate for improved consumer education when it comes to payments security—which is the conclusion of this post and her account takeover white paper. You can find a link to the white paper at the end of the post.
Today's news is loaded with stories of account takeovers of both businesses and individuals. With an alarming frequency, accounts are hacked, identities are stolen, and money disappears. Have the availability of smartphones and their increased use for conducting social, financial, and personal business sparked this increase? With a 78 percent penetration rate in the United States alone, mobile phones are not going away, and smartphone growth is catching up.
Currently, there are 6 billion mobile subscribers worldwide, with more than 1.2 billion of them accessing the web at any given time. These individuals are shopping, banking, watching videos, playing interactive games with other players, texting, or e-mailing on their devices. Smartphone users are actually three times more likely to provide their log-in information when prompted than those accessing the Internet from a personal computer, according to the computer and network security company RSA. Given these trends, fraudsters are once again taking advantage of the weak spot and using technology to spread malware onto mobile phones.
While the number of individuals accessing the web is staggering, perhaps even more amazing is the increased usage of mobile devices for sending text messages. In 2011 alone, more than eight trillion text messages were sent. As such, text messaging fraud—or “smishing,” a term created from the abbreviation for short message service SMS—is now becoming a tool of choice for fraudsters.
Is your phone protected? Studies conducted in the United States and abroad show that only 4 to 10 percent of all phones have antivirus software, compared to over 80 percent for personal computers. It's just as easy for a cybercriminal to gain access to your financial institution through a mobile text or a mobile e-mail account as it would be on a computer. Could protection and education about mobile security be the ticket to reducing account takeovers? I believe it can. Taking a bite out of that 90-percent statistic for unprotected smartphones most certainly will deflect attacks that could penetrate through to the financial environment. T-Mobile recently announced it was teaming up with Lookout virus protection to begin shipping most Android models with out-of-the-box protection against malware and viruses. This move could be a significant first step in virus protection, especially if other phone manufactures were to follow suit.
What can you do? Well, there are a few things, including:
- Install a certified virus application on all family devices and set them to run weekly (many good options are free).
- Don't change the default security restrictions by jail breaking your device. Only download applications from a reputable vendor application marketplace (Google Play store or iTunes, for example).
- Review and make sure you understand any pop-ups, e-mails, or texts before you click.
For more information related to account takeovers, check out the Risk Forum's recent survey paper, "Mitigating Online Account Takeovers: The Case for Education."
By Michelle Castell, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed