The Daily Item, Sunbury, PA

March 21, 2014

When it comes to cybercrime, retailers are two steps behind the hackers

By Hayley Tsukayama
The Washington Post

WASHINGTON — The massive cyberattack on Target last year unleashed efforts to protect consumers from crooks swiping credit card data from in-store transactions. But as retailers and regulators scramble to develop a solution, hackers have already moved on.

Most hackers are focusing their efforts on online transactions — increasingly with an eye on those conducted over smartphones or other mobile devices.

In other words, retailers are two steps behind the criminals.

While cyberattacks on physical systems, such as registers, card readers and gas pumps, have garnered a lot of attention lately, shoppers’ online transactions are much more likely to fall victim to hackers, security experts say.

Mobile malware accounts for a small part of data breaches — Cisco estimates that malicious software targeted at mobile devices comprises only 1.2 percent of all Web malware — but security experts say it is growing at a frightening pace. McAfee recently reported that the number of malware targeting Google’s Android operating system nearly tripled between 2012 and 2013, to 3.7 million.

“Although not a significant percentage, it is still worth noting because mobile malware is clearly an emerging — and logical — area of exploration for malware developers,” Cisco researchers wrote in the firm’s latest annual report outlining major security threats.

For retailers, that trend is particularly troubling. Shoppers have embraced mobile transactions, and retailers are happy to accommodate them, adding easy ways to buy goods with just a few taps on a smartphone or tablet. IBM Analytics reported that, on Cyber Monday 2013, mobile shopping accounted for 17 percent of all online sales — an increase of 55.4 percent year over year.

When big companies start paying attention, however, so do fraudsters. Mobile malware started in the early 2000s as a way to scam users by tricking them into dialing pay-per-call numbers or responding to messages that tacked on service charges to their bills. But now, the mobile channel can turn over real money, and at a time when security measures are still in early stages of development.

In 2012, Visa e-commerce company CyberSource estimated that around 1.4 percent of all mobile commerce revenue was lost to fraud — between $300 million and $400 million — as compared to the 1 percent lost to online fraud.

Much of the problem is that average consumers aren’t attuned to figuring out when they’re being targeted by malware on their phones, experts said. Links are often truncated for small screens, for example, keeping people from noticing that the address they’re trying to go to isn’t what it says it is. Similarly, a text message from a friend telling you about a new app or a cool website may seem genuine but turn out to take you somewhere you don’t want to be.

And then there are apps.

“With computers, you mostly get malware through exploits — you browse the website, and you get infected,” said Mikko Hypponen, chief research officer for the security firm F-Secure. “That never happens on phones.”

On phones, he said, attacks happen because customers actively download a program that looks legitimate but has hidden features that tap into phones to collect information. This kind of mobile malware is mostly a problem for Android phones; Cisco reported that 99 percent of the malware it discovered for smartphones in 2013 targeted Google’s mobile operating system.

But other users aren’t completely safe from attack either, as consumers can also get attacked by clicking on errant links in social media or having their information intercepted if they use unsecured WiFi networks to shop.

One solution, security experts say, is to quickly educate shoppers about mobile security risks and to build in strong mobile security protocols in store apps and other mobile commerce platforms, such as biometric solutions.

Paul Donfried, chief technology officer of the security technology firm LaserLock, said that building secure solutions through voice recognition or fingerprint scanning could help cut down on fraudulent or even accidental purchases — especially for parents who hand their devices over to their kids. The only trick is making sure it’s easy enough for shoppers to verify their identities without having to jump through too many hoops to prove who they are.

“If authentication technology can be simple enough to use and noninvasive, our customers see this as a good thing...because it makes it clear to them that someone’s looking out to protect their identity,” he said.