From “Apple-picking” to “iFraud”: The evolution of smartphone theft into smartphone fraud
In June of this year, law enforcement officials and smartphone manufacturers met in New York at the “Smartphone Summit” to discuss the alarming increase in smartphone thefts. The Federal Communications Commission (FCC) reports that almost 33 percent of robberies include the theft of a mobile phone – ignoring, for the moment, whether the theft of the phone was the primary intent or just a fortuitous (for the thief) by-product of the robbery. This month, Security Research Labs in Berlin reported an attack on smartphone SIM cards – more to the point, one that raises questions about the encryption the cards rely on.
Predicting the future of fraud attacks and fraud vulnerabilities is always a tricky process fraught with error. But, in this case, the history of fraud behavior on other access devices tells us it is not much of a stretch to conceive that fraudsters will purchase stolen smartphones from thieves to harvest the personal identifying information, bank account details, and passwords stored on them. Stealing a $350-$700 smartphone to resell for pennies on the dollar, or even to use personally, has limited value when compared to accessing banking relationships with a potential value ten times greater than the price of the phone itself. This scenario will not take long for fraudsters to figure out, if it isn’t abundantly clear already.
There are a number of vulnerabilities that make smartphones the ideal access point for theft and illicit activity, including:
1. Openness: In the true spirit of ease of use and robust functionality, the physical devices are not tamper-proof, are not tamper-evident, and are not even tamper-resistant. However, some newer devices are water-resistant (commit fraudulent transfers in the pool?). But, that is another topic. Anyway…
2. Credibility: Are we to assume that the person possessing the phone is the owner of the phone? Historically, we assumed that if a cardholder was in possession of their card, and did not lend it to anyone along with their PIN, then the transactions were theirs! But for cards, skimming along with other attacks showed this presumption of security not only to be false, but based upon flawed logic. Does the phone possess “tap and go” Near Field Communication (NFC) capability? If so, does it matter who is holding the phone making the purchase?
3. Integrity: Given the expense and reliance on smartphones, how could the person who returns our lost phone do anything other than restore our faith in humanity? Some food for thought on a “Good Samaritan” potential vulnerability.
- Good Samaritan: “Hey I found your phone, this is the new model — it’s pricey. I figured you would want it back.”
- Consumer: “Wow thank you! I didn’t even notice it was gone. What a relief — thank you again.”
- Good Samaritan: “No worries. Ah, and don’t mind the new app I installed for you. It is just a little Trojan, it will only text me your account numbers, access credentials and device id the next time you log into the bank’s mobile banking application. Have a great day.”
4. Consumer Enablement: Another potential vulnerability – the consumer simply stores their access credentials in the contacts application on the phone, so they don’t have to remember them. Far-fetched, you say? Remember, hardly anyone uses the device security features, and nearly 20 percent of the PINs consumers select are 1234 or other easily guessable PINs. And, of course, don’t forget the significant portion of cardholders who write their PIN on the signature panel of their card. This history makes it abundantly clear that the mobile device, while a wonderful new enabling technology, will be vulnerable to old attack vectors with new tweaks and twists.
Since fraud and the fraudsters are here to stay, take a proactive approach to fraud as the method for managing this risk:
- Mitigate as much fraudulent activity as practical by “designing against crime,” and engineer in the “Kill Switch” that San Francisco District Attorney George Gascon has asked for
- Ensure fast detection by monitoring transactional behavior for anomalous activity
- Analyze fraud events with thorough root-cause analysis including device evaluation
You can’t manage what you don’t measure.
And lastly, good hunting… for fraudsters, that is.