March 14, 2014
Kentucky Fraud Kickin’.
The Internet and mobile devices and related gadgetry have brought so much incredibly useful stuff into our lives that sometimes it’s hard to imagine how on earth anyone managed without it before. You know, purchasing airline tickets and checking in, online shopping and banking, multi-device data sharing, keeping the kids occupied on the backseat of the car with a film on their tablets (in my youth you just sat there or played I Spy). But I digress, and so early on in this post…
Alas, along with all the good and helpful stuff to make life easier, the Internet’s brought us other stuff – bad stuff that’s harmful and dangerous. Malware, spam, hard-to-trace cybercrims, cyberweapons, etc., etc. There’s also Internet fraud, which is what I’ll be writing about in this post, or – more to the point – how to combat it.
But let’s start with the basics: who suffers from Internet fraud?
Consumers? Well, yes, but not much compared with businesses: the brunt of the cost of online fraud is taken by banks, retailers, and in fact any online operators.
A few figures to illustrate the scope of Internet fraud:
- In 2012 in the United States alone, direct losses from online fraud came to $3.5 billion;
- Those losses were made up of about 24 million fraudulent online orders;
- Almost 70 million orders were cancelled due to suspicion of foul play.
All rather alarming.
In the meantime, are online operators generally taking any measures against fraud?
Of course they are. Plenty!
They all have a large budget to cover ‘risks’, have special teams dedicated to manually checking operations, and employ different protection technologies. But risk budgets aren’t bottomless, those teams don’t come cheap – and can make mistakes, and automated analysis systems are far from ideal. Even cool inventions in the field of two-factor authentication don’t guarantee security. For example, chipTAN, popular in Germany, took cybercrooks all of two months to crack, while intercepting text messages with codes for transactions has been around for several years already. Clearly, offense has the upper hand over defense: new technologies get released rarely and are quickly gotten around.
What is needed is a fresh approach to protection and quick reaction times to new security challenges.
Can the anti-malware industry help make things better here? Of course it can!
We’ve been playing the seek-and-destroy game with cybercrime for decades and know perfectly well how to identify and patch security problems. However, to apply our experience to the real world and fight Internet fraud we need cooperation from banks and online retailers and anyone else who does business on the Internet – only with their input can we make a difference. The challenge is daunting, and the average consumer can hardly hope to cope with it. On the other hand, online operators have everything at their fingertips – knowledge, technology and direct contact with their customers (and their computers and devices). What’s more, consumers tend to perceive online operators as able to and indeed obliged to provide security. The only thing missing here was the right tools.
A logical question you might ask at this juncture is, ‘isn’t it the task of antivirus to protect consumers’ online transactions?’
Well, first of all, not everyone has antivirus. Especially on mobile devices. Secondly, even if it is installed, far from every AV is able to keep up with the inventive greed of cybercrime: the loss figures above clearly demonstrate that the general level of mobile protection is not much of a hindrance for the baddies. Finally, there are additional protection technologies not present in traditional desktop antivirus that can be used specifically against Internet fraud (and in a very specific, separate way).
So that’s why we recently came up with KFP (Kaspersky Fraud Prevention) – a dedicated solution for banks, online retailers and any other online businesses to reduce financial losses caused by Internet fraud.
Specifically, KFP protects against: the theft of access details for online banking, transaction interception, multi-factor authentication bypassing, and many other types of sophisticated Internet disgrace.
KFP consists of three modules:
- A lightweight agent for either a workstation (Windows and Mac) or a mobile platform (Android and iOS), which is compatible with other antivirus applications, is unobtrusive, fast, and stays on top of the epidemiological situation and punishes attempts at online fraud. The details are here.
- An anti-fraud server that uncovers suspicious activity in online banking transactions or online payment processing based on a number of parameters (user behavior, device ID and the device’s rating in our cloud-based KSN, compromised sessions, the presence of malicious code, etc.). It also integrates with existing banking anti-fraud systems and provides them with valuable analytical data. The details are here.
- A management console for: monitoring agents and servers, situation analysis, attack tracking, reporting, and lots of other stuff that such consoles normally never do. More details are here.
KFP relies on technologies used in our endpoint products that have certificates and awards that prove their ability to deal with most attacks on online transactions and to do it better than the competition.
Here’s another practical example (with a few elements of product placement thrown in for good measure):
About 10% of online orders come from mobile devices. However, the monitoring of fraud in this segment is performed by only 30% of companies. Which is daft really as the level of mobile fraud is 50% higher than non-mobile. Then there’s the problem from the other side of the fence – not many users understand that smartphones and tablets need to be protected just like ordinary computers. In the meantime the diversity and functionality of malware on these devices is rapidly catching up with Windows.
Banks and large retailers, however, are developing their own mobile applications and doing what they can to keep them as well protected as possible. But for smaller online retailers without experience or expertise in security, organizing protection from scratch takes a long time, is expensive, and doesn’t always have the intended result.
To address this challenge we decided KFP should also come as an SDK, i.e., banks and other online operators can create their own apps for Android and iOS with our security features already implemented! And there are more than plenty of functions in there: multilayered protection from malware, behavioral analysis of apps, certificate verification, URL reputation checking, protection from phishing attacks, secure data storage, SMS encryption, Wi-Fi connection reliability checking, anti-keylogger, anti-screengrabber, rooting/jailbreaking blocking, auto software version updating, and much, much more.
And all that’s not from some startup with beautiful presentations and questionable implementation, but from experienced experts who’ve created one of the best security solutions for mobile devices, and who in a couple of months will be celebrating their 10-year anniversary fighting mobile parasites.
Of course, online operators could get by for now without some of the features mentioned. But longer term, the level of online fraud would only grow proportionally, reputations would be damaged, regulatory bodies would get nervy, and there’d be an increase in the cost of additional processing of orders. So you could say it’s worth Nike-ing it if you’re serious about the long-term. Just do it.