About


Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.

Take On Payments

« Identity thieves still using low-tech tactics to get into your wallet | Main | Soccer balls and payment cards: A push for global standards »

July 12, 2010


The confluence of payments, social networks, and malware: Elements of a perfect storm?

Thanks to a rapid increase in functionality and convenience, consumers are becoming more comfortable conducting e-commerce and participating in social networking with mobile phones instead of computers. At the same time, though, social networks are providing cybercriminals with a ready population of potential victims for emerging malware attacks. Similarly, cell phone applications that serve to extend the customer network reach may actually create vulnerabilities to malware attacks. How can the industry manage the security vulnerabilities in social networks as they migrate to the mobile channel?

More consumers using mobile devices to access social networks
A recent report from digital media firm comScore says social network activity is one of the fastest growing access categories on mobile devices. The report states that the number of mobile channel network users more than tripled over the past year, increasing 240 percent to 14.5 million users by April 2010. The report also says that accessing bank accounts is one of the fastest growing mobile phone functionalities, both by mobile application and Internet browser. As of April 2010, consumers used bank access applications 113 percent more than the prior year.


Fastest-growing-content-categories-via-application-access-on-mobile-devices
ENLARGE

Social networks represent a growing target for phishing and malware
Social networks are beginning to compete with financial institutions and e-commerce sites as a favorite target for phishing attempts, according to a Microsoft Security Intelligence Report published in November 2009. This chart reflects a dramatic increase in phishing impressions in May and June of 2009 for social networking sites. (The report defines "impression" as a single attempt to visit a phishing page and being blocked by a filter.) Phishing schemes are frequently used to lure consumers into exposing personal data and introducing links to sites with malware downloads.


Impressions-for-each-type-of-phishing-site
ENLARGE

Gaming services—such as Farmville and Mafia Wars—available on these sites provide an additional entry point for phishing, spamming, and other schemes. Users are lured to fraudulent Web pages, where they can earn game points by completing surveys and quizzes. A specific example of a malware attack was the 2009 Koobface Worm. Koobface infiltrated numerous social networking sites including Facebook, Myspace, and Twitter by embedding a malicious link in messages that appeared to be from trusted parties. When users clicked the link, they were redirected to a page that appeared legitimate but actually included a download for malware. Once the malware installed itself on a user's computer, it gained access to the user’s personal data, facilitating identity theft payment fraud.

Malware coming to mobile phones
According to a report from security firm Mxlogic, social network malware is targeting mobile phones through subscriptions to these same gaming services, such as Farmville and Mafia Wars. It reports that when users sign up for the subscriptions, they inadvertently consent to receiving text spam that has the potential to infect a phone. Smartphone manufacturers act as gatekeepers to ensure that application developers design apps that meet their proprietary criteria and standards for leveraging their operating platforms, but with thousands of applications on the market today, mobile phones are increasingly vulnerable to data exposure. Application store operators have been proactive in policing applications for security and authenticity. For example, in December 2009, Google withdrew dozens of unauthorized mobile banking applications known as "09Droid" from its system for violating its trademark policy.

Conclusion
Since criminals follow the money, so to speak, it is reasonable to expect that malware authors will be interested in mobile payments and banking applications going forward. The rapid pace of phone application innovation and deployment will challenge efforts to detect and mitigate new malware schemes and other forms of cybercrime. For the consumer, the best line of defense to guard against viruses and malware attacks in any electronic environment is caution, by avoiding links in unfamiliar messages and social network games and choosing downloaded smartphone applications judiciously, if possible.

By Cindy Merritt, assistant director of the Retail Payments Risk Forum

July 12, 2010 in fraud , identity theft , malware , mobile banking , mobile payments , risk , social networks | Permalink

Comments

Post a comment

Comments are moderated and will not appear until the moderator has approved them.

If you have a TypeKey or TypePad account, please Sign in

Google Search



Recent Posts


Archives


Categories


Powered by TypePad