TeleSign & RSA Webinar - Mobile E-Commerce: Friend or Foe?


Transcript of TeleSign & RSA Webinar - Mobile E-Commerce: Friend or Foe?

J.Gold Associates

www.jgoldassociates.com

Mobile E-Commerce: Friend or Foe?

Jack Gold

Principal Analyst

J.Gold Associates, LLC.

February 12, 2015

Follow me: @jckgld

© 2015 J.Gold Associates, LLC

Coping with Fraudulent Transactions

Many consumers now interact with the Internet primarily through mobile devices

Traditional PC devices and browsers don’t fit into their always connected, on-the-move lifestyles.

For organizations with an on-line presence, this shift has a profound impact

• Including an impact on website security, loss prevention and fraud.

Assessing the impact of this shift on an organization’s cyber security is the focus of this study.

TREND: In the next 2-3 years, we expect e-commerce interactions attributable to mobile devices and mobile apps to surpass those from standard browsers. As a result, companies not properly securing their mobile transactions face a significant risk of fraud incidents overwhelming their businesses. (J.Gold Associates LLC.)


Some Study Statistics

Survey consisted of 250 North American organizations

44% Large ($1B+), 25% Medium ($500M-$1B), 24% Small ($100M-$500M), 7% Very Small (under $100M)

Average Total Revenues of $2.54B

Weighted average across all organizations

Internet and Mobile Revenues

One third generated revenues from the Internet in the 26%-50% range.

25% indicated that 11%-25% of that revenue came from a mobile app.


The Friend

Mobile revenue is important and growing.

More than 50% of organizations believe mobile revenues will grow 11%-50% over the next 3 years;

30% believe they will grow 51%-100%.

Growth in mobile app revenues reflects the market reality of more mobile users

To remain competitive, companies must offer mobile apps on smartphones and tablets

But there is a significant security risk in potential fraud.

Can this be eliminated or at least controlled?

Do organizations even understand the risks?


The Foe

The dark side.

Only 8% of companies indicated no losses due to fraudulent activity in the past 12 months.

34% indicated they had lost as much as 5% of revenues, 14% as much as 10%, and 15% as much as 25%.

This is a staggering level of fraud-induced losses.

It indicates that a very serious problem exists that is not being adequately addressed by current systems and processes.

Many organizations living in denial!

About 2/3 of respondents believe that they can quickly detect and remediate Internet and Mobile fraud on their sites. Yet a large number of fraud incidents causing significant revenue losses are nevertheless occurring.


Protecting Against Fraud


Many companies believe they are adequately protected, but the level of security is lacking.

We expect the growth of mobile interactions to significantly increase the percentage of fraud incidents that originate from mobile

19% of companies already indicate that 25%-49% of their fraud incidents are due to mobile.

We expect these rates to at least double over the next 2-3 years unless significant remedial actions are implemented quickly!


Is Better Authentication the Key?

A significant shift in required mobile login credentials is taking place over the next 2-3 years

Primary focus shifts from user name and password to more advanced mechanisms

• Biometrics, phone-based authentication, and soft tokens for two-factor authentication.

Upgrading login techniques will improve the security of transactions

More positively determine who the user is and what device is being used

Significantly reduce threat levels and the consequent fraud on mobile transactions.

Organizations must implement these in the next 1-2 years


Improving Analytics is Needed

Use of advanced analytical tools will increase by approximately 50% in the next few years

Companies are searching for compelling ways to fight the increasing level of fraud.

• Advanced analytics tools to track behavior and mitigate fraud

This is a direct result of the maturity of the tools

• Ability to use them with fewer required resources, including cloud-based service offerings, and the reduced cost of employing the technology.

This trend will gain momentum over the next 2-3 years.

Companies are seeing benefits and realizing payback

Organizations MUST increase investments here


Mobile Losses by Company Size

Lost revenues as a percentage of total revenue in the past 12 months due to mobile fraud

By company size (average percentage ranges)

• Very Small (under $100M), Small ($100M-$500M), Medium ($500M-$1B), Large ($1B+).

Total losses across all size organizations are large and will only grow!

Company size    % of revenue lost    $ lost per year
Very Small      1%-9%                $150K-$450K
Small           10%-24%              $150K-$6M
Medium          10%-24%              $1.3M-$24M
Large           10%-24%              $15M-$240M


By The Numbers

Average Total Revenue                              $2.54B
Average % of Total Revenue Due to Mobile           4.53%
Average % of Total Revenue Lost Due to Mobile      3.04%
Average $ Loss per Year Due to Mobile              $92.3M
Average 5-Year Mobile Growth Rate                  47%

A compound view of revenues, losses, and growth rates

Total losses represent a large potential revenue recovery if fraud is eliminated.

Given these losses, companies are not spending enough on security.

Companies must increase their level of expenditure on remediation of losses.

Investing as little as 10%-20% of the yearly losses in enhanced security would provide a significant boost to an organization's ability to limit or eliminate the losses resulting from fraud.


Are You Investing Enough?

All organizations with a mobile presence are experiencing loss due to inadequate security!

It is imperative organizations invest in technology solutions that limit and/or eliminate Mobile induced fraud in an increasingly competitive marketplace.

Mobile security has a huge potential payback

Likely returning 10-20 times or more of the investment.

Security is a long-term challenge and needs continuous intervention.

It must be on the high-priority list for the next 1-2 years, as the challenge will only grow in the future with increased reliance on mobile commerce.

Waiting is not in the best interest of the organization and will make remediation even more difficult.

Not making the required investment now in enhanced mobile security will mean sharply reduced revenue, much higher costs of operations, and a dissatisfied customer base driven to competitors' more secure sites.


Conclusions

Mobile interactions are increasing

But a major disconnect exists in the protection of those interactions.

Many companies believe they are protected

But the current level of investment in security is not up to the task.

It is imperative organizations reassess mobile strategies in light of growth in fraud and losses.

Mobile security has a huge potential payback, likely returning 10-20 times or more of the investment.

Must be on every organization's high-priority list for the coming 1-2 years

Companies not making the required investment in enhanced mobile security will have sharply reduced revenue, much higher costs of operations, and a dissatisfied customer base.


Questions?

How to contact me:

Jack E. Gold

President and Principal Analyst

[email protected]

Twitter: @jckgld

J.Gold Associates, LLC

6 Valentine Rd

Northborough, MA 01532

508-393-5294

www.jgoldassociates.com


THE MOBILE IDENTITY COMPANY @TELESIGN | CONFIDENTIAL


Company Overview


About Us

• Founded 2005

• Based in Marina del Rey

• Backed by Summit Partners, Adams Street, March Capital, Telstra Ventures

• LA, SCV, Seattle, London, Belgrade, Singapore, Sydney, Sao Paulo, Mumbai

What We Do

• Security as a service

• Mobile Identity

• Two-Factor Authentication

• Intelligent Data for Authentication

Who We Serve

• US: 9 of the top 10 largest web properties

• Global: 19 of the 25 largest web properties

• Global footprint: 200+ countries & territories

• Localized for 87 languages

Rapid Growth: Last 4 Years

• 12 to 240 employees

• Increased revenue >750%

• Complete global operation

• Proven team with deep security experience


The Bad Guys are Harvesting Info on Hundreds of Millions of Users Every Year

• Various methods used to obtain user credentials, card numbers, etc.:

  – Phishing

  – Smishing

  – Malware

  – Fake apps

  – Rogue wireless networks

  – Data breaches

  – Etc.


Massive Rise in Data Breaches Year over Year

Almost 15 breaches per week in 2014 - 25% increase from 2013

Data Breaches – 2011-2014 (chart)

Year                Breaches
2011                419
2012                470
2013                614
2014 (projected)    768

Chart callouts: 145M, 56M and 4.6M (users affected in breaches shown as company logos, not reproduced here); "Massive Reach"; "Cultural Awareness"


Carder Forum: BlackStuff.Net



Mobile Fraud Examples


• Fraudsters use stolen credentials on mobile devices to:

– Purchase goods with the victim’s debit/credit cards

– Gather more info about the victim to be used/sold for fraud purposes

    » Name, address, phone, email, order history, address book, etc.

  – Send money via BillPay service, etc.

  – Access sensitive information (e.g., bank account records)

– Lock real user out of account

• Fraudsters create thousands of accounts they control to:

– Test and use stolen credit/debit card numbers

– Spam/phish other users


Why the Disconnect in Perception?

• Identifying and stopping fraud on mobile is very different from web

  – IP address pool is small on many carriers

  – Device fingerprinting is less effective

  – Cookie tracking is limited

• Solutions that work for web fraud are far less effective for mobile fraud

• Visible in the $240M/year loss
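The small carrier IP pool mentioned above is the reason an IP-keyed velocity rule misbehaves on mobile traffic: many unrelated users arrive from one carrier NAT address, while an attacker rotating addresses never trips it. The following is an added example written for this page, not code from TeleSign or RSA. It runs one sliding-window signup-velocity rule over a constructed set of signup events, once keyed on the client IP and once on the phone number verified at registration; the addresses, phone numbers and account names are all made up.

```python
"""
Signup-velocity rule keyed on client IP versus on the verified phone number.

Added example for this page, not TeleSign's or RSA's code. The events are
constructed: twelve legitimate users share one carrier NAT address (a
placeholder IP, not a real carrier range) and register one account each,
while one fraudster with a single phone number opens six accounts from six
different addresses. The IP-keyed rule blocks all twelve legitimate users
and misses the fraudster; the phone-keyed rule does the opposite.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignupEvent:
    ts: int        # seconds since an arbitrary epoch (constructed)
    ip: str        # client address as seen by the web tier
    phone: str     # phone number verified at registration
    account: str   # account created by this signup


CARRIER_NAT_IP = "10.20.30.40"   # placeholder for a shared carrier NAT address
FRAUD_PHONE = "+15550009999"     # constructed number reused by the fraudster

SAMPLE_EVENTS = [
    SignupEvent(ts=60 * i, ip=CARRIER_NAT_IP, phone=f"+1555000{i:04d}", account=f"legit{i:02d}")
    for i in range(12)
] + [
    SignupEvent(ts=100 + 30 * i, ip=f"198.51.100.{i}", phone=FRAUD_PHONE, account=f"fraud{i}")
    for i in range(6)
]


def velocity_flags(events, key, window_seconds, threshold):
    """Keys (IPs or phone numbers) with more than `threshold` signups inside
    any sliding window of `window_seconds`. Timestamps are bucketed per key
    and scanned with two pointers, so each key costs O(n) after sorting."""
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_key[key(ev)].append(ev.ts)
    flagged = set()
    for k, times in by_key.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(k)
                break
    return flagged


def ip_rule(events, window_seconds=3600, threshold=5):
    """Classic web-fraud control: too many signups from one address."""
    return velocity_flags(events, lambda e: e.ip, window_seconds, threshold)


def phone_rule(events, window_seconds=3600, threshold=2):
    """Mobile-identity control: too many accounts on one verified number
    (the slides recommend allowing between 1 and 5 per number)."""
    return velocity_flags(events, lambda e: e.phone, window_seconds, threshold)


def accounts_blocked(events, flagged, key):
    """Accounts whose signup a rule would have blocked, given its flagged keys."""
    return {ev.account for ev in events if key(ev) in flagged}


if __name__ == "__main__":
    ip_hits = ip_rule(SAMPLE_EVENTS)
    phone_hits = phone_rule(SAMPLE_EVENTS)
    print("IP rule flagged:   ", sorted(ip_hits),
          "-> blocks", sorted(accounts_blocked(SAMPLE_EVENTS, ip_hits, lambda e: e.ip)))
    print("Phone rule flagged:", sorted(phone_hits),
          "-> blocks", sorted(accounts_blocked(SAMPLE_EVENTS, phone_hits, lambda e: e.phone)))
```

On this input the IP rule flags only the carrier NAT address, which blocks every legitimate user and none of the fraudster's accounts; the phone rule flags only the reused number. The same sliding-window code serves both, so the difference is entirely in the key, which is the point the slide makes: on mobile, the identity signal has to come from something other than the network address.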


How TeleSign Can Help

• Fraud prevention for internet and mobile-based companies

  – Mobile phone as main form of identity

    » Global & ubiquitous

    » Real-time communication channel for authentication, alerting, etc.

    » Difficult/expensive to acquire in volume

  – Verify phone numbers by sending SMS or call with one-time passcode

    For two-factor authentication:

    » Protects against usage of stolen credentials

    » Much more secure than a static username/password

    To stop fake account creation:

    » Verify that the user has access to the phone number they've entered

    » Limit the number of accounts that can be created per phone number

  – Provide fraud info around each phone number

    » Phone type

    » Risk level


The Basics of Phone Verification

• On account registration:

  – Ask for the user's phone number

  – Verify the phone number via temporary passcode

  – Link account to phone number

  – Limit the number of accounts that can be created with that phone number (recommendation: between 1 and 5)

• Ongoing interaction:

  – 2FA on login

  – Password reset

  – Alert on high-risk behavior

  – Blacklist phone number if fraud is discovered
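The registration steps above, together with the one-time passcode verification and the per-phone account limit described on the "How TeleSign Can Help" slide, fit in one small service. The following is an added example written for this page, not TeleSign's API or SDK: PhoneVerifier, its methods and the E.164 regex are invented names and assumptions, SMS/voice delivery is replaced by an injected send callback, and the clock is injectable so the example runs offline.

```python
"""
Phone verification with one-time passcodes and per-phone account limits.

Added example for this page, not TeleSign's API or SDK: PhoneVerifier and
its methods are invented names. Delivery of the code (SMS or voice call in
production) is an injected `send` callback, and the clock is injectable so
expiry can be exercised offline.
"""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

# Minimal E.164 shape check (assumption; real deployments use a phone-number library).
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


@dataclass
class PendingCode:
    digest: bytes        # HMAC of the issued code, never the code itself
    expires_at: float
    attempts_left: int


@dataclass
class PhoneVerifier:
    send: Callable[[str, str], None]                 # send(phone, message)
    server_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    ttl_seconds: int = 300                           # code lifetime
    max_attempts: int = 3                            # wrong guesses before the code is voided
    max_accounts_per_phone: int = 5                  # slide recommends between 1 and 5
    clock: Callable[[], float] = time.time
    _pending: dict = field(default_factory=dict)     # phone -> PendingCode
    _verified: set = field(default_factory=set)      # phones verified, not yet linked
    _accounts: dict = field(default_factory=dict)    # phone -> set of account ids
    _blacklist: set = field(default_factory=set)

    def _digest(self, phone: str, code: str) -> bytes:
        # Keyed hash so a leaked store does not reveal live codes; binding the
        # phone number stops a code issued for one number being replayed on another.
        return hmac.new(self.server_key, f"{phone}:{code}".encode(), hashlib.sha256).digest()

    def start(self, phone: str) -> None:
        """Issue a fresh one-time passcode and hand it to the delivery channel."""
        if not E164.match(phone):
            raise ValueError("phone number must be in E.164 form")
        if phone in self._blacklist:
            raise PermissionError("phone number is blacklisted")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = PendingCode(
            self._digest(phone, code), self.clock() + self.ttl_seconds, self.max_attempts)
        self.send(phone, f"Your verification code is {code}")

    def verify(self, phone: str, code: str) -> bool:
        """Check a submitted code: expiry, attempt cap, constant-time compare, single use."""
        pending = self._pending.get(phone)
        if pending is None or self.clock() > pending.expires_at:
            self._pending.pop(phone, None)
            return False
        pending.attempts_left -= 1
        ok = hmac.compare_digest(pending.digest, self._digest(phone, code))
        if ok or pending.attempts_left <= 0:
            del self._pending[phone]
        if ok:
            self._verified.add(phone)
        return ok

    def register(self, account_id: str, phone: str) -> bool:
        """Link a new account to a verified phone, enforcing the per-phone cap."""
        if phone in self._blacklist:
            raise PermissionError("phone number is blacklisted")
        if phone not in self._verified:
            raise PermissionError("phone number has not been verified")
        linked = self._accounts.setdefault(phone, set())
        if len(linked) >= self.max_accounts_per_phone:
            raise PermissionError("too many accounts for this phone number")
        linked.add(account_id)
        self._verified.discard(phone)   # each registration needs its own verification
        return True

    def blacklist(self, phone: str) -> None:
        """On confirmed fraud: void pending codes and block future verification/signups."""
        self._blacklist.add(phone)
        self._pending.pop(phone, None)
        self._verified.discard(phone)


if __name__ == "__main__":
    outbox = []
    v = PhoneVerifier(send=lambda phone, msg: outbox.append(msg))
    v.start("+15550001234")
    code = outbox[-1].split()[-1]            # in production the user types this in
    print("verified:", v.verify("+15550001234", code))
    print("registered:", v.register("acct-1", "+15550001234"))
```

The store holds a keyed hash of the code rather than the code, the code is bound to the number it was issued for, it is single use, it expires, and it is voided after a few wrong guesses, which is what keeps a six-digit passcode from being brute-forced. The per-phone cap is enforced at registration, and a number blacklisted after a fraud finding can neither verify nor register again. The phone-type and risk-level lookup the slide mentions would sit in front of start(), deciding whether to issue a code at all.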

© Copyright 2015 EMC Corporation. All rights reserved.

iOS

• ~15-20% market

• "Walled garden"

• iOS 7 since Oct 13

• ~90% adoption

Android

• ~65-70% market

• Open source

• Kit Kat (4.4) since Oct 13

• ~34% adoption

Mobile Use on the Rise

• 32% of all transactions originated from a mobile device*

• 40% of all fraudulent transactions originated from a mobile device*

• In 2013, there were 1M+ new mobile malware strains vs. 35K in 2012**

  – 99% of malware targeting Android OS**

*RSA FRI CTO  **Trend Micro


Mobile the new Web?

• Mobile OS malware and phishing scams on the rise

• Malicious apps are posing as legitimate apps

  – For malware distribution

  – For phishing scams

• Criminal underground selling mobile variants of web-based malware

  – CitMo, ZitMo, Perkele

Phishing, SMiShing


RSA Solutions for Mobile Channel

Protecting at every step of the online consumer lifecycle

Lifecycle stages: IN THE WILD | BEGIN ONLINE SESSION | LOGIN / TRANSACTIONS | END ONLINE SESSION

Solutions: FraudAction, Web Threat Detection, Adaptive Authentication