From mobile threats and malware, to the organizations on the target lists of e-commerce fraud - a myriad of threats exist across the cyber landscape, and the commoditization of cybercrime is making it easier and cheaper to launch attacks on a global scale. If you believe that the best predictor of future events is what has happened in the past, I'd like to share insights based on real-world fraud data from the past year and offer ideas on what we can expect from the global cybercrime landscape in 2017.
Mobile Eats the World
Yes, mobile is literally eating the world. It has become the dominant channel for instant communication and the expressway for banking and commerce worldwide. As organizations use mobile to transform the way they interact with customers, cybercriminals have also taken note... as evidenced by the rise in fraud attempts originating in the mobile channel. In the past year, RSA found that 60% of transactions confirmed as fraud originated from a mobile device. Mobile traffic is also growing at unprecedented rates, with RSA witnessing a nearly 1:1 ratio between mobile and Web transactions.
Predictions for 2017:
- Mobile transactions will outpace Web transactions for the first time. Fraud will continue to grow rapidly within the mobile channel, particularly from mobile applications, as banks, retailers, and other service providers offer more services to their customers via mobile apps.
- Biometric authentication will start to take off for mobile users. Many such initiatives are happening now, and cybersecurity is not the main driver. User experience is key to driving adoption of the mobile channel. Biometrics are considered the best option, as opposed to the traditional username/password combination, which is not ideal as a user access method for mobile customers. Fingerprint, voice, and eyeprint, combined with risk-based transaction monitoring, will be the predominant technology combinations for authentication and fraud management in the mobile channel.
Fraudsters Will Go Shopping On You
As the opportunity for in-person fraud diminishes with the rollout of EMV, card-not-present (CNP) fraud will dramatically increase, reaching over $7 billion in the U.S. by 2020. As fraudsters move from in-store card-present fraud to purchasing goods with stolen cards from the comfort of their couch, retailers are likely to feel the effect. Today, online money transfer and bill pay services account for approximately 1 in 5 e-commerce fraud transactions, followed by the hospitality and airline, electronics, jewelry and fashion, entertainment (i.e., event ticketing sites), and gaming industries.
Predictions for 2017:
- The launch of 3D Secure 2.0, led by EMVCo, is going to change the game for the e-commerce ecosystem. There has been a flurry of renewed interest in the wake of the recent announcement. The new protocol offers many enhancements to the 1.x password-based, "challenge all" approach. Merchants and issuers are at least 12-18 months out from any major technology deployments, as they are just beginning to formulate their strategies to adopt the 2.0 framework. As a result, there is still a massive window of opportunity for fraudsters to capitalize on card-not-present e-commerce fraud in 2017.
Don't Let the Phish Bite
Among the headlines spouting ransomware hostages and DDoS botnets knocking entire countries offline, phishing is still a very real threat. From the CEO to the consumer, phishing is alive and well - and growing like never before. RSA identified more phishing attacks in the second quarter of 2016 than in all of 2015 combined; this equates to a new phishing attack launched every 30 seconds. The cost to organizations is hardly anything to scoff at either. When factoring in the average uptime of a phishing attack and the average cost for every hour an attack is live, phishing is estimated to cost global organizations $9 billion in losses in 2016.
Predictions for 2017:
- Phishers will continue to innovate in the coming year by improving on existing methods of hosting their attacks in order to increase the length of time an attack stays live. It is also a strong possibility that clever phishing attacks will emerge targeting cardholder information, as breaches and skimming of POS terminals and ATMs will be far less effective once more terminals are upgraded to support EMV cards.
This is just a glimpse into the 2017 fraud and cybercrime forecast. Stay tuned for more on DDoS attacks, botnets, credential stuffing, and account takeover when we deliver the full 2017 forecast in our Current State of Cybercrime series. And now for local sports...