telesign & rsa webinar - mobile e-commerce: friend or foe?
TRANSCRIPT
J.Gold Associates
www.jgoldassociates.com
Mobile E-Commerce: Friend or Foe?
Jack Gold, Principal Analyst
J.Gold Associates, LLC.
February 12, 2015
Follow me: @jckgld
© 2015 J.Gold Associates, LLC
Coping with Fraudulent Transactions
Many consumers now interact with the Internet primarily through mobile
Traditional PC devices and browsers don’t fit into their always connected, on-the-move lifestyles.
For organizations with an on-line presence, this shift has a profound impact
• Including an impact on website security, loss prevention and fraud.
Assessing the impact of this shift on an organization’s cyber security is the focus of this study.
TREND: In the next 2-3 years, we expect e-commerce interactions attributable to mobile devices and mobile apps to surpass those from standard browsers. As a result, companies not properly securing their mobile transactions face a significant risk of fraud incidents overwhelming their businesses.
Some Study Statistics
Survey consisted of 250 NA organizations
44% Large ($1B+), 25% Medium ($500M-$1B), 24% Small ($100M-$500M), 7% Very Small (<$100M)
Average Total Revenues of $2.54B
Weighted average across all organizations
Internet and Mobile Revenues
One third generated revenues from the Internet in the 26%-50% range.
25% indicated that 11%-25% of that revenue came from a mobile app.
The Friend
Mobile revenue is important and growing.
More than 50% of organizations believe mobile revenues will grow 11%-50% over the next 3 years,
30% believe they will grow 51%-100%.
Growth in mobile app revenues reflects market reality of more mobile users
To remain competitive, companies must offer mobile apps on smartphones and tablets
But there is a significant security risk in potential fraud.
Can this be eliminated or at least controlled?
Do organizations even understand the risks?
The Foe
The dark side.
Only 8% of companies indicated no losses due to fraudulent activity in the past 12 months.
34% indicated they had lost as much as 5% of revenues, 14% indicated as much as 10%, and 15% indicated as much as 25%.
This is a staggering level of fraud-induced losses.
It indicates that a very serious problem exists that is not being adequately addressed by current systems and processes.
Many organizations living in denial!
About 2/3 of respondents believe that they can quickly detect and remediate Internet and Mobile fraud on their sites. Yet a large number of fraud incidents causing significant revenue losses are nevertheless occurring.
Protecting Against Fraud
About 2/3 believe that they can quickly detect and remediate Internet and Mobile fraud on their sites.
Yet a large number of fraud incidents causing significant revenue losses are occurring.
Many companies believe they are adequately protected, but the level of security is lacking.
We expect growth of mobile interactions to significantly increase percentage of mobile incidents
19% of companies already indicating that 25%-49% of their fraud incidents are due to mobile.
We expect these rates to at least double over the next 2-3 years unless significant remedial actions are implemented quickly!
Is Better Authentication the Key?
Significant shift in required Mobile login credentials taking place over next 2-3 yrs
Primary focus shifts from user name and password to more advanced mechanisms
• Biometric, phone based authentication, soft tokens for two-factor authentication.
Upgrading of login techniques will improve the security of transactions
More positively determine who and what device being used
Significantly reduce threat levels and consequent fraud on mobile transactions.
Organizations must implement in next 1-2 yrs
Improving Analytics is Needed
Use of advanced analytical tools will increase by approximately 50% in the next few years
Companies searching for compelling ways to fight increasing level of fraud.
• Advanced analytics tools to track behavior and mitigate fraud
This is a direct result of the maturity of tools
• Ability to use with less required resources, including cloud based service offerings, and reduced cost of employing the technology.
This trend will gain momentum over next 2-3 yrs.
Companies seeing benefits and realizing payback
Organizations MUST increase investments here
Mobile Losses by Company Size
Lost revenues as percentage of total revenue in past 12 months due to Mobile Fraud
By Company size (Average Percentage Ranges)
• Very Small (<$100M), Small ($100M-$500M), Medium ($500M-$1B), Large ($1B+).
Total losses across all size organizations are large and will only grow!
Company size: Very Small | Small | Medium | Large
% of revenue lost: 1%-9% | 10%-24% | 10%-24% | 10%-24%
$ lost: $150K-$450K | $150K-$6M | $1.3M-$24M | $15M-$240M
Copyright 2014 J.Gold Associates, LLC.
By The Numbers
Average Total Revenue: $2.54B
Average % of Total Revenue Due to Mobile: 4.53%
Average % of Total Revenue Lost Due to Mobile: 3.04%
Average $ Loss per Year Due to Mobile: $92.3M
Average 5 Year Mobile Growth Rate: 47%
A compound view of revenues, losses, and growth rates
Total losses present large potential revenue if fraud eliminated.
Given these losses, companies are not spending enough on security.
Companies must increase level of expenditure on remediation of losses.
Investing as little as 10%-20% of the yearly losses in enhanced security would provide significant boost to organization’s ability to limit or eliminate the losses resulting from fraud.
Are You Investing Enough?
All organizations with a mobile presence are experiencing loss due to inadequate security!
It is imperative organizations invest in technology solutions that limit and/or eliminate Mobile induced fraud in an increasingly competitive marketplace.
Mobile security has a huge potential payback
Likely returning 10-20 times or more of the investment.
Security is long term challenge, needs continuous intervention.
It must be on high priority list for the next 1-2 years as challenge will only grow in the future with increased reliance on mobile commerce.
Waiting is not in the best interest of the organization and will make remediation even more difficult.
Not making required investment now in enhanced mobile security will mean sharply reduced revenue, much higher costs of operations, and a dissatisfied customer base driven to competitor’s more secure sites.
Conclusions
Mobile interactions are increasing
But major disconnect exists with protection of interactions.
Many companies believe they are protected
But current level of investment in security not up to the task.
It is imperative organizations reassess mobile strategies in light of growth in fraud and losses.
Mobile security has a huge potential payback, likely returning 10-20 times or more of the investment.
Must be on every organization’s high priority list for coming 1-2 years
Companies not making required investment in enhanced mobile security will have sharply reduced revenue, much higher costs of operations, and a dissatisfied customer base.
Questions?
How to contact me:
Jack E. Gold
President and Principal Analyst
Twitter: @jckgld
J.Gold Associates, LLC
6 Valentine Rd
Northborough, MA 01532
508-393-5294
www.jgoldassociates.com
THE MOBILE IDENTITY COMPANY @TELESIGN | CONFIDENTIAL
Company Overview
About Us
• Founded 2005
• Based in Marina del Rey
• Backed by Summit Partners, Adams Street, March Capital, Telstra Ventures
• LA, SCV, Seattle, London, Belgrade, Singapore, Sydney, Sao Paulo, Mumbai
What We Do
• Security as a service
• Mobile Identity
• Two-Factor Authentication
• Intelligent Data for Authentication
Who We Serve
• US: 9 of the top 10 largest web properties
• Global: 19 of the 25 largest web properties
• Global footprint: 200+ countries & territories
• Localized for 87 languages
Rapid Growth: Last 4 Years
• 12 to 240 employees
• Increased revenue >750%
• Complete global operation
• Proven team with deep security experience
Leader 2014
The Bad Guys are Harvesting Info on Hundreds of Millions of Users Every Year
• Various methods used to obtain user credentials, card numbers, etc:
– Phishing
– Smishing
– Malware
– Fake apps
– Rogue wireless networks
– Data breaches
– Etc.
Massive Rise in Data Breaches Year over Year
Almost 15 breaches per week in 2014 - 25% increase from 2013
Data Breaches – 2011-2014 (chart):
2011: 419
2012: 470
2013: 614
2014 (projected): 768
Chart callouts: 145M, 4.6M, 56M; "Massive Reach", "Cultural Awareness"
Carder Forum: BlackStuff.Net
Mobile Fraud Examples
• Fraudsters use stolen credentials on mobile devices to:
– Purchase goods with the victim’s debit/credit cards
– Gather more info about the victim to be used/sold for fraud purposes (name, address, phone, email, order history, address book, etc.)
– Send money via BillPay service, etc.
– Access sensitive information (e.g. bank account records)
– Lock real user out of account
• Fraudsters create thousands of accounts they control to:
– Test and use stolen credit/debit card numbers
– Spam/phish other users
Why the Disconnect in Perception?
• Identifying and stopping fraud on mobile is very different from web
– IP address pool is small on many carriers
– Device fingerprinting is less effective
– Cookie tracking is limited
• Solutions that work for web fraud are far less effective for mobile fraud
• Visible in the $240M/year loss
How TeleSign Can Help
• Fraud prevention for internet and mobile-based companies
– Mobile phone as main form of identity
» Global & ubiquitous
» Real-time communication channel for authentication, alerting, etc.
» Difficult/expensive to acquire in volume
– Verify phone numbers by sending SMS or call with one-time passcode
» For two-factor authentication: protects against usage of stolen credentials; much more secure than a static username/password
» To stop fake account creation: verify that the user has access to the phone number they’ve entered; limit the number of accounts that can be created per phone number
– Provide fraud info around each phone number
» Phone type
» Risk level
The Basics of Phone Verification
• On account registration:
– Ask for the user’s phone number
– Verify the phone number via temporary passcode
– Link account to phone number
– Limit the number of accounts that can be created with that phone number (recommendation: between 1 and 5)
• Ongoing interaction:
– 2FA on login
– Password reset
– Alert on high-risk behavior
– Blacklist phone number if fraud is discovered
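The registration and login flow described on this slide and the previous one (one-time passcode to the phone, account linked to the number, a cap on accounts per number, 2FA on later logins, blacklisting on discovered fraud), as an added example that is not TeleSign's code or API. The SMS/voice gateway is abstracted as a callback, all stores are in-memory dictionaries, and the TTL, attempt limit and per-number cap are assumed values chosen for illustration (the cap of 3 sits inside the deck's recommended 1-5 range).

```python
"""Phone-number verification flow: registration, 2FA on login, blacklisting.

Added illustration; TeleSign's real service is not used. The SMS/voice gateway
is a callback, the stores are in-memory dicts, and the clock is injectable so
passcode expiry can be exercised deterministically.
"""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300          # assumed: a temporary passcode lives five minutes
MAX_OTP_ATTEMPTS = 3           # assumed: wrong guesses tolerated per issued code
MAX_ACCOUNTS_PER_NUMBER = 3    # deck recommends a cap between 1 and 5


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int = MAX_OTP_ATTEMPTS


class PhoneVerifier:
    def __init__(self, send_message, clock=time.time):
        self.send_message = send_message           # (phone, text) -> None; SMS or voice gateway
        self.clock = clock
        self.pending: dict[str, PendingCode] = {}  # phone -> code awaiting confirmation
        self.accounts_by_phone: dict[str, set] = {}
        self.phone_of_account: dict[str, str] = {}
        self.blacklist: set = set()

    # --- issuing and checking temporary passcodes -------------------------
    def send_code(self, phone: str) -> None:
        if phone in self.blacklist:
            raise PermissionError("phone number is blacklisted")
        # Six digits from a CSPRNG; a new request replaces any older code.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[phone] = PendingCode(code, self.clock() + OTP_TTL_SECONDS)
        self.send_message(phone, f"Your verification code is {code}")

    def confirm(self, phone: str, submitted: str) -> bool:
        entry = self.pending.get(phone)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[phone]                # expired: a fresh code must be requested
            return False
        entry.attempts_left -= 1
        ok = hmac.compare_digest(entry.code, submitted)   # constant-time comparison
        if ok or entry.attempts_left == 0:
            del self.pending[phone]                # single use, or burned by guessing
        return ok

    # --- account registration --------------------------------------------
    def start_registration(self, phone: str) -> None:
        # Enforce the per-number cap before spending a message on the number.
        if len(self.accounts_by_phone.get(phone, ())) >= MAX_ACCOUNTS_PER_NUMBER:
            raise PermissionError("account limit reached for this phone number")
        self.send_code(phone)

    def complete_registration(self, account_id: str, phone: str, submitted: str) -> bool:
        if len(self.accounts_by_phone.get(phone, ())) >= MAX_ACCOUNTS_PER_NUMBER:
            return False                           # re-check: cap may be hit between steps
        if not self.confirm(phone, submitted):
            return False
        self.accounts_by_phone.setdefault(phone, set()).add(account_id)
        self.phone_of_account[account_id] = phone  # link account to verified number
        return True

    # --- ongoing interaction: 2FA on login / password reset ---------------
    def start_login(self, account_id: str) -> None:
        self.send_code(self.phone_of_account[account_id])

    def complete_login(self, account_id: str, submitted: str) -> bool:
        return self.confirm(self.phone_of_account[account_id], submitted)

    # --- response to discovered fraud -------------------------------------
    def report_fraud(self, phone: str) -> set:
        """Blacklist the number and return every account linked to it for review."""
        self.blacklist.add(phone)
        self.pending.pop(phone, None)
        return set(self.accounts_by_phone.get(phone, ()))


if __name__ == "__main__":
    outbox = []   # constructed stand-in for the SMS gateway
    v = PhoneVerifier(lambda phone, text: outbox.append((phone, text)))
    v.start_registration("+15555550100")
    code = outbox[-1][1].split()[-1]               # what the user reads from the SMS
    print("registered:", v.complete_registration("alice", "+15555550100", code))
    v.start_login("alice")
    print("accounts flagged:", v.report_fraud("+15555550100"))
```

The same `confirm` path serves both registration and the later 2FA/password-reset challenges, which is why the code is single-use, time-limited and guess-limited in one place; the per-number cap is checked before a message is sent so that bulk account creation also fails to consume SMS budget.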
© Copyright 2015 EMC Corporation. All rights reserved.
iOS:
• ~15-20% market
• “Walled garden”
• iOS 7 since Oct 13
• ~90% adoption
Android:
• ~65-70% market
• Open source
• Kit Kat (4.4) since Oct 13
• ~34% adoption
Mobile Use on the Rise
• 32% of all transactions originated from a mobile device*
• 40% of all fraudulent transactions originated from a mobile device*
• In 2013, there were 1M+ new mobile malware strains vs. 35K in 2012**
– 99% of malware targeting Android OS**
*RSA FRI CTO ** Trend Micro
RSA CONFIDENTIAL—INTERNAL USE ONLY
Mobile the new Web?
• Mobile OS malware and phishing scams on the rise
• Malicious apps are posing as legitimate apps
– For malware distribution
– For phishing scams
• Criminal underground selling mobile variants of web based malware
– CitMo, ZitMo, Perkele