How to prevent & eradicate mobile device fraud
In a recent Inside Track Episode, Dion Price spoke with Jon France, Head of Industry Security at the GSMA. Jon has over 20 years’ experience in Enterprise IT and Security within the Media and Telecoms fields and has been part of the GSMA since 2008 in a variety of roles before moving into his current position in 2018.
As both the GSMA and Trustonic take an industry-wide, global view, the conversation covered security issues the industry faces today as well as those it will need to address in the longer term as new technologies emerge.
Combatting fraud in mobile supply chains
The theft of £5M worth of Apple products from a lorry on the M1 motorway in the United Kingdom in November 2020 caught the attention of the wider public and highlighted how porous, and how easily disrupted, mobile supply chains are. Supply chain theft of this kind is estimated to cost the mobile industry $17 billion a year.
As the average cost of a handset has continued to rise with greater functionality and sophistication, in some cases tripling in value over the previous 10 years, smartphones have become an increasingly attractive target for criminals and fraudsters looking to profit from one of the most ubiquitous consumer products on the planet.
This is especially true given how widespread handsets are; as Jon put it, “There are more (handset) connections than there are people on the planet”. That growth looks set to continue for the foreseeable future.
The resulting fraud is particularly damaging for the industry: it is estimated that over 4 million devices are trafficked each year, with bulk prepaid trafficking alone worth around $900 million, or approximately $225 per device.
Globally, most device theft and fraud is driven by the value of the device and its resale price on the black market. Unless wider action is taken to combat theft at each stage of the supply chain, this will remain a key long-term challenge for the industry.
It is not only the value of the hardware that makes handsets a prime target. Fraudsters can also take over accounts by exploiting weaknesses in SMS-based two-factor authentication, and the data stored on the device itself can be just as valuable.
Smartphone users tend to keep highly sensitive personal information on their devices, and the mobile applications installed on them, including email and financial services apps, give fraudsters many routes to that information.
This is where Trustonic’s cloud-based Telecoms Platform gives mobile operators a way to protect devices throughout their lifecycle. At each stage, from manufacturing through shipment to the point of sale, operators can track and identify a device and, once it has been reported stolen, lock it completely, rendering it unusable and removing its resale value.
The platform can be used even in countries where IMEI blacklisting is not available, adding a layer of protection that both discourages and disincentivises device theft and so helps address the multi-billion dollar problem of supply chain theft that continues to plague the industry.
Removing the resale value removes the incentive for criminals, reduces the impact of porous supply chains and lets the industry focus on other matters, including IoT security. That is becoming increasingly important as the number of connected devices grows; as Jon highlighted from the GSMA’s estimates, “We are predicting something in the region of 25 billion devices connected by 2025”.
Protecting mobile applications is a necessity
Another of the main avenues of handset fraud is SIM swapping, a form of account takeover that targets a weakness in two-factor authentication: when the second step of a login is an SMS sent to, or a call placed to, a mobile number, whoever controls that number receives it.
The fraudster uses the victim’s personal details to convince the network operator that they are the victim and that their phone has been lost. The operator then activates the number on a replacement SIM that is in the fraudster’s possession, and from that point every one-time password sent to the number is delivered to the fraudster rather than the victim.
Ultimately, this gives the fraudster access to sensitive accounts, such as financial services, through the mobile applications tied to that number. The ubiquity of SMS meant it was adopted early as a convenient second factor, but it was never designed as an authentication channel and has inherent weaknesses when used as one.
SMS is certainly better than having no second factor at all, and SS7 firewalling of the signalling network does counter interception at the network level. It does nothing, however, against a SIM swap, which goes through the operator’s legitimate provisioning process, so real risks remain for enterprises and end users alike.
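The check below is added here as an example and is not code from the article, Trustonic or the GSMA. It shows the kind of control a relying party or operator can apply before trusting an SMS one-time password: look up when the SIM currently bound to the number was activated, and refuse to rely on SMS if that activation is recent, which is exactly the state a successful SIM swap leaves behind. The subscriber records, the 72-hour window and the function names are constructed assumptions; a real deployment would query the operator’s provisioning records or a SIM-swap lookup service.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Added example (assumed data model, not Trustonic's or any operator's API):
# what the operator knows about the SIM currently serving a number.
@dataclass(frozen=True)
class SimBinding:
    msisdn: str             # subscriber number, E.164 form
    iccid: str              # identifier of the SIM currently bound to the number
    activated_at: datetime  # when that SIM was activated for the number

# Constructed sample records: one number whose SIM was replaced an hour ago
# (the situation after a SIM swap) and one that has been stable for over a year.
NOW = datetime(2021, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_BINDINGS = {
    "+447700900123": SimBinding("+447700900123", "8944110000000000001",
                                NOW - timedelta(hours=1)),
    "+447700900456": SimBinding("+447700900456", "8944110000000000002",
                                NOW - timedelta(days=400)),
}

# How long a SIM must have been in place before SMS is trusted again.
# 72 hours is an assumed policy value, not an industry standard.
STABLE_SIM_WINDOW = timedelta(hours=72)


def normalise_msisdn(raw: str) -> str:
    """Strip spaces, dashes and brackets so lookups use one canonical form."""
    return "".join(c for c in raw if c.isdigit() or c == "+")


def sim_age(msisdn: str, now: datetime = NOW, bindings=SAMPLE_BINDINGS):
    """How long the current SIM has served the number, or None if the number is unknown."""
    binding = bindings.get(normalise_msisdn(msisdn))
    if binding is None:
        return None
    return now - binding.activated_at


def second_factor_channel(msisdn: str, window: timedelta = STABLE_SIM_WINDOW,
                          now: datetime = NOW, bindings=SAMPLE_BINDINGS) -> str:
    """Choose how to deliver the second factor for a login.

    'sms'     - the SIM has been stable for at least `window`; SMS OTP is acceptable
    'step_up' - the SIM changed recently; do not send a code over SMS, use another
                factor (authenticator app, hardware token, in-app prompt) instead
    'deny'    - the number is unknown, so its SIM status cannot be verified
    """
    age = sim_age(msisdn, now, bindings)
    if age is None:
        return "deny"
    return "step_up" if age < window else "sms"


if __name__ == "__main__":
    for number in ("+44 7700 900123", "+447700900456", "+447700900789"):
        print(number, "->", second_factor_channel(number))
```

The step-up path must not fall back to a voice call to the same number, since the fraudster controls that too. The check also only covers a replacement SIM at the same operator; a port-out to another operator would need a separate lookup.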
There are industry initiatives aimed at a more secure basis for 2FA, including Rich Communication Services (RCS), the long-term evolution of SMS with considerably stronger security. RCS has not yet been rolled out universally, however, especially for A2P (application-to-person) messaging.
Work is also under way with particular verticals, including financial services and insurance companies, to improve the verification process, raise the level of security and reduce the risk of fraud and account takeover.
There are other pressures on the wider ecosystem to consider too, including a global supply chain that is under strain for geopolitical reasons. That has constrained the components available to certain vendors and manufacturers and reduced choice.
This has split the industry and created security challenges that are hard to reconcile, as Jon articulated: “If we look at things like Android and the Google mobile services that go with it not being available in some markets because of some of those politics, that’s actually kind of given us a split within the industry”.
How to protect mobile devices
If a device is stolen or obtained by fraud, there are ways to block the handset, removing the incentive for those looking to profit from it.
The device is reported stolen and its IMEI is added to the blacklist held in the operator’s Equipment Identity Register (EIR). When the device next tries to attach to a participating network, the operator rejects it, so it cannot be used and has no resale value. Two caveats apply: the block only works on networks that consult the list, and on some handsets the IMEI can be reprogrammed, so blacklisting should be one layer among several.
Unfortunately, IMEI blacklisting is not used universally around the world, and lists are not always shared between operators or across borders. Enhanced device protection therefore requires further measures at the various stages of the device supply chain.
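As an added illustration of the mechanism, and not code from the article, Trustonic or the GSMA, the block below performs the two checks an Equipment Identity Register makes at attach time: that the IMEI presented is well-formed (15 digits whose last digit is a Luhn check digit over the first 14, or a 16-digit IMEISV whose software-version digits are replaced by that check digit) and whether it appears on the operator’s blacklist or greylist. The list contents and the function names are constructed for the example; a real EIR loads them from the operator’s own theft reports and, where shared, from the GSMA IMEI database.

```python
# Added example of an EIR-style IMEI check; not Trustonic's or the GSMA's code.

def luhn_check_digit(first14: str) -> str:
    """Luhn check digit for the 14-digit TAC+serial part of an IMEI.
    Every second digit from the left is doubled (a two-digit product is reduced
    by 9), the digits are summed, and the check digit brings the total to a
    multiple of 10."""
    total = 0
    for i, ch in enumerate(first14):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def normalise_imei(raw: str):
    """Return the canonical 15-digit IMEI, or None if the value is malformed.

    Accepts separators such as spaces and dashes. A 16-digit IMEISV (TAC +
    serial + 2-digit software version, no check digit) is converted to the
    15-digit IMEI by recomputing the check digit over its first 14 digits.
    """
    digits = "".join(c for c in raw if c.isdigit())
    if len(digits) == 16:
        digits = digits[:14] + luhn_check_digit(digits[:14])
    if len(digits) != 15:
        return None
    if luhn_check_digit(digits[:14]) != digits[14]:
        return None
    return digits


# Constructed sample lists using commonly cited example IMEIs. The black list
# holds IMEIs reported stolen; the grey list holds IMEIs the operator allows
# but logs (for example, suspected clones under investigation).
SAMPLE_BLACKLIST = frozenset({"490154203237518"})
SAMPLE_GREYLIST = frozenset({"356938035643809"})


def eir_decision(raw_imei: str, blacklist=SAMPLE_BLACKLIST,
                 greylist=SAMPLE_GREYLIST) -> str:
    """Attach-time decision for a presented IMEI.

    'reject' - malformed identity (cannot be trusted) or reported stolen
    'track'  - grey-listed: allow the attach but record it for follow-up
    'allow'  - no entry found
    """
    imei = normalise_imei(raw_imei)
    if imei is None or imei in blacklist:
        return "reject"
    if imei in greylist:
        return "track"
    return "allow"


def tac(imei15: str) -> str:
    """Type Allocation Code: the first 8 digits, identifying the device model.
    Useful for checking that a presented IMEI matches the model reported stolen."""
    return imei15[:8]


if __name__ == "__main__":
    for presented in ("49-015420-323751-8", "3569380356438097",
                      "490154203237519", "356938035643809"):
        print(presented, "->", eir_decision(presented))
```

Rejecting a malformed IMEI outright matters because a handset presenting an invalid or altered identity cannot be matched against any list at all; the Luhn digit catches transcription errors and crude edits, not a deliberate reflash, which is why the text above treats blacklisting as one layer rather than a complete answer.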
A further challenge on a global level is that mobile application security is not universally adopted either, so a multi-layered approach is essential: protect the handset itself from theft and keep its contents as secure as possible.
That means robust security and protection for applications that handle sensitive data. Neglecting it can have serious repercussions for enterprises and end users alike.
Our approach to application security is to isolate the security-critical parts of the application and secure them robustly, while applying broader protection to the rest of the application logic. The solution adapts to the capabilities of the device it runs on, so that the strongest protection each device can offer is used.
This gives reassurance to end users and enterprises alike that attacks targeting the application itself, or the underlying Android or iOS platform, are resisted.