5 security threats to watch in 2019

As consumers grow more attached to mobile devices for e-commerce and payments, fraudsters are intensifying their focus on handsets with new tricks, from phishing and vishing to SIM swaps.

Payment providers are looking for broad, new approaches to fighting fraud. The hunt for a new, universal digital ID will reach a critical point this year, in combination with innovations in artificial intelligence and biometrics technology.

But fraudsters are also working hard to stay ahead of these developments — and come up with new tricks of their own.

Mobile risk on the rise

As more banks rely on mobile devices as a second factor of authentication, fraudsters have shifted their sights to the cell phone providers that control that channel.

SIM-jacking and SIM swap fraud — which allow scammers to take over a phone number and/or intercept text messages sent to it — will increase in 2019 as crooks figure out new techniques. It’s still a relatively heavy-handed exploit, but anyone in possession of something hackers want will be a target, according to Adam Levin, co-founder of Credit.com, who was previously a director of the New Jersey Division of Consumer Affairs.

The South African Banking Risk Information Centre in October 2018 said the number of SIM-swap fraud incidents more than doubled in South Africa over the past year, and other global regions are seeing rising incidents. Also known as Port-Out scams, or SIM splitting, this technique targets the weakness in two-factor authentication where the second step triggers a call or text message to a mobile phone. In doing so, fraudsters can approve high-risk transfers long before the bank or customer is aware.

Further undermining device security is runaway spam call volume, which is expected to soar in 2019 to about half of all calls. Spam calls undermine consumers’ discipline in checking suspicious activity on their phones, and hurt payment providers’ ability to police and block fraud. Solutions requiring collaboration between financial services providers, device makers and wireless carriers — such as the carriers' own Project Verify — could gain traction this year.

Bigger data breaches ahead?

Major data breaches have been a threat to the payments industry for more than 13 years, according to credit bureau Experian's recent risk forecast.

The data breach of a rival credit bureau, Equifax, was said to be one of the biggest in history, but even bigger events could be ahead in 2019, Experian warns. A major wireless carrier, for example, could be attacked with devastating effect on iPhone and Android devices loaded with payments and financial data, possibly disabling wireless communications.

It’s also a matter of when, not if, a top vendor of cloud data storage will be hacked, Experian predicts.

Biometrics are a big area of innovation to make payments more secure, but they are not without their own unique risk factors. “Biometric data is considered the most secure method of authentication but it can be stolen or altered, and sensors can be manipulated and spoofed or deteriorate,” Experian said in its report.

In online gaming forums, fraudsters can pose as gamers and gain access to the computers and personal data of trusting players, the company said. “Some regulation and oversight are necessary to strip away the total anonymity of players,” Experian said.

Who will control Digital ID?

The search for a better way to manage digital IDs to authenticate payments is on.

As identity theft has become rampant and passwords have become virtually useless in blocking fraud, companies across the technology spectrum in financial services, healthcare and government are working on streamlined, consumer-friendly approaches to verify their identities.

Mastercard and Microsoft’s recent announcement about plans to collaborate on a decentralized digital ID approach is the first of a wave of cross-industry partnerships for identity verification and payment authentication that will take different forms.

But the biggest risk is one of incentives — the companies best positioned to control digital ID are the ones least motivated to benefit from it. Collaboration will be vital to making a digital ID system that is both trusted and secure.

One possible approach is designing a way for federations to work as a mechanism for transferring a consumer’s ID credentials from one point to another, suggests Sunil Madhu, co-founder and chief strategy officer of Socure, which offers a digital ID verification solution to protect against payment fraud.

“ID requirements should be contextual, so there would be no need for 100 percent of everyone’s ID information for 100 percent of all actions, which is the approach some organizations are heading for now,” Madhu said.

But don’t expect a single digital ID solution to appease all users. “It’s unlikely, and there’s no need for one solution to rule them all,” Madhu said.

Don't overlook AI

The prevailing wisdom in battling payments fraud for years has been layering solutions over one another, but many organizations have reached their limit in supporting multiple tools to fight fraud. And there's a risk in relying too much on disparate solutions rather than adopting technology that can see the full picture.

Strategies are gradually changing to smarter use of machine learning and artificial intelligence with existing tools, said Amit Bhute, senior vice president and global head of payments at Virtusa, a global I.T. consulting firm based in Southborough, Mass.

“Artificial intelligence will play a growing role in tackling payments fraud, with the predictive abilities of machine learning helping detect hidden flaws and reacting to fraud faster,” Bhute said.

A higher price for privacy

Privacy and security in payments will become a premium feature.

Consumers are already paying for password-management services, ditching companies and apps they don’t trust, and seeking out companies, products and services that promise to protect privacy and data.

Shane Green, U.S. CEO of U.K.-based Digi.me and co-founder of UBDI, is building a company focused on user-centric data solutions that put consumers in control. “A number of new companies are creating more decentralized and ethical approaches that deeply value the data and privacy of individuals,” Green said.

Because of real risks and ongoing data breaches, the era of consumers blithely sharing their data in exchange for free services will eventually fade, said Credit.com's Levin.

“Europe’s GDPR gives consumers the right to be forgotten, and we’re going to see more requirements like this for consent and disclosure, and new rules about how data is stored and shared. Canada has a tough new privacy law, Australia has gotten tougher on privacy and China is following that trend,” Levin said.

While cross-border payment demand rises, barriers to the flow of information could rise and impede that growth.

“Increased legislation will make the web less 'worldwide,' and today’s global sites will become more fenced-off in areas in what used to be a comparatively location-less internet,” he predicts.