Washington: The massive cyberattack on Target last year unleashed efforts to protect consumers from crooks swiping credit card data from in-store transactions. But as retailers and regulators scramble to develop a solution, hackers have already moved on.
Most hackers are focusing their efforts on online transactions — increasingly with an eye on those conducted over smartphones or other mobile devices. In other words, retailers are two steps behind the criminals.
While cyberattacks on physical systems, such as registers, card readers and gas pumps, have garnered a lot of attention lately, shoppers' online transactions are much more likely to fall victim to hackers, security experts say.
Mobile malware accounts for a small part of data breaches — Cisco estimates that malicious software targeted at mobile devices comprises only 1.2 per cent of all Web malware — but security experts say it is growing at a frightening pace. McAfee recently reported that the number of pieces of malware targeting Google's Android operating system nearly tripled between 2012 and 2013, to 3.7 million.
"Although not a significant percentage, it is still worth noting because mobile malware is clearly an emerging - and logical - area of exploration for malware developers," Cisco researchers wrote in the firm's latest annual report outlining major security threats.
For retailers, that trend is particularly troubling. Shoppers have embraced mobile transactions, and retailers are happy to accommodate them, adding easy ways to buy goods with just a few taps on a smartphone or tablet. IBM Analytics reported that, on Cyber Monday 2013, mobile shopping accounted for 17 per cent of all online sales — an increase of 55.4 per cent year over year.
When big companies start paying attention, however, so do fraudsters. Mobile malware started in the early 2000s as a way to scam users by tricking them into dialing pay-per-call numbers or responding to messages that tacked on service charges to their bills. But now, the mobile channel can turn over real money, and at a time when security measures are still in early stages of development.
In 2012, Visa e-commerce company CyberSource estimated that around 1.4 per cent of all mobile commerce revenue was lost to fraud — between $300 million and $400 million — as compared to the 1 per cent lost to online fraud.
Much of the problem is that average consumers aren't attuned to figuring out when they're being targeted by malware on their phones, experts said. Links are often truncated for small screens, for example, keeping people from noticing that the address they're trying to go to isn't what it says it is.
Similarly, a text message from a friend telling you about a new app or a cool website may seem genuine but turn out to take you somewhere you don't want to be.
"With computers, you mostly get malware through exploits — you browse the website, and you get infected," said Mikko Hypponen, chief research officer for the security firm F-Secure. "That never happens on phones."
On phones, he said, attacks happen because customers actively download a programme that looks legitimate but has hidden features that tap into phones to collect information. This kind of malware is mostly a problem for Android phones; Cisco reported that 99 per cent of the malware it discovered for smartphones in 2013 targeted Google's operating system.