Fraudsters reaping the rewards of data harvested from discarded devices
Whether your smartphone has succumbed to inbuilt obsolescence, or the latest Apple phone release is simply shinier than the last, there is no denying that consumers are swapping, reselling or trading in their devices with increasing frequency.
Today, on average a Westerner upgrades their smartphone every 18-24 months. Whipping out a Blackberry at a business meeting in 2019 would garner the same bamboozled looks as heading down to the tennis court for a hit with your wooden racket.
The market for refurbished phones more than doubled from 56 million devices in 2014 to 120 million devices, totalling over $5 billion in 2017. It was five years ago that the number of mobile phones in the world outstripped the number of humans.
Refurbished phones are data gold mines
This growing, billion-dollar industry poses a huge security risk for financial institutions. Discarded devices are data treasure troves: email addresses, birth dates, home addresses, credit card numbers, license details, wage slips, passport numbers and personal images or documents are among the most commonly recovered files.
Experts have repeatedly proved how easy it is to harvest personal data from recycled hardware, even from phones that had been factory reset. In a 2012 study, the University of Hertfordshire purchased 200 used devices on eBay and found that over two-thirds of them still contained private and sensitive information, regardless of whether the files had been manually deleted.
In a more worrisome study, Cambridge University researchers examined second-hand phones and were able to recover account tokens from every device; on 80 percent of the phones they also recovered the “master token” (essentially a digital key to your front door). From there, all data could be restored, including emails, passwords, contacts, messages and other sensitive information.
These titbits of personal information are enough for a criminal to hijack your identity. A malicious individual could simply use the “forgot my password” function to gain access to your accounts, or could even convince your service providers that they are you, based on the information they now hold. With new “auto-fill” technology, criminals with access to your device have much more freedom to shop online using the pre-populated credit card details in the checkout box.
The Cambridge Analytica scandal may have given the false impression that stealing personal data requires a coordinated, covert operation. In reality, scraping private data from discarded devices is not all that difficult, with free forensic apps allowing even the most techno-challenged Luddites to download your long-deleted summer holiday snaps.
The real cost of free data is billed to the banks
So why is a flaw in phone technology a cause of concern for banks? Banks have a responsibility and a duty of care to their customers to protect them against fraud and to keep their data secure.
This is before you consider the lost revenue, reputational damage, and the possible regulatory liability for failing to detect and prevent fraud threats. Yet, financial institutions have been too slow to react to the proliferating gateways for fraud and identity theft.
Trends show a considerable rise in bank and credit card fraud, with both the frequency of incidents and the amounts stolen from customers increasing. In 2016, on average £475 was stolen from an individual fraud victim; by 2018 this had risen to an average of £833.
Quite significantly, in 2018 one in four consumers in the UK fell victim to some sort of online fraud. Losses to fraud in Britain last year alone cost the major banks £1.2 billion, and that number is growing year on year as more data becomes available to criminals.
Time to act
With identity theft only becoming easier, more accessible and harder to detect, banks need to invest in their financial crime detection and response capabilities. TSB is the first British bank to announce that it would give an automatic refund to victims of fraud. Intended as a reaction against the bank’s IT meltdown last April, it can be praised as a step in the right direction by relieving customers from paying the cost of fraud.
However, the issue remains that British banks tend to process fraud without treating the customer as the victim of a crime. Simply paying off the losses tacitly condones criminal activity, rather than committing to preventing fraud. In turn, this could further incentivise fraudsters to target more customers, knowing that the losses incurred by the individual will be reimbursed.
In positive news, the advent of Strong Customer Authentication under PSD2 later this year will force banks across Europe to implement process and technology changes that will make it much harder to commit fraud using details recovered from an old device. Biometrics and two-factor authentication (2FA) will become the norm for all online or mobile payment journeys, with measures such as fingerprint recognition, FaceID, or a code sent to a mobile number used to mitigate fraud risks.
Given that 7 out of the top 12 online banking providers in Britain do not provide multi-factor authentication today, this will require a significant level of investment across the industry.
Unless banks are willing to ask their customers to hold onto their iPhones in perpetuity, they will need to invest in and deploy enhanced security measures to better protect their customers.