Transaction laundering moves to mobile: Banks need to watch out
By Ron Teicher, CEO, EverCompliant
Mobile is the future, and more people than ever are doing their online shopping on mobile devices. In 2015, by the figures the author cites, 17 percent of retail sales were made via mobile smart devices, 53 percent more than the year before, and that share is still rising.
And as e-commerce goes, so goes electronic crime. The many new ways of reaching and selling to customers, via apps, text messages, even chat apps, create opportunities for legitimate sellers, but they create just as many for cybercriminals intent on abusing the payment system for their own benefit.
One scam enjoying a golden era thanks to mobile is transaction laundering, in which criminals hijack a legitimate payment process to sell illicit goods and services online. The plethora of payment options on mobile makes it easy for peddlers of porn, drugs, even weapons, to hide in plain sight, using legitimate-looking front merchants to process transactions for illegal goods and services, with less fear than ever of getting caught.
Unfortunately for the banks and payment platforms that unknowingly process these transactions, the law is likely to hold them responsible for illegal activity they should have caught passing through their systems. To protect themselves, banks, PSPs (payment service providers), acquirers, and other financial service organizations need to detect and shut down transaction laundering before the Justice Department, the FBI, or Interpol detect it for them.
The numbers are mind-boggling. Studies indicate that banks may be processing payments for as many as 10 percent more e-commerce sites than they have actually onboarded, sites operating without the bank's consent or awareness; and it is possible that these sites are fronts for the sale of illicit goods and services.
A legitimate-looking website that sells flowers, for example, may actually be a front used to process payments for other sites that sell completely different merchandise, often illegal in nature. Payment is made by credit card, PayPal, etc., and appears on the cardholder's statement, and in the card issuer's and acquirer's records, as an ordinary transaction with the online flower shop, because the money moves under the flower shop's merchant account and descriptor, not the real seller's. That shop can now also publish a mobile app, and that app can process payments for illicit sources coming from other mobile apps or other websites.
The iOS App Store holds more than one and a half million apps, and Google Play over 2 million, including thousands of shopping apps that bring the online commerce experience of sites like Amazon, Zappos, Walgreens, and many others to mobile. But there are many other, lesser-known markets for downloading mobile apps, and many of these apps offer in-app purchases or link out to mobile-web payment pages.
While Apple and Google can be presumed to check the merchant apps offered in their stores, there are other sources from which users pick up rogue apps, creating a huge unvetted marketplace. Users of Android, Windows phones, BlackBerry, and other devices can install any platform-compatible app from outside the official stores, and those apps are not vetted by anyone. No one knows how many of these unknown apps there are, or whether they are being used for illegal activity.
Even ostensibly legitimate App Store and Google Play apps pose a major risk. Hundreds of thousands of apps of all kinds, games, information and news, entertainment, etc., offer in-app purchases to enhance the user experience. What is to stop a rogue internet merchant from using a gaming app, for example, to funnel payments to a site selling illicit items through an in-app purchase link?
Things could get even grimmer as merchants begin using chat bots to reach customers. Chat bots operate inside chat apps like Messenger and WhatsApp, using artificial intelligence to converse with members of a group with the objective of driving e-commerce sales. For cyber-crooks, chat offers an unprecedented opportunity: find the right group of disillusioned teens, for example, and a drug dealer can have a field day selling to an amenable audience.
What to do?
Mobile has upended e-commerce in a very short time, but it has not changed the law; banks and card issuers involved in illegal transactions, even unknowingly, can find themselves in deep trouble both legally and reputationally. Without data on who is really transacting through their merchants they are sitting ducks, and once they have that data they need to use it effectively, and fast, to find out where the crooks are.
The current threats from transaction laundering require a fundamental change in how the industry vets and monitors online merchants and mobile apps. This requires cyber intelligence techniques that can detect and track the elaborate networks of sites and apps that have until now been invisible to merchant service providers (MSPs).
Additionally, it is critical to monitor the merchant portfolio continuously, not just at onboarding. The bad guys know how to get through the system by looking 100 percent legitimate on day one. The questionable mobile apps typically appear weeks or months after the front shop has planted roots in the payment system; only then is transaction laundering introduced through newly marketed apps, so a merchant that passed every check at signup can still turn into a laundering front later.
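The following is an added example, not code from the article or from EverCompliant, illustrating both the laundering flow described above (a flower shop's merchant account carrying payments for an unrelated app) and the kind of ongoing portfolio monitoring the last paragraph calls for. It assumes, as a hypothetical, that the acquirer records for each authorization the origin the payment page or SDK was loaded from (a referrer host or mobile app bundle id) and that each merchant declared its own origins and catalog price band at onboarding; the merchant registry, the authorization records, and the escalation thresholds are all constructed for illustration.

```python
"""Merchant-portfolio monitor: compare what a merchant declared at onboarding
with where its payments actually originate later. Added example; all data
and thresholds are constructed, and the 'origin' field is an assumption
about what the acquirer logs, not a real processor's schema."""
from collections import defaultdict
from datetime import date

# Constructed registry: what the (front) flower shop declared at onboarding.
MERCHANTS = {
    "M-FLOWERS": {
        "onboarded": date(2016, 1, 5),
        "declared_origins": {"bloomsbyjane.example", "com.bloomsbyjane.shop"},
        "price_band": (15.00, 150.00),  # declared catalog price range, USD
    },
}

# Constructed authorization log: (merchant id, date, amount, origin).
# The first three months look exactly like a flower shop. Then a gaming app
# nobody declared starts pushing round, out-of-band amounts through the same
# merchant account: the laundering pattern the article describes.
AUTHS = [
    ("M-FLOWERS", date(2016, 1, 20), 49.99, "bloomsbyjane.example"),
    ("M-FLOWERS", date(2016, 2, 14), 79.00, "com.bloomsbyjane.shop"),
    ("M-FLOWERS", date(2016, 2, 15), 25.00, "bloomsbyjane.example"),
    ("M-FLOWERS", date(2016, 4, 3), 300.00, "com.freegame.puzzle"),
    ("M-FLOWERS", date(2016, 4, 3), 300.00, "com.freegame.puzzle"),
    ("M-FLOWERS", date(2016, 4, 4), 600.00, "com.freegame.puzzle"),
    ("M-FLOWERS", date(2016, 4, 5), 45.00, "bloomsbyjane.example"),
]


def review_merchant(merchant_id, auths, registry=MERCHANTS):
    """Build a report for one merchant:
      undeclared   - per origin the merchant never declared: count, volume,
                     and days after onboarding it was first seen
      out_of_band  - authorizations priced outside the declared catalog band
      foreign_share - fraction of total volume routed via undeclared origins
    """
    m = registry[merchant_id]
    lo, hi = m["price_band"]
    undeclared = defaultdict(lambda: {"count": 0, "volume": 0.0, "first_seen_days": None})
    out_of_band = []
    total = foreign = 0.0
    for mid, when, amount, origin in auths:
        if mid != merchant_id:
            continue
        total += amount
        if not (lo <= amount <= hi):
            out_of_band.append((when.isoformat(), amount, origin))
        if origin not in m["declared_origins"]:
            foreign += amount
            entry = undeclared[origin]
            entry["count"] += 1
            entry["volume"] += amount
            age = (when - m["onboarded"]).days
            if entry["first_seen_days"] is None or age < entry["first_seen_days"]:
                entry["first_seen_days"] = age
    return {
        "undeclared": dict(undeclared),
        "out_of_band": out_of_band,
        "foreign_share": (foreign / total) if total else 0.0,
    }


def should_escalate(report, share_threshold=0.25):
    """Escalate to manual review when a meaningful slice of volume arrives via
    origins the merchant never declared, or when an undeclared origin is also
    the source of out-of-band amounts. The 25% threshold is illustrative."""
    if report["foreign_share"] >= share_threshold:
        return True
    bad_origins = set(report["undeclared"])
    return any(origin in bad_origins for _, _, origin in report["out_of_band"])


if __name__ == "__main__":
    report = review_merchant("M-FLOWERS", AUTHS)
    for origin, stats in report["undeclared"].items():
        print(f"undeclared origin {origin}: {stats}")
    print("out-of-band:", report["out_of_band"])
    print(f"foreign share: {report['foreign_share']:.1%}, escalate: {should_escalate(report)}")
```

Run against the constructed log, the review flags `com.freegame.puzzle` as an undeclared origin first seen 89 days after onboarding, carrying roughly 86 percent of the merchant's volume in amounts far above the declared flower prices, and escalates. The point of the design is that a one-time onboarding check would have passed this merchant; only a baseline recorded at signup and compared against later traffic reveals the turn.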