Brian Pennington

A blog about Cyber Security & Compliance


April 2011

Study: Consumers’ Reaction to Online Fraud


ThreatMetrix, a cloud-based fraud prevention company, and the Ponemon Institute have released the findings of their joint study on consumers’ awareness and appreciation of online fraud.

The study revealed the following:

  • 85% of respondents reported being worried and dissatisfied with the level of protection online businesses are providing to stop fraudsters. This figure is up 5% on the Ponemon study of 2009.
  • 42% of respondents said they have been the victim of online fraud.
  • 80% of victims said they did not report the crime.
  • 19% of those who said they had reported the fraud reported it only to the online business.

“A lot of fraudulent activity goes unreported today, making it difficult for online businesses to fully understand the prominence and seriousness of the problem,” said Reed Taussig, president and CEO, ThreatMetrix. “With a rise in online transactions and activities across devices, more needs to be done to educate online merchants, banks, social outlets and other businesses on how to decrease fraudulent activity.”

Those respondents that expressed concern over online fraud said they felt online merchants, banks and social networks need to take additional steps to prevent fraudsters from stealing consumer information.

  • 68% would allow a trusted online business to place a cookie on their computer to automatically authenticate them.
  • 82% indicated that they would expect an online business to offer alternative authentication methods if they were unable to match the consumer’s digital fingerprint to their security system.

“Our survey results help validate the need and consumer preference for technology, such as device identification, to authenticate identity as opposed to using personally identifiable information,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute. “Consumers expressed much more willingness to share data like ISP, computer serial number, type and make, rather than information like date of birth and telephone number.”

Information Consumers are Willing to Allow a Trusted Online Business to Check to Verify Their Identity, or Digitally Fingerprint Their Computer:

1. Serial number of computer 88%
2. Type and make of your computer 83%
3. Internet service provider 76%
4. Browser settings 71%
5. Type of browser 65%
6. IP address 59%
7. Types of software applications residing on your device 54%
8. Email address 46%
9. Purchase history 39%
10. Planned future purchases 35%
11. Date of birth 34%
12. Telephone number 17%
13. Home address 16%
14. Name 14%
15. Zip code 9%
16. Social Security number 4%
17. Driver’s license number 2%

Study findings indicate that consumers have a “positive perception about companies that use authentication and fraud detection tools to prevent online fraud”.

  • 56% of consumers indicated they are ‘more willing’ to shop or browse an online business if they know that company is taking specific measures toward combating fraud.
  • 88% of respondents stated a preference for companies to share information about their device for authentication purposes — as opposed to sharing personal information to verify their identity.

Read the whole study here.

Identity Theft Resource Center found that hacking accounted for the largest number of breaches in 2011 year-to-date

The Identity Theft Resource Center® has found that hacking accounted for the largest number of breaches in 2011 year-to-date.

Almost 37% of breaches between January 1st and April 5th were due to malicious attacks on computer systems. This is more than double the amount of targeted attacks reflected in the 2010 ITRC Breach List (17.1%).

ITRC point out that their findings do not include the large Epsilon email breach, as its full details were yet to be disclosed and its effects seen. The findings also do not include the massive Sony PlayStation Network breach, which occurred after the report.

Anecdotally, the ITRC in their press release also refer to other pieces of research:

  • Symantec Internet Security Threat Report. This report discloses that over 286 million new threats were identified during 2010. Additionally, the Symantec report said they witnessed more frequent and sophisticated targeted attacks in 2010.
  • McAfee found that the most significant threat to businesses was data leaked accidentally or intentionally by employees.

ITRC views employee breaches as two different types of breaches.

1. Accidental breaches are those that happen by employee mistakes, and while they cause harm, the people who made a mistake never intended to injure the company.

2. The insider who intentionally steals or allows others access to personal information is considered a malicious attacker.

“At first it may be difficult to know if a hacking was perpetrated by an insider or outsider,” says Linda Foley, founder of the ITRC and data breach report manager. “ITRC does not have access to the Secret Service’s forensic information, so we can only report on situations when information is released. As of April 5, 11.6% of 2011 breaches with known forms of leakage were insider theft. When these events are added to known hacking attacks, ITRC’s breach database report indicates that 48.2% of published breaches are some form of targeted attack.”

Businesses are taking the brunt of hacking attacks, according to published reports of breaches.

  • 53.6% of all breaches on the ITRC report were business related.
  • The other categories, “Banking/Credit/Financial,” “Educational,” “Government/Military” and “Medical/Healthcare,” all dropped in their respective percentage of reported breaches.

Other ITRC findings include:

  • Nearly half of breached entities did not publicly report the number of potentially exposed records.
  • Several medical breaches ranging up to 1.9 million records caused a spike in the total records for the health services field.

ITRC was unable to draw any long term conclusions from these initial findings.

For further details, visit the ITRC website.


Symantec MessageLabs April 2011 Intelligence Report


Symantec MessageLabs have released their April 2011 Intelligence Report, which as usual makes very interesting reading.

The highlights of the Intelligence Report are below:

  • Spam – 72.9% in April (a decrease of 6.4 percentage points since March 2011)
  • Viruses – One in 168.6 emails in April contained malware (an increase of 0.11 percentage points since March 2011)
  • Phishing – One in 242.2 emails comprised a phishing attack (an increase of 0.02 percentage points since March 2011)
  • Malicious web sites – 2,431 web sites blocked per day (a decrease of 18.2% since March 2011)
  • 33.0% of all malicious domains blocked were new in April (a decrease of 4.0 percentage points since March 2011)
  • 22.5% of all web-based malware blocked was new in April (a decrease of 1.9 percentage points since March 2011)
  • Targeted attacks increase in intensity: What does a recent targeted attack look like?
  • Shortened URLs: Do you know what you’re clicking on?

Symantec MessageLabs’ table below shows the most frequently blocked email-borne malware for April, many of which take advantage of malicious hyperlinks. Overall, 55.1% of email-borne malware was associated with Bredolab, Sasfis, SpyEye and Zeus variants, a trend initially reported in the MessageLabs Intelligence Report for February 2011.

Malware – % of email-borne malware blocked
Trojan.Bredolab!eml  37.67%
Exploit/FakeAttach  4.54%
HeurAuto-08ba  3.88%
Gen:Variant.Kazy.17074 3.53%
Trojan.Bredolab 3.31%
W32/Bredolab.gen!eml-19251 3.27%
W32/Bredolab.gen!eml 2.83%
Gen:Variant.Kazy.16615 1.80%
W32/Generic-afcd 1.79%
W32/Delf-Generic-ad9e 0.70%

Symantec MessageLabs’ table below shows the malware most frequently blocked targeting endpoint devices for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec MessageLabs Web or Symantec MessageLabs Email.

Malware – % of endpoint malware blocked
W32.Sality.AE  8.10%
W32.Ramnit.B!inf  7.80%
W32.Ramnit!html  6.90%
Trojan.Gen 6.80%
Trojan Horse  6.80%
Trojan.Bamital  5.30%
W32.Downadup.B 4.10%
Trojan.Gen.2  3.80%
Downloader  3.80%
W32.Almanahe.B!inf  2.50%

See the entire Symantec MessageLabs Intelligence Report here.

The March report summary can be found here.


Symantec MessageLabs March 2011 Intelligence Report


Symantec MessageLabs have released their March 2011 Intelligence Report, which as usual makes very interesting reading.

The highlights of the Intelligence Report are below:

  • Spam – 79.3% in March (a decrease of 2.0 percentage points since February 2011)
  • Viruses – One in 208.9 emails in March contained malware (an increase of 0.13 percentage points since February 2011)
  • Phishing – One in 252.5 emails comprised a phishing attack (a decrease of 0.07 percentage points since February 2011)
  • Malicious websites – 2,973 web sites blocked per day (a decrease of 27.5% since February 2011)
  • 37.0% of all malicious domains blocked were new in March (a decrease of 1.9 percentage points since February 2011)
  • 24.5% of all web-based malware blocked was new in March (an increase of 4.2 percentage points since February 2011)
  • Global spam volumes drop by one third, as Rustock botnet is dismantled
  • First review of spam-sending botnets in 2011 identified Bagle as most active botnet as Rustock fell silent

Spam: The Russian Federation was the most frequent source of spam in March, perhaps in large part because a large number of bots for Bagle, Lethic and Maazben are located in this geography.

Country % of Spam
Russian Federation 12.4%
India 8.8%
Brazil 5.9%
United States 4.5%
Ukraine 4.4%
Colombia 3.9%
Romania 3.8%
Argentina 2.8%
Vietnam 2.5%
Korea, Republic of 2.5%

Symantec MessageLabs’ table below shows the most frequently blocked email-borne malware for March, many of which take advantage of malicious hyperlinks. In March, 35.3% of email-borne malware was associated with Bredolab, SpyEye and Zeus variants, a trend initially reported in the MessageLabs Intelligence Report for February 2011.

Malware – % of email-borne malware blocked
Trojan.Bredolab!eml 24.0%
Exploit/SuspLink-7d87 17.1%
W32/Bredolab.gen!eml-19251 4.8%
Trojan.Bredolab 1.9%
Exploit/SuspLink.dam 1.8%
Exploit/SuspLink-6c7b 1.6%
W32/Bredolab.gen!eml 1.5%
W32/Bredolab!gen-ad91 1.4%
Exploit/LinkAliasPostcard-b354 0.8%
W32/Delf-Generic-ad9e 0.7%

Symantec MessageLabs’ table below shows the malware most frequently blocked targeting endpoint devices for the last month.

Malware – % of endpoint malware blocked
W32.Sality.AE 8.3%
Trojan.Gen* 7.7%
Trojan Horse 7.4%
W32.Ramnit!html 5.8%
Trojan.Gen.2* 4.9%
W32.Ramnit.B!inf 4.3%
Trojan.ADH.2 4.3%
Trojan.Bamital 4.3%
W32.Downadup.B 3.9%
Downloader* 3.5%

See the whole Symantec MessageLabs Intelligence Report here.

It is also worth reading the earlier posts on Phishing and the impact on the UK Banks and the Fraud Intelligence Report.


Phishing – the UK banking losses


In March 2011 the UK Cards Association reported that online banking fraud losses totalled £46.7 million in 2010. This represented a 22 per cent fall on the 2009 figure.

The factors contributing to this fall include:

  • Customers better protecting their own computers with up-to-date anti-virus software
  • Banks’ use of sophisticated fraud detection software.

This decrease has occurred despite a continuing rise in phishing attacks, up 21% from 2009.

UK annual reported banking losses 2006 to 2010 due to Phishing

Year                     2006    2007    2008    2009    2010    % change 2009 to 2010
No. of phishing attacks  14,156  25,797  43,991  51,161  61,873  +21%

The link to the UK Cards Association press release is here.

In my last blog post Fraud Intelligence Report – First Quarter 2011 there were some other interesting Phishing statistics:

  • Phish attack volume increased 17% from the previous quarter to 99,800 attacks
  • The number of targeted organizations increased 11% from the fourth quarter of 2010, to 511
  • Attacks per organization increased 6% from Q4 2010 to 195
  • Financial sector accounted for 47% of phish attacks in the first quarter of 2011
  • Payment Services sector accounted for 27%
  • Auction sector phish increased 47% quarter-over-quarter to 5,414 attacks
  • Gaming sector phish increased 60% from the previous quarter to 6,834 attacks
  • Social Networking sector phish increased 40% from the previous quarter to 4,768 attacks

Source of Phishing in quarter one 2011

  • Phish hosted in the UK grew by 63%
  • Russian-hosted phish grew by 93%
  • North America hosted the majority of phishing attacks, with 61% of total attacks in the first quarter
  • Western Europe followed, hosting 19% of phishing attacks in the same period

Read the blog post Fraud Intelligence Report Q1 2011 here.


Fraud Intelligence Report – First Quarter 2011


MarkMonitor, a global leader in enterprise brand protection, offers comprehensive solutions and services that safeguard brands, reputation and revenue from online risks.

MarkMonitor produce a Fraud Intelligence Report on a quarterly basis and the report for the first quarter of 2011 is now available. The headline findings are:

Phishing Attacks Reversed Decline
Phish attack volume increased 17% from the previous quarter to 99,800 attacks.

Organizations Targeted Continued Growth Trend
The number of targeted organizations increased 11% from the fourth quarter of 2010, to 511.

Attacks per Organization Increased Slightly
Attacks per organization increased 6% from Q4 2010, to 195.

Financial Sector Continued as Most Popular Phishing Sector
The Financial sector accounted for 47% of phish attacks in the first quarter of 2011, while the Payment Services sector accounted for 27%.

Auction, Gaming, and Social Networking Sectors Reversed Previous Declines
Auction sector phish increased 47% quarter-over-quarter to 5,414 attacks. Gaming sector phish increased 60% from the previous quarter to 6,834 attacks. Social Networking sector phish increased 40% from the previous quarter to 4,768 attacks.

Phishing Attacks Targeting Spanish Brands Doubled
Attacks targeting Spanish brands grew 127% from the previous quarter. However, North American brands continued to attract the lion’s share of attacks, accounting for 74% of phishing attacks in the first quarter. Western European brands accounted for 18% of phish.

Phishing Attacks Hosted in the UK and Russia Showed Substantial Growth
In the first quarter, phish hosted in the UK grew 63% and Russian-hosted phish grew 93%. As with targeted brands, however, North America hosted the majority of phishing attacks, with 61% of total attacks in the first quarter. Western Europe followed, hosting 19% of phishing attacks in the same period.

Download the full report here.


PCI DSS Compliance Trends Study, 2011


The Imperva and Ponemon 2011 PCI DSS Compliance Trends Study is a survey of IT and IT security practitioners in the U.S.

The Payment Card Industry Data Security Standard (PCI DSS) continues to be one of the most important regulations for all organizations that hold, process or exchange cardholder information.

In 2009, Ponemon Institute, with sponsorship from Imperva, conducted the first study to determine if IT and IT security practitioners believe PCI compliance improves organizational security and how it affects the ability to respond to security threats affecting payment account data.

In this study, 2011 PCI DSS Compliance Trends Study, we (Imperva and Ponemon) continue to examine how efforts to comply with PCI affect the organization’s strategy, tactics and approach to achieving enterprise data protection and security, and how the state of PCI compliance has changed since the first study. We also consider the reactions that IT and IT security practitioners in different-sized organizations have to compliance with PCI.

A total of 670 US and multinational IT and IT security practitioners who are involved in their companies’ PCI compliance efforts were surveyed on the following topics:

  • What is the state of PCI DSS compliance in the organization?
  • Who is most responsible in an organization for ensuring compliance with PCI DSS requirements?
  • What technologies are preferred to achieve compliance with PCI DSS requirements?
  • Does PCI DSS contribute to a decline in data breaches?
  • Where are the greatest threats to the security of cardholder data located?
  • What is the value PCI DSS compliance provides to the organization?

This year’s report shows that:

  • 55% of respondents say their organization’s data breach incident did not concern the loss or theft of cardholder data 
  • 39% say one of the data breach incidents involved cardholder data and 6% report two to five incidents involving cardholder data 
  • The percentage of respondents reporting that their organization had a data breach in the past 24 months increased from 79% in 2009 to 85% in 2011 
  • Although the majority of PCI compliant organizations suffer fewer or no breaches, most practitioners still do not perceive the mandate to have a positive impact on data security
  • About 64% of PCI-DSS compliant organizations reported suffering no data breaches involving credit card data over the past two years, while only 38 percent of non-compliant organizations reported suffering no breaches involving credit card data over the same period 
  • Certain technologies are adopted more quickly than others to comply with PCI. For example, code review saw the biggest decline in adoption 
  • The percentage of non-compliant companies decreased from 25% to 16%. Correspondingly, the percentage of fully compliant companies increased from 22% to 33% 
  • 38% of the compliant organizations say their organizations had two or more breaches in the past 24 months versus 78% of respondents in the non-compliant group 
  • 66% of respondents say their organizations retain and store primary account numbers for various reasons 
  • 33% of respondents see PCI DSS compliance costs as adding more value than other IT security expenditures. Another 35% say these expenditures are at about the same level of value. Finally, 32% see PCI DSS compliance costs as adding less value than other IT security expenditures made
  • 58% of respondents say that their organization has conducted or is in the process of conducting an audit or assessment by a bona fide QSA professional. Of those who have completed such an audit or assessment, 68% say that it helped the organization achieve its PCI DSS compliance requirements

Download the Imperva and Ponemon report here.


Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise


Verizon have released their Data Breach Investigations Report 2011 and, as usual with the Verizon report, there is a lot to take in.

The investigations by Verizon and the U.S. Secret Service found that the volume of data lost in breaches had dropped from 144 million records in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008.

The percentage of internal breaches fell massively from 49% to 16%, which the report claims is due to the large increase in external attacks rather than a fall in internal breaches.

Verizon’s recommendations for enterprises from the 2011 report are below:

  • Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others.  Businesses are much better protected if they implement essential controls across the entire organization without exception.
  • Eliminate unnecessary data.  If you do not need it, do not keep it.  For data that must be kept, identify, monitor and securely store it.  
  • Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
  • Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties.  Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
  • Monitor and mine event logs.  Focus on the obvious issues that logs pick up, not the minutiae. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.  
  • Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.

Key results from the 2011 report shown in the Verizon press release are below:

  • Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, and the possibility that criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
  • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources.  Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks.  Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
  • Physical attacks are on the rise.  After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals.  The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
  • Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.
  • Stolen passwords and credentials are out of control.  Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security.  Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Download the report here.


Call Centre Security and PCI Compliance


Credit Card data is the Crown Jewels for hackers and the financial lifeblood of many companies. An Account Data Compromise, also known as a breach, can lead to bad press and a bad reputation; you only need to Google Lush to see the impact.

With the 18th March 2011 launch of the PCI Council’s “Protecting Telephone Based Payment Card Data” guidance for Call Centres, it is worth noting that, according to research from Connected World, 36.7% of contact centres claimed to be fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).

However, the majority (89%) admitted to not understanding PCI DSS, its requirements or its penalties.

There are many business and regulatory requirements that impact Call Centres, especially the recording of telephone calls, for example in the United Kingdom, the Financial Services Act.

The act of recording a call can break the rules of PCI DSS, as most recordings capture ALL the data, including the CAV2, CVC2, CVV2 or CID, which must never be stored. Storing the PAN and expiry date is acceptable so long as the data is encrypted and the Merchant has acted on all the questions within SAQ D, or has undertaken a formal Audit if they are a level 1 Merchant.

The number one piece of advice for Call Recording is DO NOT DO IT unless you really have to.
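If a call really must be recorded, the transcript or call record still has to be cleaned before it is kept. The Python sanitizer below is an added example written for this post (not the PCI Council’s or the author’s code): it removes any security code (CAV2/CVC2/CVV2/CID) spoken after a cue phrase and replaces any Luhn-valid card number with its first-six/last-four masked form. The cue-phrase list and the assumption that spoken numbers are transcribed as digit groups are mine, and a Luhn failure leaves the text untouched, so recordings still need review.

```python
"""Redact cardholder data from a call-centre transcript before storage.

Added example for this post, not from the PCI Council or the author.
Assumes the card number is transcribed as digits (optionally grouped by
spaces or hyphens) and that the security code follows a cue phrase.
"""
import re
from typing import Dict, List, Tuple

# Candidate PAN: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data: a 3- or 4-digit code spoken after a cue.
# The cue-phrase list is an assumption for this example.
SAD_RE = re.compile(
    r"(?i)\b(cvv2?|cvc2?|cav2|cid|security code|three digits?|four digits?)\b"
    r"(\D{0,20}?)(\d[ -]?\d[ -]?\d(?:[ -]?\d)?)(?!\d)"
)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS permits to show."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_transcript(text: str) -> Tuple[str, List[Dict[str, str]]]:
    """Return (redacted text, findings).

    Security codes are removed entirely because they must never be stored;
    PANs are replaced by their masked form. The findings list is what you
    would write to a detection log (it never contains the raw values).
    """
    findings: List[Dict[str, str]] = []

    def sad_sub(m: "re.Match[str]") -> str:
        findings.append({"type": "SAD", "cue": m.group(1)})
        return f"{m.group(1)}{m.group(2)}[REDACTED]"

    def pan_sub(m: "re.Match[str]") -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw          # not a card number (e.g. an order reference)
        masked = mask_pan(digits)
        findings.append({"type": "PAN", "masked": masked})
        return masked

    # Strip the security code first so its digits can never be glued onto
    # a neighbouring digit group and mistaken for part of a PAN.
    text = SAD_RE.sub(sad_sub, text)
    text = PAN_RE.sub(pan_sub, text)
    return text, findings


if __name__ == "__main__":
    # Constructed sample transcript; 4111 1111 1111 1111 is a public test PAN.
    sample = ("Caller: my card is 4111 1111 1111 1111, expiry 12 25, "
              "security code 123. Thanks.")
    cleaned, log = redact_transcript(sample)
    print(cleaned)
    print(log)
```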

However, the recording of the calls and storing of Credit Card Data in an encrypted format are small parts of the issue facing Call Centres.

By considering the following points and reviewing the documents on the PCI Resource page  you can go a long way towards achieving a PCI compliant Call Centre.

  • Employee vetting is the first step in ensuring a secure Call Centre.
  • There needs to be a formal employee induction programme where employees learn about the company’s policies (rules) and the ramifications of breaching those policies.
  • Specifically, there needs to be a documented Policy on how employees handle Calls and the Data resulting from those Calls, especially Credit Card Data.
  • The Merchant needs to communicate the Policy to all employees that have access to Credit Card Data.
  • Do employees regularly receive training on the Policy and its importance? They should.
  • Are employees made aware of their IT Security responsibilities?
  • Security Awareness training needs to be provided, for example, how to deal with the threat of computer viruses, how to report suspicious activity, etc.
  • Security Awareness has to be promoted, for example, on posters and in newsletters.
  • Do supervisors/managers enforce a clear desk Policy? For example, no MP3 players, no note pads or any other means of recording information.
  • Access to photocopiers and scanners needs to be restricted.
  • Restricting physical access to the Call Centre should be considered.
  • Call Centres should be restricted to employees only, and visitors need to be escorted.
  • All paperwork leaving the Call Centre should be shredded to avoid the unnecessary risk of Personally Identifiable Information (PII) finding its way into the public domain.
  • Consideration should be given to CCTV.
  • Do all employees have unique logon identities?
  • Are strong passwords enforced?
  • Are password changes enforced every 30 days, or less?
  • Are password changes significantly different from the previous password? For example, not simply adding a 1 or a 2 at the end of the previous password.
  • Home and remote workers need to have local security installed, for example, personal Firewalls and Anti Virus.
  • Do systems and servers that store credit card data, for example, CRMs and Databases, have access restricted on a need-to-know basis?
  • Are logs taken and stored for the systems and networks where data is stored?
  • Are the Merchant’s network and the systems attached to it adequately protected against viruses, hackers and other threats?
  • Are these systems regularly scanned and patched for vulnerabilities? PCI DSS requires that all systems and networks within the scope of the card data environment be scanned by an Approved Scanning Vendor at least quarterly.
  • Is the Merchant’s security regularly tested? For example, by having Penetration Tests.
  • Does the Merchant have a plan on how to deal with a breach, and is this plan tested? This is often called an Incident Response Plan and can be tuned to deal with all types of breaches, for example, the Epsilon Email Breach.

In summary, PCI DSS is not the only area of compliance affecting the Call Centre, but PCI DSS does help focus the business on what security, processes and procedures are required to achieve best practice.


Epsilon admits to a data breach that could affect millions

On the 1st April 2011 Epsilon reported on their website “On March 30th, an incident was detected where a subset of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system. The information that was obtained was limited to email addresses and/or customer names only. A rigorous assessment determined that no other personal identifiable information associated with those names was at risk. A full investigation is currently underway.”

Whilst there is no immediate financial risk to those individuals who have had their name and email address stolen, there is the risk of their information being used for spam and phishing attacks.

Epsilon is one of the world’s largest “provider of multi-channel marketing services” and claims to have 2,500 clients, including 7 of the Fortune 10. These clients in the words of Epsilon “trust Epsilon to build and host their customer databases”.

It is believed that Best Buy, TiVo, Walgreens, Capital One, JP Morgan, Citigroup and Kroger are among the 2,500 clients of Epsilon who are likely to have been affected.

It is expected that Epsilon’s clients will issue warnings about the loss of data. This in itself will be part of the problem, because as businesses seek to protect their reputations they will become spammers by sending unwanted emails.

Then there is the potential for the hackers to introduce phishing attacks disguised as the legitimate business trying to protect its brand, for example, “sorry we lost your information, can you please update your details here…”

Epsilon’s press release is here.

Smartphone users at risk of ID Fraud


Credit reference agency Equifax has recently released its research into the implications of Smartphone Theft on Identity Fraud.

The findings of the research are very interesting, as they show how cavalier Smartphone owners are with their information and identity.

The highlights of the research are below:

  • 94% of consumers fear identity fraud and theft yet many keep too much personal data on mobile devices
  • 54% of second-hand phones contain personal data including texts, emails and even banking details. Identity fraud expert Equifax is urging consumers to think about what personal data they store on their mobile phone and to ensure they delete all data from both the phone and SIM card before recycling or selling it
  • 40% of smartphone users also don’t use the passcode function, leaving them vulnerable to ID fraud. And this jumps when looking at the younger generation that have most embraced the new technologies
  • 62% of 22-25 year olds use their smartphone to regularly check their online banking. Yet despite fears about identity theft, 69% do not use a passcode function on their phone
  • 35% admit to regularly clearing their browsing history after they use online banking. It’s also this generation where there’s probably more chance of them having personal items stolen when out shopping or in bars and clubs, making them the perfect target for fraudsters

The following advice is given to smartphone users:
  • Always use the PIN function on your handset
  • Don’t store reminders of passwords on your phone
  • Think about which accounts you access from your phone – would it be better to wait until you’re at the security of your home
  • Wipe browser history, especially if reviewing online banking
  • Keep an eye out for malicious software masquerading as apps
  • Keep your smartphone safe at all times
  • Delete all personal information from the phone and the SIM card before recycling or selling your phone

Read the full press release here.

