3 burning questions about mobile security, answered

You’re not alone if you feel pressure to improve the security strategies surrounding your organization’s mobile traffic. More and more frequently, our team at nudata is called upon to support clients in improving the security and user experience (UX) behind their mobile services, most often to complement existing desktop practices. Based on these interactions, we’ve curated a list of common questions that seem to be on decision-makers’ minds — and potentially yours as well. 

woman sitting in a window looking at her phone

1. Why should I prioritize mobile security?

The first part of our answer to this question is simple — because mobile adoption continues to climb. There are more than 6 billion smartphone users on Earth today, and that number is only rising.

The second part of our answer is more nuanced. As online activity through mobile becomes even more popular and widespread, governments have enacted stricter privacy laws to protect consumer data. This is largely good news — nobody wants shady third-party groups accessing your personal information.

But when it comes to security, privacy regulations have unintended side effects. Now that laws restrict the mobile data companies can collect when consumers visit their sites, teams have less information available to validate good users and prevent fraud. That opens the door for intelligent fraudsters to take advantage of security gaps by launching all sorts of attacks — from application fraud to credential-stuffing schemes. This variety of approaches gives bad actors unauthorized access to user accounts.

Even on mobile apps that brands create and own, there are still barriers to accessing certain types of customer data. For example, branded apps are subject to the limitations manufacturers put in place on their mobile devices, which we all experience when our favorite apps prompt us to share access to our photos and contact information. As users, we’re in the position to accept or decline those requests — and sometimes our choice to keep information private affects a company’s security strategy downstream. If you’re relying on users to update mobile apps and transmit helpful information back to your servers, you may be waiting months — or even years — for that data to arrive. Look at your phone and be honest: How many of your apps are waiting for you to install updates?

By switching the privacy power dynamic away from companies and toward consumers (which is great), new regulations have given fraudsters more ways to hide (which is not so great).

So, what’s a company to do? Proactively design a mobile-first security strategy, that’s what.

2. What security factors should I consider when building a mobile-first strategy?

Developing a secure mobile experience takes more than copying and pasting your existing desktop security strategies, even if those tactics work perfectly fine on desktop. Besides the limitations on user data just mentioned, there are a few other unique mobile considerations to keep in mind when building your strategy. Your mobile fraud strategy must interact back and forth across mobile and desktop devices and spot fraudulent occurrences at all interaction points.

Here are a few elements to note:

  • Avoid cumbersome mobile authentication. Consumers demand streamlined, seamless experiences everywhere — but especially on mobile devices. Mobile users expect the ability to open new accounts, make purchases, and do almost anything else with a quick click of a button. With security risks on the rise and mobile user data dwindling, many companies pile on new security measures like multi-factor authentication (MFA) to supplement traditional tactics and authenticate users. Is MFA effective? Yes — until cybercriminals step up their game. At the same time, protections like MFA have a big downside: added friction. Interrupting users to ask for an MFA code each time they log on is hardly seamless and streamlined. By contrast, solutions like behavioral biometrics and behavioral analytics can verify users in the background without requiring additional steps. These solutions help you know your users better — how they hold their devices, what time of day they log on, how many times they inaccurately enter passwords on average, and more. Prioritizing passive solutions helps you protect mobile users without getting in their way as behavioral security tools flag suspicious users deviating from known patterns.
  • Ensure you’re looking at the correct data. As noted earlier, a major question mark for brands is how to replace the customer data they’ve lost access to as privacy standards tighten. A key missing data piece is around device identification. Companies often rely on identifiers like device ID, device fingerprint, and device user-agent to recognize a returning device and associate it with individual users/accounts. This method leans on details about mobile technology like the phone’s make, model, and IP address. While companies can still access most of this information in many instances, you can no longer rely on device identification tactics alone to recognize users and prevent mobile fraud. Mobile usage also makes device identification more complicated, because the datasets and parameters important to mobile devices differ from those common to desktop. As a result, the fraud rules you write for mobile should look unique, including which identifiers you source and how you gather that information. For example, while an IP address is available on both mobile and desktop devices, you should treat that device ID differently in each environment. While a desktop IP address is a useful user verification method, a mobile IP address can be shared across multiple users at the same time on a public Wi-Fi network (or even at home). That makes IP addresses less helpful for establishing trust on mobile devices.The same rule applies when incorporating behavioral biometrics and behavioral analytics solutions. On a desktop device, these tools may monitor how users move the mouse and strike the physical keyboard; on a mobile device, focus could shift to accelerometer movements and other touch events. Again, different data sets require different security strategies.

 

  • Account for rooted and jailbroken devices. When you stroll into your local Apple Store to purchase a new iPhone, the device you receive is all yours — with certain limitations, of course. Your device is locked down, meaning you can install approved apps from the App Store and make customizations, but only within the provided parameters.However, there’s a growing segment of mobile users — called power users — who jailbreak their devices, which allows them to install apps from unauthorized sources and make other unapproved device customizations. Jailbroken devices show distinctive patterns in their device information that raise red flags for security tools. While many power users are fraudsters, good users sometimes jailbreak devices, too. At the same time, consider how different mobile device providers require unique security approaches because a user’s ability to adjust their phone settings differs across providers (for example, Apple and Samsung). This presents a complex security tightrope and leaves many risks unaddressed if you cannot distinguish between trusted and fraudulent mobile interactions.Especially when it comes to mobile security, be proactive with your approach and develop measures that operate in the background regardless of user’s device type. The most effective security strategy bundles behavioral and device attributes. This multilayered approach mitigates false positives and reduces user friction while keeping fraud-capture rates high.

3. Where should I start with mobile security?

If you’re feeling overwhelmed by all of this information, don’t stress — securing mobile channels is complex and needs are always changing.

A good first step for improving security across your organization’s mobile traffic is to review the mobile fraud strategies you already have in place, if any. Identify vulnerabilities within those plans, with an eye toward how your tactics will hold up as device and privacy regulations evolve. If you’re relying on a small set of data elements now, what information might you lose access to if consumer privacy protections expand in the next few years? If new privacy legislation went into effect tomorrow, what kind of fraud strategy would you be left with? 

Think through these questions now — or work with a security partner to find answers. Look for a partner experienced in the mobile devices your users prefer and capable of evolving alongside emerging fraud strategies and operating systems. Ongoing support offers a foundation to continue getting to know your good users, whatever new threats come your way.