Ai Editorial: Use of app cloners and machine learning rises in mobile commerce fraud

First Published on 17th September, 2018

Ai Editorial: Considering the growth of mobile commerce, it is imperative for travel merchants to assess how fraudsters are crafting new techniques and tools for executing fraud through mobile devices, writes Ai’s Ritesh Gupta


Merchants can’t ignore mobile commerce. In fact, it doesn’t come as a surprise to see the way travel merchants are enhancing their apps with digital features and capabilities. The consumer is mobile and interconnected across multiple devices, shopping and switching from one to the other.

Shopping via mobile devices is flourishing. The growth rate is faster in certain countries, with China leading the way (m-commerce reached 93% of all e-commerce sales last year in China). In the U.S., an estimated 30% of all online sales are made on mobile devices. In Europe, transactions on mobile and desktop are estimated to be split 50-50. But with retailing now mobile-first in most parts of the world, is there a threat that travel merchants are ignoring?

“A new mobile commerce-related fraud technique that we found has emerged is the use of app cloners and machine learning techniques to create synthetic device identities,” says Justin Lie, CashShield’s CEO.

Mobile and synthetic identity fraud

Synthetic-identity fraud has already been described as the fastest-growing form of identity theft in the U.S., according to the Department of Justice, as reported by in June this year. This kind of theft involves constructing a false identity using either fabricated or valid elements, such as a Social Security number, name, address, date of birth etc. As we highlighted in one of our articles this year, it is often not identified as fraud and the crime can go undetected for an indefinite period.

Even cloning has proven to be an issue for those who have been trying to control mobile device fraud.

For instance, a SIM swap attack in which a mobile number is hacked remains a problem. The fraudster takes control of a legitimate mobile user’s text messages, calls etc. Then login credentials are obtained through social engineering, phishing, an infected downloaded app etc. Reverse engineering mobile apps and adding malicious code to them has also been around for a while.

As for how app cloners are being used in a malicious way, Lie shared, “Using app cloners, fraudsters can masquerade as multiple users to trick systems since the different transactions or logins will be detected as unique devices.”

Swift response

In one of its recent blog posts regarding mobile bank fraud, Microsoft Azure stressed the significance of latency and response time when it comes to fraud detection. The team mentioned that the time taken by a bank to respond to an illegitimate transaction “translates directly to how much financial loss can be prevented”. Detection and response need to happen within a mere two seconds.

“This means less than two seconds to process an incoming mobile activity, build a behavioral profile, evaluate the transaction for fraud, and determine if an action needs to be taken,” recommended the blog.

In this context, as Lie also stated, machine learning can be used to identify such new forms of fraud.

“For instance, whether or not an app cloner has been used may be collected and analyzed as one of the data points, in addition to the other various data points that will be analyzed to identify hidden patterns between the same transactions by the same fraudster,” mentioned Lie.

Making the most of signals

As for which signals are considered for transactions coming from mobile, both with respect to previous purchases and for pattern recognition of possible future or unknown attacks, Lie indicated that rather than focusing on the signals for fraud, the company often tends to focus on signals that may point to positive, genuine behavior of the user making the transaction. For example, if the user chooses to connect with social media, the transaction is more likely genuine, as most fraudsters who want a quick exit would not bother connecting with social media when making transactions.

“However, such signals are not necessarily accurate in pointing out fraud - a more sophisticated fraudster might put in more effort to imitate a genuine user, and connect with social media just to trick the system. Therefore, what is more important in identifying unknown attacks would still be to use real-time pattern recognition to draw patterns between incoming transactions, and identify coordinated fraud patterns,” added Lie.

