Nexmo logoIn a mobile-first world, SMS is proving to be one of the most essential tools for businesses. From its critical role in communicating with customers globally to providing top security, this series produced by Nexmo explores key aspects of SMS that many organizations may be unaware of. See all the posts here.

It’s hard to read the news these days without hearing about another data breach. When private information goes missing, companies end up paying big money to set things right and reclaim their good name. Yet, even with those high stakes at risk, a recent study by IBM showed mobile app developers are not investing enough into security.

According to the study, nearly 40 percent of large companies, including many of the Fortune 500, don’t take the right precautions in securing the apps they build for customers. The reason why: more than three-quarters of those interviewed claimed speed to market was the primary reason they left the door open for hackers.

How hackers abuse the system

Hackers use a few predictable tricks for getting a foot in. Many of these tricks involve posing as actual users of an app or taking over someone’s account. Let’s look at a few examples.

1. Spamming social networks
Email used to be the inroad to phishing schemes. Now hackers set their sights on social networks. By setting up fake accounts, spammers send out friend requests and use sharing features to bait people with malicious links. Clicking on a link triggers activities that range from downloading malware to stealing personal information.

Clickjacking is one example. This scheme disguises malicious code as legitimate looking buttons. On Facebook, it’s called Lifejacking, and it works like this. You see a link on your newsfeed a friend has allegedly shared or liked. When you click on the link, it takes you to another page that asks you to complete a simple action, like click on a button to confirm you are over 18. When you do this, the link gets added to your Facebook newsfeed, indicating you ‘liked’ the site. Your friends see you liked the site, they click on it, and the cycle continues.

2. Referral fraud on gaming apps
Referral fraud happens when abusers take advantage of a reward system within a game. As a typical scenario, the game offers some virtual goody to users who refer a certain number of friends. Scammers game this by using bots to create multiple fake user accounts to amass referral rewards, which they can use to sell accounts to other players and earn real money. The bots negatively affect players and their game experience.

3. Account takeover and resale
When customer accounts get hacked, companies pay the price. Recently, Netflix, Spotify, Sky Go, and Hulu experienced a wide-scale security breach. Their customer accounts were offered for sale on eBay for as little as $2. This type of fraud results in chargebacks, higher customer care costs and loss of customers.

On social networking sites, cyberthieves hack into people’s accounts and exploit the implicit trust between users to lure victims to malicious websites. Or they dig up personal information on users valuable for identity theft or driving targeted spam campaigns.

Hacking into an email account can wreak even more havoc. Recently Adam Draper, who runs an accelerator for Bitcoin, lost $50,000 when someone broke into his Gmail account.

2FA: the ultimate protector

The best way to combat data breaches like these is to make sure hackers never get in the door. When a user signs up for a new account or into an existing account, it’s critical to verify his or her identity.

The best way to do this is using a process called two-factor authentication (2FA). The technique requires that, in addition to entering a regular static password online, users must also enter a randomly generated PIN sent to their mobile phone as an SMS text message. We covered some examples of 2FA in a previous article.

Phone numbers are the ultimate way to verify users for several reasons. Number one, phone numbers are difficult to fake. To get a mobile phone number, you have to obtain a SIM card or a number issued by a carrier. Virtual numbers, if spammers try and use them, are easy to spot and block using a service such as Nexmo Verify. And if your phone does go missing, you can call your carrier and have them lock the account.

To set up your 2FA system, make sure you follow the best practices outlined in RFC 6238. A PIN needs to work for only a short period of time. That way, no one will be able to find the code unless they have the phone in front of them. A failover system is also important. If your user doesn’t receive the PIN on the first attempt, allow him or her to request a second PIN or use a separate channel such as voice to receive the PIN.

Mainly, when you send a PIN, you want to make sure it gets delivered reliably and on time, otherwise, the end-user may abandon the process. Look for a reputable phone verification solution with global coverage that is well integrated with carriers in all areas of the globe.

When it comes to protecting your mobile app, 2FA is a big security win. Ease of integration combined with the fact your users don’t need proprietary hardware — everyone carries their phone with them these day — makes 2FA a reliable, affordable way to secure customer data.

Sponsored posts are content that has been produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. The content of news stories produced by our editorial team is never influenced by advertisers or sponsors in any way. For more information, contact