
Banking Industry Proactively Developing Anti-Fraud Measures for Mobile

The industry, having experienced so many online attacks, is proactively developing strategies and solutions for mobile fraud – many of which have been on display at BAI Payments Connect.

Fraud hasn’t hit the mobile channel hard yet, but industry experts expect that it will as mobile adoption and mobile payments capabilities increase. The industry seems to be heeding the experts’ warning, as many solutions and strategies are being discussed here at BAI Payments Connect to address the coming wave of mobile fraud.

“Banks and vendors are being proactive [about mobile fraud]. At least for the online [fraud] experience they know to strategize before mobile fraud hits,” Michael Braatz, senior vice president and product line manager at ACI Worldwide, said in an interview yesterday.

Fraudsters have already developed means to attack mobile devices. “These [mobile devices] are being targeted. We’re seeing Zeus, Citadel and other malware making their way to mobile. We need to get the word out and develop anti-malware software [for mobile],” Al Pascual, senior analyst for security, risk and fraud at Javelin Research and Strategy, said during a panel session Monday morning about the top issues in mobile fraud. Pascual urged that more anti-malware software needs to be developed for mobile devices, particularly for iOS, which doesn’t have anti-malware available for its devices. Pascual also said that geo-location tracking gives banks a technology they can use - and that customers are comfortable with - to prevent fraud. “When customers know that [geo-location tracking] will make them safer, they like it. There is value there for mobile commerce and mobile wallets,” Pascual noted.

Voice biometrics have also been talked about a great deal during the conference as a means to counter criminals. “Voice in our opinion is the best biometric [defense],” John Petersen, global head of business development for Validsoft, an authentication solutions provider, said yesterday in an interview. “It’s the only biometric that works across all channels, including the call center.” Validsoft showed off its own biometric authentication method for mobile at the conference. Petersen explained that it’s very difficult for fraudsters to break a voice biometric. If they try to replay a recording of the customer’s voice, the frequency of the recording drops, which Validsoft’s system can detect. And the company has built a voice blacklist of known fraudsters that they can check a customer’s voice against to verify the customer is not a known fraudster.

Validsoft has partnered with Spindle, a mobile wallet provider, to use this technology to ensure secure enrollment in mobile wallets. Many mobile wallet solutions don’t have secure enrollment processes, Petersen said, meaning there is no way they can know if it is really the customer who is attaching their card to the digital wallet, and not a fraudster.

As data and analytics have emerged as a major tool in the fight against online fraud, they can be used in the mobile channel as well. Banks should look to use the same transaction monitoring strategies they use now online to protect their mobile customers, said Tiffany Riley, VP of marketing for Guardian Analytics, which uses big data and analytics in its solutions for monitoring online transactions. “You can’t totally rely on [securing] the device. You can’t totally lock down the device,” she explained. “A lot of best practices from online banking apply to mobile. Banks need to build a strategy accordingly to monitor behavior.”

Many options and capabilities are being discussed to secure mobile against fraud in the future. Banks can’t afford to wait on the sideline for fraudsters to migrate to fraud, Riley said: “Mobile fraud will come hard and fast. You have to be proactive in developing the ability to react to that.”

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

3/13/2013 | 5:40:56 PM
re: Banking Industry Proactively Developing Anti-Fraud Measures for Mobile
It is kind of amazing that there have not yet been any (significant) (reported) instances of mobile banking fraud. I'm sure that's partly because banks have been proceeding with caution. This may also be an area where the regulators get involved, e.g., the CFPB potentially playing a role in setting guidelines/requirements to protect consumers who are using mobile banking/payments.