Mobile payments adoption can gain a significant boost if customers are sure that it is secure, but increased adoption will also create new opportunities for fraudsters, which banks - and customers - must be prepared for.
One of the biggest areas of growth for 2013 is shaping up to be in mobile commerce, with the consumer becoming increasingly receptive to new, ever more convenient ways of shopping, banking, stock trading, and so on. But right alongside all the new conveniences will be many new opportunities for cyber crime. The risks that come with mobile commerce and payments include phone-based fraudulent communications such as text message scams and the trade-off between security and accessibility, with human nature playing a cameo role in all of these scenarios.
Those of us in the mobile payments space need to help consumers understand the dangers that lurk in the new payment methods: is that payment text message really coming from your actual bank? Is that app the genuine bank app? Is that link a genuine link? As online consumers, we tend to act without forethought. Click first, think later. And we want to be trusting souls, so fraudsters easily play to our gullibility. Or we’re apathetic, so we don’t check first. New payment methods simply create more opportunities for criminals to prey on our human frailties.
In the case of mobile offers and payment forms, exploitation of the devices and operating systems is actually executed by the user, even though it’s driven by the criminal. Would-be fraudsters need to somehow trick us into installing or accessing something we shouldn’t. The Eurograbber Trojan recently affected European banks that use SMS message codes as a second authentication factor for online banking. And therein lies the apathy problem: the banks’ customers thought they were using a cutting-edge level of security, whereas in fact they were being compromised, and millions of dollars were stolen. The success of the criminal campaign hinged on the user blindly following instructions without question and doing something they shouldn’t have: clicking a phishing email, installing a desktop Trojan, and later being duped again into installing a smartphone “security upgrade,” which in reality installed the smartphone Trojan. So, unwittingly, the user now has an infected desktop and an infected smartphone, and the criminal is all set.
Security is always counterbalanced by accessibility. To make something ultra-secure you have to make it pretty much inaccessible, which is why Apple’s platform is widely considered more secure than Android’s -- simply because it is less accessible, opting for a closed operating system and a walled garden App Store versus an open operating system and web-based app marketplace.
The Near Field Communications (NFC) platform, with its much-touted inherent security, also seems to offer an exciting range of new opportunities for businesses and consumers alike. But again, that means a parallel range of opportunities to exploit our curiosity and desire to use new forms of technology. Sideloading – the passing of data from device to device – could become a new threat if the user has downloaded a malicious app, for example – and one where you may unwittingly have sat down right next to the criminal in a coffee shop!
In addition to helping customers become more aware of the risks, those banks not already doing so should be providing some practical advice on how to increase their vigilance against these threats. Probably the most important piece of education is that the bank will not ask for any personal information before the customer is fully logged into the bank itself, and that there’ll be a multi-factor login to get the customer to that point. At one point or another, we’ve all received emails or text messages from scammers pretending to be our bank, asking us to change passwords or requesting personal information. Customers should know that these communications are almost certainly scams.
Mobile and online consumers can stay one step ahead of the fraudsters by asking themselves a few questions and exercising some common sense. Is this a genuine email or a phishing email? Does my bank usually send me SMS messages for any reason? In addition, customers should be sure to download the bank’s mobile application (app) to be sure they are visiting their own bank and not a fraudulent site. Online banking sites should not be set to automatically log in – if the mobile device is stolen, the thief could potentially access the account and transfer funds or make payments. Banks should advise their customers to be suspicious. If something apparently valuable is “free,” ask yourself why -- and if you have even the slightest suspicion, don’t download! Always exercise caution: our advice is “if something appears too good to be true, it almost certainly is.”
Notably, we are entering a new chapter of the Internet, wherein the new gTLDs (generic Top Level Domains), that is, the domain name suffixes, can serve as a form of trusted platform or venue. Customers who bank with a financial institution that has applied for a gTLD that bears its own name, such as .chase, will have that much more reason to trust going to any .chase domain, no matter what. In the U.S., Chase has applied for .chase and Bank of America has applied for .bofa. Correctly applied, these gTLDs will give Chase and Bank of America a significant leg up in terms of trust online, and in turn could become a key trust differentiator.
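The trust argument above only holds if the check is done on the right part of the host name: a phishing page at chase.example.com or at a URL of the form https://login.chase@evil.example/ contains the brand name but is not under the .chase gTLD. The following Python is an added example, not code from the article or from either bank, showing how a banking app or browser extension could enforce that rule. The allow-list of brand gTLDs and the sample URLs are constructed for the example; the article names .chase and .bofa as applied-for gTLDs but says nothing about how either bank's software would use them.

```python
from urllib.parse import urlsplit

# Constructed allow-list for this example: brand gTLDs the client trusts.
# The article names .chase and .bofa as applied-for gTLDs; whether a bank
# ships such a list in its app is an assumption of this example.
TRUSTED_BRAND_TLDS = {"chase", "bofa"}


def host_is_under_brand_tld(url: str) -> bool:
    """Return True only when the URL is HTTPS and its host name's rightmost
    label is a trusted brand gTLD.

    urlsplit().hostname strips any userinfo ("login.chase@evil.example" ->
    "evil.example") and port, and lower-cases the result, so lookalike
    constructions that merely contain the brand name are rejected.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed URL (e.g. bad IPv6 literal): treat as untrusted.
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname
    if not host:
        return False
    labels = host.rstrip(".").split(".")
    # A bare TLD or an empty label (e.g. "login..chase") is not a valid site.
    if len(labels) < 2 or any(label == "" for label in labels):
        return False
    return labels[-1] in TRUSTED_BRAND_TLDS


def classify(urls):
    """Map each URL to True (under a brand gTLD) or False (do not trust)."""
    return {u: host_is_under_brand_tld(u) for u in urls}


if __name__ == "__main__":
    # Constructed sample links of the kind a customer might receive by SMS.
    sample = [
        "https://login.chase/",
        "https://online.bofa/accounts",
        "https://www.chase.example.com/login",      # brand name, wrong TLD
        "https://login.chase@evil.example/",        # brand name in userinfo
        "http://login.chase/",                      # not HTTPS
        "https://chase",                            # bare TLD, no site
    ]
    for url, ok in classify(sample).items():
        print(f"{'trusted  ' if ok else 'untrusted'}  {url}")
```

The check deliberately refuses plain HTTP even under the brand gTLD, since an attacker on the same coffee-shop network could otherwise rewrite the page; pairing the gTLD check with HTTPS is what makes "any .chase domain" a safe rule for customers to follow.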
In sum, banks will only see a rise in adoption of mobile commerce when they are better able to address their account holders’ very understandable fears around security. The best way to speed up the adoption cycle so that everyone benefits from the convenience of mobile banking is to make it as difficult as possible for the scammers to get the better of your customers. That boils down to helping them, customer by customer, know the difference between a scam and the real thing. Otherwise, the adoption curve will likely remain slow.
Luge Pravda is Senior Vice President at NetNames USA, which specializes in protecting online brands from cyber crime.