It has only been four years since the iPhone revolutionized the consumer smartphone market, but the expectations for rich consumer experiences and real-time fulfillment have grown exponentially in that time. The market has seen the increasing consumerization of devices, where the boundaries between devices used for personal and business purposes have been erased. The introduction of tablet-based computing further blurred the lines between the computer and mobile experiences. All of this is a boon to consumers, but introduces a new frontier for fraud risks, which keeps many financial institution (FI) fraud prevention executives tossing and turning at night.
Today, the mobile banking environment is fairly well locked down in terms of capabilities, and few FIs are experiencing much in the way of mobile fraud. This will change as mobile banking adoption continues to rise and higher-risk functionality is rapidly deployed to the mobile channel (e.g., person-to-person payments, mobile business banking, and remote deposit capture). Aite Group interviewed 24 risk executives from financial services firms in November 2011 to gauge current sentiment toward the mobile channel [1]. Eighty-eight percent of the executives interviewed believe that mobile fraud will be the financial services industry's next big point of exposure, as shown in the figure.
Part of the reason for this is that consumers still do not treat their mobile device like the small computer that it is. According to a 2011 Consumer Reports study, only 20 percent of consumers use any type of password protection on the phone. Consumers are all too willing to download apps of unknown provenance from app stores, and rogue apps are increasingly prevalent. Credential-stealing malware has made inroads onto the mobile device, with the number of malware strains targeting the Android OS alone jumping 76 percent between Q1 2011 and Q2 2011 [2]. The denominator is still small: roughly 1,800 known unique strains of mobile malware as of Q3 2011, versus more than 75 million unique strains in the online environment. Some of these strains already exploit the unique properties of the mobile device; at least two known Android strains have proved capable of recording voice conversations and sending them back to the criminals' command-and-control server. As more transaction volume and high-risk functionality is ported to the mobile device, it will become an increasingly attractive target for malware, and the intensity of the attacks will increase accordingly.
To prepare for these threats, financial institutions are taking a lesson from the online environment and deploying a layered approach to security. Indeed, the mobile channel falls within the scope of the June 2011 FFIEC guidance requiring a layered, risk-based approach to securing "high-risk" transactions. Even though the title of the guidance refers only to "online authentication," it defines high-risk transactions as "electronic transactions involving access to customer information or the movement of funds to other parties," and regulators are treating mobile as in scope as they begin their initial round of examinations.
[Securing Mobile Payments On the Go.]
Many FIs are leveraging lessons learned from the online environment and applying technologies such as device fingerprinting, behavioral analytics, and anomaly detection to the mobile platform. These technologies have the added benefit of supporting an integrated strategy that examines the customer's behavior patterns across both the online and mobile channels. Some technologies do not port as well, however. Out-of-band authentication (OOBA), which has proved a useful approach to stepped-up authentication in the online environment, works less well in the mobile channel. The inherent value of OOBA is proving that the end user is in possession of two separate known and trusted devices. A call or SMS to a mobile phone to verify a mobile banking transaction taking place on that same phone collapses both factors onto one device: if the handset is compromised, the malware that captured the credentials can also read the one-time code, so the challenge adds little real assurance. There are technical challenges as well: on some mobile operating systems an incoming voice call suspends the foreground app, so accepting the OOBA call terminates the mobile banking session.
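The layered approach and the same-device OOBA caveat described above, as an added toy example (this is illustrative code written for this page, not code from the article or from Aite Group). The fingerprint hashes, the account history, the enrolled phone and the risk thresholds are constructed assumptions; a real engine would take these from the fingerprinting and analytics systems the text mentions.

```python
"""Layered risk scoring for a mobile-banking transfer, with the same-device
out-of-band caveat: an OOB code sent to the phone that is running the
session counts as one factor, not two.

Added example, not code from the article or Aite Group. Every fingerprint,
amount, payee and threshold below is constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

HIGH_RISK_AMOUNT = 1000.0   # hypothetical cut-off for "high-risk" transfers
STEP_UP_RISK = 40           # hypothetical risk score that triggers step-up


@dataclass(frozen=True)
class Session:
    user: str
    device_fp: str   # hypothetical fingerprint hash of the device running the app
    channel: str     # "mobile" or "online"


@dataclass(frozen=True)
class Transfer:
    amount: float
    payee: str


# Constructed per-user profile: devices seen before, past transfer amounts,
# known payees, and the fingerprint of the phone enrolled for OOB challenges.
PROFILES = {
    "alice": {
        "devices": {"fp-iphone-a1", "fp-laptop-a2"},
        "amounts": [40.0, 55.0, 120.0, 60.0, 80.0, 45.0],
        "payees": {"electric-co", "landlord"},
        "oob_phone_fp": "fp-iphone-a1",
    },
}


def device_risk(profile, session):
    """Device fingerprinting layer: an unseen device on any channel is a signal."""
    return 0 if session.device_fp in profile["devices"] else 40


def behavior_risk(profile, transfer):
    """Anomaly detection over the user's own history: outlier amount, new payee."""
    amts = profile["amounts"]
    mu, sigma = mean(amts), pstdev(amts) or 1.0   # avoid a zero-width band
    risk = 0
    if transfer.amount > mu + 3 * sigma:
        risk += 30
    if transfer.payee not in profile["payees"]:
        risk += 20
    return risk


def oob_factor_count(profile, session):
    """Independent factors proven if a code is sent to the enrolled phone.

    The password is one factor (something you know). The enrolled phone adds
    a second only when it is not the device running the session; a code texted
    to the handset the attacker already controls can be read by malware there.
    """
    return 2 if session.device_fp != profile["oob_phone_fp"] else 1


def decide(session, transfer):
    """Combine the layers into an allow / step-up decision."""
    profile = PROFILES[session.user]
    risk = device_risk(profile, session) + behavior_risk(profile, transfer)
    high_risk = transfer.amount >= HIGH_RISK_AMOUNT or risk >= STEP_UP_RISK
    if not high_risk:
        return {"action": "allow", "risk": risk}
    if oob_factor_count(profile, session) >= 2:
        return {"action": "step_up", "method": "oob_to_enrolled_phone", "risk": risk}
    # Same device as the OOB phone: require a factor that does not route through
    # it (a registered second device, a hardware token, a call to a landline on file).
    return {"action": "step_up", "method": "alternate_factor_required", "risk": risk}


if __name__ == "__main__":
    wire = Transfer(2500.0, "new-payee")
    for s in (Session("alice", "fp-laptop-a2", "online"),
              Session("alice", "fp-iphone-a1", "mobile"),
              Session("alice", "fp-unknown-x9", "mobile")):
        print(s.channel, s.device_fp, decide(s, wire))
```

The three sessions in the demo show the point of the caveat: the same transfer from the known laptop steps up to an SMS on the enrolled phone, from an unknown device it also steps up to that phone (which the fraudster does not hold), but from the enrolled phone itself the engine refuses to count the SMS as a second factor and asks for something else.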
Biometrics is a technology that many believe has promise in the mobile environment. The phone's camera can enable facial recognition, fingerprint biometrics, and even signature biometrics, and the handset's microphone makes voice biometrics possible. Newer apps, such as the one recently deployed by E*Trade, which makes voice interaction an inherent element of navigation, also allow a voice biometric component to be integrated with minimal friction for the consumer. While applying biometrics to the mobile channel is still a nascent concept, a handful of FIs are experimenting in this area, and most believe biometrics will be a necessary element of an effective layered solution.
Many banks are also embedding security controls directly in the banking apps that consumers willingly install on their phones. With an effective strategy of layered technologies and customer education, the mobile platform actually holds the promise of being a more secure operating environment. However, as the industry learned with the online channel, cybercriminals are nimble and innovative, and banks will need to keep evolving their protection strategies across all channels to keep pace.
Julie Conroy McNelley is the research director at Aite Group.