By Julie Conroy McNelley, Aite Group

Mobile: The Next Fraud Frontier

Financial institutions will need to take a layered approach to security as the increasing consumerization of tablets, smartphones and other mobile devices introduces more fraud risks and malware concerns.

It has only been four years since the iPhone revolutionized the consumer smartphone market, but the expectations for rich consumer experiences and real-time fulfillment have grown exponentially in that time. The market has seen the increasing consumerization of devices, where the boundaries between devices used for personal and business purposes have been erased. The introduction of tablet-based computing further blurred the lines between the computer and mobile experiences. All of this is a boon to consumers, but introduces a new frontier for fraud risks, which keeps many financial institution (FI) fraud prevention executives tossing and turning at night.

Bank Systems & Technology examines the rapid take-up of the mobile channel, the parameters of the security challenge, the common approaches taken by financial institutions to combat fraud, and the overall benefits of a multi-layered, multi-factor approach to mobile security and fraud prevention. To read more, download our special report.

Today, the mobile banking environment is pretty well locked down in terms of capabilities, and few FIs are experiencing much in the way of mobile fraud. This will change as mobile banking adoption continues to rise and higher-risk functionality is rapidly deployed to the mobile channel (e.g., person-to-person payments, mobile business banking, and remote deposit capture). Aite Group interviewed 24 risk executives from financial services firms in November 2011 to gauge the current sentiment toward the mobile channel[1]. Eighty-eight percent of executives interviewed believe that mobile fraud will be the financial services industry’s next big point of exposure, as shown in the figure.

Part of the reason for this is the fact that consumers still do not treat their mobile device like the tiny little computer that it is. According to a 2011 study by Consumer Reports, only 20 percent of consumers have any type of password security on their phone. Consumers are all too willing to download apps of unknown provenance from the app store, and rogue apps are increasingly prevalent. Credential-stealing malware has made inroads into the mobile device, with the strains of malware targeting the Android OS alone jumping 76 percent between Q1 2011 and Q2 2011[2]. The denominator is still small, with only 1,800 known unique strains of malware in mobile as of Q3 2011, versus over 75 million unique strains of malware in the online environment. Some of these strains are already leveraging the unique properties of the mobile device; there are at least two known strains of malware on the Android OS which have proved capable of recording voice conversations and sending them back to the cybercriminals’ command and control center. As more transaction volume and high-risk functionality is ported to the mobile device, it will be an increasingly attractive target for malware, and the intensity of the attacks will increase proportionally.

To prepare for these threats, financial institutions are taking a lesson from the online environment and deploying a layered approach to security. Indeed, the mobile channel is considered within the scope of the June 2011 FFIEC guidance that a layered, risk-based approach be used to secure “high-risk” transactions. Even though the title of the guidance solely references “online authentication,” the definition of high-risk transactions is “electronic transactions involving access to customer information or the movement of funds to other parties,” and mobile is considered in scope as regulators begin their initial round of examinations.


Many FIs are leveraging their lessons learned from the online environment, and applying technologies such as complex device fingerprinting, behavioral analytics, and anomaly detection to the mobile platform. These technologies have the added benefit that they can easily support an integrated strategy that examines the customer’s behavior patterns across both the online and mobile channel. However, some technologies don’t port quite as well. Out-of-band authentication (OOBA), which has proved to be a useful approach to stepped-up authentication in the online environment, does not work quite as well in the mobile channel. For one thing, the inherent value in out-of-band authentication is proving that the end user is in possession of two known and trusted devices. A call or SMS to a mobile phone to verify a mobile banking transaction taking place on that same device does not offer the same level of multi-factor authentication. That issue aside, there are technical challenges as well, in that some mobile operating systems do not support voice calls while the customer is engaged with an app, and accepting the OOBA call results in the termination of the mobile banking session.
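The layered, risk-based decision described above can be sketched as a small risk engine. The following is an added illustration, not code from the article, from Aite Group or from any bank: it scores a transaction on three layers (device fingerprint, payee novelty, behavioral amount anomaly) and, when step-up is needed, selects an out-of-band channel only if that channel terminates on a device other than the one running the session. Every threshold, device fingerprint and customer record is a constructed, hypothetical value.

```python
# Added example of a layered, risk-based step-up decision for a banking
# transaction. Thresholds, fingerprints and the sample customer are all
# constructed for illustration; nothing here is a real bank's logic.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class CustomerProfile:
    customer_id: str
    trusted_devices: set      # fingerprints of devices enrolled by the customer
    oob_contacts: dict        # OOB channel name -> fingerprint of the device it reaches
    known_payees: set         # payees the customer has paid before
    past_amounts: list        # recent transfer amounts, for behavioral baselining


@dataclass
class Transaction:
    customer_id: str
    channel: str              # "online" or "mobile"
    device_fingerprint: str   # fingerprint of the device running this session
    payee: str
    amount: float


def risk_score(profile, txn):
    """Layer the signals: unrecognised device, new payee, amount far outside the
    customer's historical pattern. Returns (score, reasons)."""
    score, reasons = 0, []
    if txn.device_fingerprint not in profile.trusted_devices:
        score += 40
        reasons.append("unrecognised device fingerprint")
    if txn.payee not in profile.known_payees:
        score += 30
        reasons.append("new payee")
    if len(profile.past_amounts) >= 3:
        mu = mean(profile.past_amounts)
        sd = pstdev(profile.past_amounts) or 1.0   # avoid division by zero
        z = (txn.amount - mu) / sd
        if z > 3:
            score += 30
            reasons.append(f"amount {z:.1f} standard deviations above typical")
    return score, reasons


def choose_step_up(profile, txn):
    """Pick a second factor. An out-of-band call or SMS only proves possession
    of a *second* device if it reaches a device other than the session device;
    otherwise fall back to an in-app factor rather than a same-device OOB."""
    for channel, device in profile.oob_contacts.items():
        if device != txn.device_fingerprint:
            return channel
    return "in-app-biometric"   # hypothetical fallback factor


def decide(profile, txn, threshold=50):
    """Allow low-risk transactions; require a genuine second factor otherwise."""
    score, reasons = risk_score(profile, txn)
    if score < threshold:
        return {"action": "allow", "score": score, "reasons": reasons}
    return {"action": "step_up", "factor": choose_step_up(profile, txn),
            "score": score, "reasons": reasons}


def sample_profile():
    """Constructed customer: phone and laptop enrolled, but every OOB contact
    (SMS and voice) is delivered to the phone."""
    return CustomerProfile(
        customer_id="cust-001",
        trusted_devices={"dev-phone-A", "dev-laptop-B"},
        oob_contacts={"sms": "dev-phone-A", "voice": "dev-phone-A"},
        known_payees={"utility-co", "landlord"},
        past_amounts=[50.0, 60.0, 55.0, 65.0, 45.0],
    )


if __name__ == "__main__":
    p = sample_profile()
    # Large transfer to a new payee from the phone: OOB would hit the same device.
    print(decide(p, Transaction("cust-001", "mobile", "dev-phone-A", "new-payee-xyz", 500.0)))
    # Same transfer from the laptop: SMS to the phone is a real second device.
    print(decide(p, Transaction("cust-001", "online", "dev-laptop-B", "new-payee-xyz", 500.0)))
```

Run as a script, the first decision steps up with the in-app fallback because both registered OOB contacts reach the very phone running the mobile session, while the second decision steps up via SMS because the laptop session and the phone are distinct devices. The same profile serves both channels, which is the cross-channel view the paragraph recommends.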

Biometrics is a technology that many believe has promise in the mobile environment. The phone’s camera can enable facial recognition, fingerprint biometrics, and even signature biometrics. The phone’s microphone enables voice biometrics, and newer apps such as the one recently deployed by E*Trade, in which voice interaction is an inherent element of navigation, allow a voice biometric component to be integrated with minimal friction for the consumer. While the application of biometrics to the mobile channel is still a nascent concept, a handful of FIs are experimenting in this area, and most believe biometrics will be a necessary element of an effective layered solution.

Many banks are also embedding security directly in the banking apps that consumers are willingly installing on their phones. With an effective strategy of layered technologies, along with customer education, the mobile platform actually has the promise of being a more secure operating environment. However, as the industry learned with the online channel, cybercriminals are nimble and innovative, and banks will need to continue to evolve their protection strategies across all channels to keep pace.

Julie Conroy McNelley is the research director at Aite Group.
