How mobile is transforming the banking industry and the fraud concerns with it, a Q&A with Mike Gross
Mike Gross is the director of risk strategy and professional services at 41st Parameter and has more than 10 years of experience in financial services fraud prevention and risk management. At 41st Parameter, Mike is responsible for identifying banking, ecommerce, and travel industry trends, highlighting emerging fraud threats, understanding client and partner risk management controls, and defining, implementing, and measuring the performance of new risk strategies for top global online brands. I sat down with Mike to discuss how the banking industry is changing to adapt to new mobile technology and the new forms of fraud that exist as a result.
Matt: Mobile is transforming the banking industry; what are the current fraud trends that banks and financial service companies need to be prepared for?
Mike: Current fraud trends in mobile include increasingly sophisticated malware and attackers capitalizing on banks providing new service offerings to consumers via mobile devices. As consumer adoption of smartphones and tablets continues to steam-roll PCs (nearly 50% of logins via native app at some of the largest US banks, according to 41st data), we’re seeing more fraudsters taking advantage of services like mobile deposit capture and peer-to-peer payment options in native applications and mobile websites.
The growth of mobile malware (especially within the Android OS) is also particularly concerning. While most malware is intended to capture user credentials, which can be used by attackers to log into accounts and cause victims financial damage, more recent sophisticated variants like Svpeng leverage standard features like SMS balance checks to complement typical phishing, keylogging, and ransomware capabilities.
Matt: What do you see as the next trend in fraud within the banking industry as the shift to mobile increases?
Mike: We haven’t seen much fraud originating from smartphones and tablets in comparison to PCs, but what we are seeing is the continued growth of mobile fraud. As services that directly target mobile users continue to expand, we will see more attacks because many features were designed for convenience and not for security. Here are some fraud trends within mobile banking:
- Mobile deposit capture has been a consumer hit from a service and convenience perspective, but it has also been a major concern at top banks because risk and security teams are often not closely aligned with marketing initiatives as they are being designed and developed. So risk mitigation teams are often left scrambling to fill security gaps in new app functionality rather than being closely consulted throughout the development of new mobile-specific offerings.
- Mobile malware is seeing a meteoric rise, and the sophistication and number of new variants are also troubling. Malware is the most common attack method to steal consumer information, whether that is through a phishing site that redirects users or some other scheme. For example, a consumer opens the banking app but is redirected to a phishing site that asks for account credentials as well as additional information like card number, PIN, SSN, etc. Another method is keylogging to capture login details. Almost every variant of malware leverages one of these methods for data and credential theft.
- Social engineering via emails, calls, links, etc. also continues to be a growing threat, as attackers are increasingly leveraging knowledge of relationships to make attempts more personal and legitimate-looking. The days of the Nigerian 419 and lottery scams with misspellings and no personalization are long gone. Today’s attacks often leverage personal information for the fraudster and look incredibly legitimate. As such, they can trick consumers into providing a few missing pieces of data that can be used to open accounts, transact online, etc.
Matt: As discussed, the ability to provide mobile money transfers is a very popular feature for mobile banking; what are the fraud risks with this option?
Mike: Most mobile money transfer services (either through banks or other applications enabling P2P transfers and bill payments) traditionally required the service to be set up online where there was more control and security in place to identify attacks. But those services are increasingly being expanded via native application enhancements.
In the past, consumers could send money via mobile phone, but they could only transfer funds to individuals who had been set up through the online channel as receivers / payees. Today, for added convenience, more functionality is being pushed to consumers and essentially allows account-to-account transfers with nothing more than a receiver’s e-mail address. This absolutely adds risk, and banks have added layers of phone-based step-up authentication controls to ensure that mobile transfers are not fraudulent. Obviously, this is a fraud concern and will continue to grow as an attacker MO, along with consumer wire and other transfer types.
Matt: How much have cybersecurity policies changed in the past few years within the banking industry?
Mike: There has been intense industry regulatory pressure, which has even grown recently in light of several data breaches with large point-of-sale stores, online retailers and other providers. Compromised data is free-flowing in the criminal underground, and unfortunately, no amount of regulation can completely address that problem. So organizations are left to protect themselves from a wide array of attack types where fraudsters often have pristine identity data and can answer basic out-of-wallet questions or pass standard authentication controls.
Obviously, pressure will continue around data security through PCI, encryption, EMV, and even tokenization for the retail and online community. But we’re finally starting to see regulatory attention given to security in the mobile channel as well. That’s been a major gap in previous guidance such as the FFIEC Online Guidance of 2005 and its update in 2011.
The most obvious and pivotal change, however, is that employing basic authentication methods to determine whether an individual really is who they say they are online is no longer acceptable. Regulators demand more and require that organizations deploy multiple strategies to prevent losses resulting from account compromises. This begins with basic know your customer (KYC) requirements, but often layers solutions like device intelligence, malware detection, behavior analytics, and anomaly detection on top of existing risk-based authentication solutions. Even that is not a guarantee that attackers won’t be successful, however.
There have been countless examples where several layers of security were in place but banks and retailers still failed to spot the attacks due to all of the noise around differentiating good customers from attempts by attackers. It will be increasingly important for organizations to not just have solutions deployed — but to have those solutions optimized and layered in a way that produces minimal friction for legitimate users and stops attackers at the door.
Matt: What can banks do to help protect themselves but also consumers who bank with them?
Mike: Banks should employ multiple layers of security through a continuously refined set of controls that immediately identify fraudulent access attempts so they can protect their invaluable customer relationships. Device intelligence coupled with a powerful risk engine is one critical component of such a layered approach, and it needs to be in place across mobile and online channels. With the abundance of compromised data from recent breaches, relying solely on usernames / passwords, accurate identity information, and basic step-up authentication to protect accountholders at login is a recipe for disaster without visibility into attacks across the entire online estate.
The list of alternative or complementary two-factor authentication approaches is long, and most enterprises are implementing multiple complementary controls and options to meet security needs and limit user inconvenience. This is often a delicate balancing act, but technologies like device intelligence and SMS-based tokens are seeing mass adoption. Biometrics, geo-location, and other native app technologies continue to show promise for mobile devices, but are often viewed as too intrusive unless the consumer is performing transactions that require a significant increase in security. These are also often opt-in only solutions, which could ultimately limit adoption.
We also see more institutions rolling out technologies that are focused on quickly authenticating good users to make their user experience as convenient as possible. Covert device intelligence is a strong option for this use case as well, since it limits friction and can enable seamless consumer interaction across all channels, from desktops to smartphones and tablets to any device capable of an Internet connection.
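The layered approach Mike describes (device intelligence, anomaly detection, malware signals and phone-based step-up for mobile transfers to a payee known only by e-mail address) can be sketched as a small risk engine. This is an added illustration, not 41st Parameter's product or any bank's rules; the weights, thresholds, field names and sample profile are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean

# Constructed, hypothetical rules: not 41st Parameter's risk engine or any bank's policy.

@dataclass
class AccountProfile:
    known_devices: set       # device IDs seen on prior authenticated sessions
    online_payees: set       # payees the customer set up through the online channel
    recent_amounts: list     # historical transfer amounts for this account

@dataclass
class TransferEvent:
    device_id: str
    payee_email: str         # mobile transfers now need only a receiver's e-mail
    amount: float
    malware_indicators: bool # the device-side malware detection layer raised a flag
    transfers_last_hour: int # velocity signal from the behaviour-analytics layer

def score_transfer(profile, event):
    """Each layer contributes a weight and a reason, so analysts can see why."""
    score, reasons = 0, []
    if event.device_id not in profile.known_devices:
        score += 30
        reasons.append("new_device")
    if event.payee_email not in profile.online_payees:
        score += 25
        reasons.append("payee_not_set_up_online")
    baseline = mean(profile.recent_amounts) if profile.recent_amounts else 0
    if baseline and event.amount > 3 * baseline:
        score += 20
        reasons.append("amount_anomaly")
    if event.transfers_last_hour >= 3:
        score += 15
        reasons.append("velocity")
    if event.malware_indicators:
        score += 50
        reasons.append("malware_indicators")
    return score, reasons

def decide(profile, event):
    """Map the layered score to allow / phone-based step-up / deny."""
    score, reasons = score_transfer(profile, event)
    if score >= 70:
        action = "deny"
    elif score >= 30:
        action = "step_up_phone"
    else:
        action = "allow"
    return action, score, reasons
```

A known device paying a payee that was set up online passes with no friction, while a new device paying a new e-mail payee is routed to phone-based step-up, which is the balance between convenience and control the interview describes.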
To learn more please visit: http://www.experian.com/decision-analytics/41st-parameter.html