The Meteoric Rise of the Mobile Channel

About half the adult global population now owns a smartphone, and by 2020, an estimated 80 percent will have one. Smartphones have penetrated every facet of daily life. The average American is buried in one for over two hours every day or glances at it 150 times a day.

But while the mobile channel now touches every market and vertical, no sector has adopted mobile technology more wholeheartedly than the financial industry. Mobile banking channel development has even become the No. 1 technology priority of North American retail banks.

In fact, mobile banking has become so important that, in a recent survey, consumers voted mobile banking availability as the most important deciding factor when choosing a bank, outranking both branch location and fees.

Cybercriminals Set Their Sights on Mobile Banking

The rapid adoption of the mobile channel by consumers has not gone unnoticed by the gangs that make their living from online fraud.

A recent report by Alcatel-Lucent Motive Security Labs shows a growth of 25 percent in the number of malware-infected devices in 2014 alone, while the antivirus company McAfee puts the total number of mobile malware samples at well over 5 million by just the third quarter of the year. These security issues aren’t all minor glitches, either: In February 2015, news reports emerged of a criminal organization dubbed the Yanbian Gang stealing millions of dollars from mobile banking customers in South Korea using fake apps.

Most alarmingly of all, IBM Security Trusteer research has found an increase in the number of mobile fraud toolkits offered for sale in underground forums. These fully loaded and ready-to-use mobile Trojans typically carry an arsenal of malicious tools able to:

  • Steal customers’ banking login credentials;
  • Intercept, forward and delete short message service (SMS) alerts and calls;
  • Inject fake messages, such as requests for login credentials and credit card information;
  • Gain administrator privilege on the device, which effectively blocks attempts to remove the malware.

Toolkits, such as the Android malware-spreading kit MazelTov recently discovered by IBM Trusteer researchers, are priced at only a few thousand dollars. Affordable prices provide an easy pathway to gangs that have historically focused on the online channel and are now looking to shift their tactics to the mobile arena.

Fortunately, most financial organizations have not seen significant mobile fraud attacks. But remember: Just because you don’t see something doesn’t mean it’s not there. The rise of online banking fraud attacks started slowly a little over a decade ago and has progressed quite rapidly ever since. The industry was unprepared, fraud was rampant and, in the U.S. and other regions, the banking regulators stepped in, forcing institutions to bolster their defenses.

The mobile channel is now in its early stages of fraud attacks, but current-day foes are much more capable and experienced than the early online banking cybercriminals ever were.

Security Is Critical to Mobile Users

Examining the present situation shows that the risk of fraud and unauthorized access in the mobile channel far exceeds direct losses. Are we waiting for something big to happen before we secure our data? Isn’t that what got online fraud to where it is today? To what extent would news of successful fraud attacks against a bank’s mobile application influence its customers’ willingness to use it? According to a recent survey by the U.S. Federal Reserve, 62 percent of customers don’t use mobile banking because of security concerns; reports of successful mobile fraud attacks would certainly increase that number. Additionally, an attack against a customer’s mobile device is bound to elicit an emotional response, given the high level of attachment to one’s smartphone.

Experience Is Paramount

While rightfully demanding that mobile banking should be secure, users are not willing to compromise their customer experience for its sake.

Online channel users have gotten accustomed to cumbersome authentication methods such as security questions, tokens and one-time passwords. However, these same users are unlikely to accept anything that would prevent them from using their mobile devices on the fly.

One unique challenge in securing mobile banking is the lack of credible out-of-band authentication such as SMS one-time passwords. A single piece of malware or a rogue app running on a device could steal the SMS as easily as it could steal login credentials.

If Banks Are Giving Customers an App, Why Not Make It More Secure?

Despite the many disadvantages banks face when looking to strike a delicate balance between mobile banking security and ease of use, they possess one key advantage: Users will download and install the mobile app. Therefore, the bank’s mobile app can be a soft target for a cybercriminal, or it can be enhanced to become a security tool that helps protect the user and the device.

For any app to become a security tool, it must not only be able to detect threats, but also establish a device ID while maintaining a frictionless customer experience. Here are a few critical aspects that secure apps must have:

  • Threat awareness. The app must be able to detect all mobile risk factors such as mobile malware, rogue applications and jailbroken devices.
  • Fast-acting intelligence. Detection must be cognizant of the rapid pace at which threats evolve. To achieve that, threat intelligence must then be translated into actions such as restricting or blocking access to high-risk devices.
  • Strong device ID. The app must be able to provide identification of a user’s device. Such identification must be persistent over varying operating systems and version changes while being immune to tampering.
  • Seamless use. Threat awareness and a strong device ID must be transparent to the user and precise enough not to affect the customer experience of legitimate users, all while blocking unauthorized access.
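As an added illustration (not code from the original article or from any IBM product), the sketch below shows how a server could turn the app's risk report into an access decision while checking that the device ID and report were not altered. The key table, signal names, function names and the mapping of signals to actions are all assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed sample data: per-device keys assumed to be provisioned at enrollment.
DEVICE_KEYS = {"dev-1001": b"constructed-demo-key-1001"}

# Risk factors named in the list above; the action chosen for each is an assumption.
BLOCK_SIGNALS = {"malware", "rogue_app"}
RESTRICT_SIGNALS = {"jailbroken"}


def sign_report(device_id, signals, key):
    """App side: MAC over the device ID and the sorted list of detected signals."""
    body = json.dumps(
        {"device_id": device_id, "signals": sorted(signals)}, sort_keys=True
    ).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def decide(device_id, signals, tag):
    """Server side: return 'allow', 'restrict' or 'block' for this session."""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        # Unknown device ID: limit the session instead of silently allowing it.
        return "restrict"
    expected = sign_report(device_id, signals, key)
    if not hmac.compare_digest(expected, tag):
        # The report or the device ID was changed after it was signed.
        return "block"
    found = set(signals)
    if found & BLOCK_SIGNALS:
        return "block"
    if found & RESTRICT_SIGNALS:
        return "restrict"
    # Clean, known device: no extra step is shown to the user.
    return "allow"


if __name__ == "__main__":
    k = DEVICE_KEYS["dev-1001"]
    for sig in ([], ["jailbroken"], ["malware", "jailbroken"]):
        print(sig, "->", decide("dev-1001", sig, sign_report("dev-1001", sig, k)))
```

The MAC only makes the report tamper-evident if the key is out of reach of other software on the device, so the example assumes it is held in hardware-backed storage.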

While the war against fraud in the mobile channel is still in its infancy, one thing is certain: Those who prepare for it will be in a better position to win than those onlookers waiting on the sidelines.
