Are You Ready for the Mobile Banking Authentication Challenge?

The Meteoric Rise of the Mobile Channel

About half the adult global population now owns a smartphone, and by 2020, an estimated 80 percent will have one. Smartphones have penetrated every facet of daily life. The average American spends over two hours a day buried in one and glances at it 150 times a day.

But while the mobile channel now touches every market and vertical, no sector has adopted mobile technology more wholeheartedly than the financial industry. Mobile banking channel development has even become the No. 1 technology priority of North American retail banks.

In fact, mobile banking has become so important that, in a recent survey, consumers voted mobile banking availability as the most important deciding factor when choosing a bank, outranking both branch location and fees.

Cybercriminals Set Their Sights on Mobile Banking

The rapid adoption of the mobile channel by consumers has not gone unnoticed by the gangs that make their living from online fraud.

A recent report by Alcatel-Lucent Motive Security Labs shows a growth of 25 percent in the number of malware-infected devices in 2014 alone, while the antivirus company McAfee puts the total number of mobile malware samples at well over 5 million by just the third quarter of the year. These security issues aren’t all minor glitches, either: In February 2015, news reports emerged of a criminal organization dubbed the Yanbian Gang stealing millions of dollars from mobile banking customers in South Korea using fake apps.

Most alarming of all, IBM Security Trusteer research has found an increase in the number of mobile fraud toolkits offered for sale in underground forums. These fully loaded and ready-to-use mobile Trojans typically carry an arsenal of malicious tools able to:

  • Steal customers’ banking login credentials;
  • Intercept, forward and delete short message service (SMS) alerts and calls;
  • Inject fake messages, such as requests for login credentials and credit card information;
  • Gain administrator privilege on the device, which effectively blocks attempts to remove the malware.

Toolkits such as MazelTov, the Android malware-spreading kit recently discovered by IBM Trusteer researchers, are priced at only a few thousand dollars. Affordable prices provide an easy pathway for gangs that have historically focused on the online channel and are now looking to shift their tactics to the mobile arena.

Fortunately, most financial organizations have not yet seen significant mobile fraud attacks. But remember: Just because you don't see something doesn't mean it's not there. The rise of online banking fraud attacks started slowly a little over a decade ago and has progressed quite rapidly ever since. The industry was unprepared, fraud was rampant and, in the U.S. and other regions, the banking regulators stepped in, forcing institutions to bolster their defenses.

The mobile channel is now in its early stages of fraud attacks, but current-day foes are much more capable and experienced than the early online banking cybercriminals ever were.

Security Is Critical to Mobile Users

Examining the present situation shows that the risk of fraud and unauthorized access in the mobile channel far exceeds direct losses. Are we waiting for something big to happen before we secure our data? Isn’t that what got online fraud to where it is today? To what extent would news of successful fraud attacks against a bank’s mobile application influence its customers’ willingness to use it? According to a recent survey by the U.S. Federal Reserve, 62 percent of customers don’t use mobile banking because of security concerns; reports of successful mobile fraud attacks would certainly increase that number. Additionally, an attack against a customer’s mobile device is bound to elicit an emotional response, given the high level of attachment to one’s smartphone.

Experience Is Paramount

While rightfully demanding that mobile banking should be secure, users are not willing to compromise their customer experience for its sake.

Online channel users have gotten accustomed to cumbersome authentication methods such as security questions, tokens and one-time passwords. However, these same users are unlikely to accept anything that would prevent them from using their mobile devices on the fly.

One unique challenge in securing mobile banking is the lack of credible out-of-band authentication: SMS one-time passwords are delivered to the very device being authenticated. A single piece of malware or a rogue app running on that device could steal the SMS as easily as it could steal login credentials.

If Banks Are Giving Customers an App, Why Not Make It More Secure?

Despite the many disadvantages banks face when looking to strike a delicate balance between mobile banking security and ease of use, they possess one key advantage: Users will download and install the mobile app. Therefore, the bank’s mobile app can be a soft target for a cybercriminal, or it can be enhanced to become a security tool that helps protect the user and the device.


For any app to become a security tool, it must not only be able to detect threats, but also establish a device ID while maintaining a frictionless customer experience. Here are a few critical aspects that secure apps must have:

  • Threat awareness. The app must be able to detect all mobile risk factors such as mobile malware, rogue applications and jailbroken devices.
  • Fast-acting intelligence. Detection must keep pace with the rapid rate at which threats evolve, and the resulting threat intelligence must be translated into actions such as restricting or blocking access to high-risk devices.
  • Strong device ID. The app must be able to provide identification of a user’s device. Such identification must be persistent over varying operating systems and version changes while being immune to tampering.
  • Seamless use. Threat awareness and a strong device ID must be transparent to the user and precise enough not to affect the customer experience of legitimate users, all while blocking unauthorized access.
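As an added illustration (not code from the article, IBM or Trusteer), the sketch below models two of these requirements on the server side: a device ID bound to a per-device secret rather than to OS or version fingerprints, verified by challenge-response with single-use nonces, and a policy that maps the article's risk factors (malware, rogue apps, jailbroken devices) to an access action. The class and function names, the signal field names and the policy itself are assumptions.

```python
import hashlib
import hmac
import secrets


class DeviceRegistry:
    """Server side (assumed design): each enrolled device holds a random secret
    and an ID that does not depend on OS or version details, so it survives
    upgrades. On a real phone the secret would sit in the hardware keystore."""

    def __init__(self):
        self._secrets = {}    # device_id -> secret
        self._nonces = set()  # outstanding challenges, each usable once

    def enroll(self):
        device_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self._secrets[device_id] = secret
        return device_id, secret

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._nonces.add(nonce)
        return nonce

    def verify(self, device_id, nonce, proof):
        """True only for a known device answering a fresh challenge."""
        if nonce not in self._nonces or device_id not in self._secrets:
            return False
        self._nonces.discard(nonce)  # consume the nonce: replays fail
        expected = device_proof(self._secrets[device_id], nonce)
        return hmac.compare_digest(expected, proof)


def device_proof(secret, nonce):
    """Computed in the app: HMAC-SHA256 of the server's challenge."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def access_decision(device_verified, signals):
    """Map threat signals to an action. Malware or a rogue app blocks; a
    jailbroken or unverified device only triggers step-up authentication,
    so a legitimate user on a new phone is not locked out."""
    if signals.get("malware") or signals.get("rogue_app"):
        return "block"
    if signals.get("jailbroken") or not device_verified:
        return "step_up"
    return "allow"


def login(registry, device_id, nonce, proof, signals):
    """One login attempt: device check first, then the risk policy."""
    return access_decision(registry.verify(device_id, nonce, proof), signals)
```

Because the ID is tied to an enrolled secret and the challenge is single-use, a captured response cannot be replayed, while the policy keeps friction (step-up rather than a block) for the common case of an unknown but clean device.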

While the war against fraud in the mobile channel is still in its infancy, one thing is certain: Those who prepare for it will be in a better position to win than those onlookers waiting on the sidelines.

Ori Bach

Senior Security Strategist, Trusteer

Ori Bach is a product and risk management expert with 12 years of expertise in the financial services fraud and compliance space. He currently serves as Senior Security Strategist at IBM Trusteer. Ori previously worked at NICE Actimize for 9 years as Director of Solutions Management, where he helped oversee various aspects of the company's fraud and case management solutions. Ori has an LLB degree from Tel Aviv University and is a member of the Israel Bar Association. Ori's special areas of interest are analytics and the interdependencies between risk management and customer experience.