Friday, August 26, 2011

Mobile users are three times more vulnerable to phishing attacks

As smartphone usage grows exponentially, so does the potential for fraud

A study by Trusteer in early 2011 showed that mobile users are three times more vulnerable to phishing attacks, and a Juniper Networks study published this May shows that instances of malware on Android phones grew 400 percent between summer 2010 and spring 2011. Both banks and consumers need to understand how to detect and prevent fraud so that malware attacks don't grow at, or exceed, the rate of mobile banking adoption.

Major banks have begun to offer new mobile services in response to this trend. For today's retail banks, mobile banking is seen as table stakes, and new functionality like remote deposit capture is continuously being integrated. There are several touchpoints where mobile banking users are potentially exposed to fraud. Malware and phishing are on the rise.

Transactions can be viewed and intercepted. Fraudulent operating systems and applications can be written for download and used by unsuspecting consumers. And good operating systems and applications can be corrupted.

In addition, wireless networks themselves can pose risks. One particular emerging fraud threat, dubbed a "sidejack" attack, occurs when fraudsters and/or thieves insert themselves into an unsecured Wi-Fi network connection and intercept messages and data that are exchanged.

Consumers also too often conduct mobile banking over insecure networks in places like airports, hotels and libraries. Successful fraud mitigation approaches need to be able to cover consumers at all of these touchpoints.

The key to identifying mobile banking fraud is understanding consumer usage patterns. In normal activity, for example, banking actions like mobile payments and fund transfers take place on demand, with patterns that appear random.

Fraudulent payments, on the other hand, tend to take place several times in a row, and funds transfers could take place several times after that. Fraud analytics, which can build unique, adaptive profiles based on a consumer's real-time mobile banking activity, are emerging because they can monitor transaction patterns and integrate those profiles with data on wireless access points, banking applications, and the time of day and week when the network was used.

Then banks can compare one user's profile to the entire user base, to evaluate and assess whether the patterns fall outside the norm. If the patterns do fall outside the norm, that could be an indicator of suspicious activity. The behavior of mobile bank customers does change over time, as new apps and features are introduced. New pattern-detection technologies are built in to identify out-of-the-ordinary activity for a particular user.

To prevent mobile bank fraud, those fraud analytics identify patterns in milliseconds, and that speed is critical. It enables a bank to deny a transaction or ask a user for additional verification to confirm that intentions are proper. Not only does this help a bank ensure a successful customer experience, it also helps avoid aggravating consumers by incorrectly denying a legitimate transaction.
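The profiling approach described above, as an added sketch that is not from the original article or any vendor's product: each user gets an adaptive profile of how many payments they make in a short window, a new attempt is scored against the whole user base, and the result is allow, additional verification, or deny. The window length, adaptation rate, thresholds and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

WINDOW_S = 600                 # assumed look-back for "several times in a row"
ALPHA = 0.2                    # assumed rate at which a profile adapts
STEP_UP_Z, DENY_Z = 3.0, 6.0   # assumed decision thresholds
MIN_STD = 0.5                  # floor so a uniform user base does not flag everything

class BurstScorer:
    """Adaptive per-user payment profile, scored against the whole user base."""
    def __init__(self):
        self.recent = defaultdict(deque)   # user -> attempt times inside the window
        self.usual = {}                    # user -> typical burst size (the profile)

    def decide(self, user, ts):
        q = self.recent[user]
        q.append(ts)                       # every attempt counts, even if refused
        while ts - q[0] > WINDOW_S:
            q.popleft()
        burst = len(q)
        base = list(self.usual.values()) or [1.0]
        z = (burst - mean(base)) / max(pstdev(base), MIN_STD)
        if z >= DENY_Z:
            return "deny"
        if z >= STEP_UP_Z:
            return "step_up"               # ask for additional verification
        # Learn only from accepted activity so a fraud burst cannot reshape the norm.
        own = self.usual.get(user, 1.0)
        self.usual[user] = (1 - ALPHA) * own + ALPHA * burst
        return "allow"

# Constructed sample: three customers paying on demand, then a rapid run on alice.
SAMPLE_EVENTS = [("alice", 0), ("bob", 3600), ("carol", 7200), ("alice", 40000),
                 ("bob", 45000)] + [("alice", 50000 + 20 * i) for i in range(6)]

def run(events):
    scorer = BurstScorer()
    return [(user, ts, scorer.decide(user, ts)) for user, ts in events]

if __name__ == "__main__":
    for user, ts, action in run(SAMPLE_EVENTS):
        print(f"{ts:>6} {user:<6} {action}")
```

Because the profile is updated only on allowed transactions, a customer whose habits change gradually shifts the baseline, while a sudden run of payments escalates from verification to denial without teaching the model that the run is normal.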

Most mobile banking applications today don't include these kinds of sophisticated security capabilities, as the focus is more on functionality. As mobile banking continues to grow, security needs to become an integral component of mobile infrastructure planning.

Today's security systems reside in a bank's data center; tomorrow they need to be on mobile devices, wireless hotspots and the like. Security also should be built into mobile apps, so that the apps can monitor usage patterns and self-police a user's own mobile-banking activity.

As the use of mobile banking grows, banks and credit unions also should take steps to educate their customers and members about safe e-banking practices.

Here are some tips banks could share:
  • Always use a secured Wi-Fi connection, where you have a unique user name and password, before sending any sensitive information over your mobile phone.
  • Download your bank's mobile application from a legitimate app store associated with your phone and use it every time, so you can be sure you are visiting the real bank every time and not a copycat site.
  • Install anti-malware technology, and back up data regularly.
  • Configure your device to auto-lock after a period of time with a password of six-to-eight alphanumeric characters.
  • Keep your apps and device software up-to-date.

Mobile banking technologies will revolutionize the way we handle our money, and they give banks a wonderful way to serve their customers. But just as banks are rolling out mobile banking interfaces, they also need to develop and integrate fraud prevention. It will be much easier to do so now, when the mobile banking trend is still in its relative infancy.
