Mobile Banking Fraud: An Industry Talk with a UK Regulator, Bank and FinTech
Across the financial services industry, what do banks, financial start-ups, regulators, and technology vendors think about the state of mobile banking fraud?
In a recent webinar hosted by Finextra, Cutting Mobile Banking Fraud with Dynamic Authentication and App Security, we asked an expert panel about the growing complexities of mobile banking fraud and how to mitigate it using dynamic authentication and a multi-layered approach to security.
Guest speakers included experts from ALEXBANK, credit card fintech Infynit, OneSpan, and the UK’s Payment Systems Regulator. During the webinar, the group discussed fraud as a threat to financial institutions and the security measures banks are taking to combat social engineering, phishing, account takeover, mobile malware, and identity fraud.
The panel also discussed areas where banks can improve, in particular how to better defend against mobile banking fraud. Panelists provided insights into some of the most effective security technologies and tools that operate in real time, in a way that is inconspicuous to customers. They also shared additional best practices, such as educating the board and getting leadership at the highest levels of your organization involved in security decisions and fraud strategy.
If you missed this webinar, here is an overview of what was covered. To watch the full presentation, access it on-demand.
Constant Threat of Fraud on the Mobile Device
During the past year, the financial services industry has experienced immense pressure to rapidly adapt and digitize as many stages of the customer journey as possible. A recent digital banking survey of 14,000 consumers from around the world found that 96% of respondents had completed banking transactions digitally, and over 50% engaged more with mobile banking apps now than they did before the pandemic. The vast majority (87%) said they would continue using mobile banking services post-pandemic.
Simultaneously, the sophistication and volume of fraud attacks and cybercrime have also increased. Fraudsters have risen to the occasion in response to the global shift to digital banking, with a particular focus on mobile phones. Part of this is because it’s now easier to buy tools such as mobile fraud-as-a-service products underground, making it easy for less skilled attackers to launch relatively sophisticated attacks on account holders. This is evidenced by a Kaspersky report that saw a 20% increase in financial account takeover attacks in 2020, and a 125% increase in mobile banking Trojans (malware that steals bank account credentials).
There is hope despite these bleak numbers. There are several options for banks, lenders, payment service providers, and others to combat fraudsters. Some are already doing so, and seeing great success. The key is to understand areas of vulnerability so you can determine the best course of action.
Jonathan Williams, Technical Payments Specialist at the UK’s Payment Systems Regulator, an independent subsidiary of the Financial Conduct Authority, pinpoints the problem as being largely an identity issue. He explained that identity is an area that fraudsters tend to target and exploit, whether that is the identity of the customer, the financial provider, or the beneficiary.
“Ultimately, identity is the key,” he says. “We need to know that our customer is really the person who is trying to transact. And they need to be sure it’s us, as a bank or payment service provider, that is interacting with them. That mutual identification is an important part of the process.”
Cybersecurity technologies like multi-factor authentication, digital identity verification, behavioral biometrics and continuous monitoring help ensure that financial institutions really know their customer before financial transactions take place – that it really is the legitimate party transacting and not a cybercriminal.
Common Vulnerabilities in Mobile App Security
Some of the specific challenges that financial institutions face when it comes to mobile app security and mobile scams include:
- Consumers might download mobile banking apps from unauthorized or unofficial app stores where fraudsters may upload spoofed or fake apps designed to steal data while masquerading as legitimate mobile banking apps.
- Sometimes vendors and/or banks that create the software in-house don’t provide adequate security, such as obfuscation. Obfuscation makes it more difficult for fraudsters with technical skills to reverse-engineer mobile banking apps to detect vulnerabilities and attack accordingly. This is especially important from an information security standpoint, because a lot of mobile apps store sensitive data in the app itself.
- User sessions need to be terminated correctly at the end of the session. In some cases, fraudsters can take advantage of an open session.
- Transmission of data is also a challenge in mobile banking applications. Using an unsecured internet connection could let fraudsters enter, as could third-party keyboards.
- Fraud detection and fraud prevention should be dynamic and continuous, not stopping with authentication at login. Just because the person logging in has the username and password of a legitimate user doesn't mean they are indeed the legitimate user. Banks and other financial institutions need to monitor behavior continuously and in real time, to ensure the user isn't doing anything potentially malicious and that the session hasn't been hijacked.
3 Best Approaches to Real Time Fraud Prevention
Below are some of the approaches that the banking industry is using and where they have experienced success in preventing mobile banking fraud and cyberattacks:
- App shielding
Mobile app shielding can monitor the execution of apps and stop attacks when fraudsters try to steal data. It can also protect the app from spoofing (i.e., preventing the creation of fake apps by untrustworthy third parties). App shielding can also help in dynamic monitoring of the app. If an attacker tries to penetrate or latch on to the app, the app will simply shut down.
- Dynamic fraud prevention
Using a fraud prevention system to continuously monitor each customer’s banking sessions for unusual or suspicious activity is another way to protect customers. Two-factor authentication passcodes aren’t enough. Accounts need to be monitored in real time, from the time a user logs in to when they log out. In addition, behavioral and transaction monitoring checks whether account activity matches historic patterns.
- Biometric authentication
Biometric authentication is a fantastic opportunity for banks to simultaneously implement both security and convenience. Speakers advised implementing biometric authentication to improve the customer experience. For implementation, partnering with a third-party provider with expertise in this field, such as OneSpan, is highly recommended.
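As an added illustration of the continuous, login-to-logout monitoring described under dynamic fraud prevention (example code, not OneSpan's or the webinar's), the following Python scores every event of one constructed session against a customer's historic baseline and escalates from allow to step-up to block. The rule weights, thresholds, field names and sample data are all assumptions.

```python
"""Continuous in-session risk scoring against a customer's historic baseline (constructed)."""
from dataclasses import dataclass
from statistics import mean, pstdev

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

@dataclass
class Baseline:
    """What the institution already knows about this customer (constructed)."""
    devices: set          # device fingerprints seen on past legitimate logins
    countries: set        # countries of past legitimate logins
    beneficiaries: set    # payees this customer has paid before
    past_amounts: list    # historic transfer amounts

def decide(score):
    """Map the cumulative session score to an action (thresholds are assumptions)."""
    if score >= 80:
        return BLOCK      # terminate the session
    if score >= 40:
        return STEP_UP    # demand re-authentication before continuing
    return ALLOW

def monitor_session(events, baseline):
    """Score each event from login to logout; returns (type, score, decision) per event."""
    limit = mean(baseline.past_amounts) + 3 * pstdev(baseline.past_amounts)
    login_device = events[0]["device"]
    score, log = 0, []
    for ev in events:
        if ev["type"] == "login":
            if ev["device"] not in baseline.devices:
                score += 20   # unfamiliar device at login
            if ev["country"] not in baseline.countries:
                score += 15   # unfamiliar location at login
        elif ev["device"] != login_device:
            score += 60       # fingerprint changed mid-session: hijack indicator
        if ev["type"] == "add_beneficiary":
            score += 15       # new payee created within this session
        if ev["type"] == "transfer":
            if ev["beneficiary"] not in baseline.beneficiaries:
                score += 25   # paying someone never paid before
            if ev["amount"] > limit:
                score += 30   # amount far outside the historic pattern
        log.append((ev["type"], score, decide(score)))
    return log

BASELINE = Baseline({"dev-A1"}, {"GB"}, {"acct-landlord"}, [120, 80, 200, 150, 95])
SESSION = [  # constructed event stream: a legitimate start that turns suspicious
    {"type": "login", "device": "dev-A1", "country": "GB"},
    {"type": "view_balance", "device": "dev-A1", "country": "GB"},
    {"type": "add_beneficiary", "device": "dev-A1", "country": "GB"},
    {"type": "transfer", "device": "dev-A1", "country": "GB", "beneficiary": "acct-new", "amount": 4900},
    {"type": "transfer", "device": "dev-ZZ", "country": "GB", "beneficiary": "acct-new", "amount": 4900},
]

if __name__ == "__main__":
    for entry in monitor_session(SESSION, BASELINE):
        print(entry)
```

A real deployment would feed the same per-event scoring from server-side session logs rather than a list, but the escalation logic is the point: a valid password at login does not keep later events trusted.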
The Ongoing Fight Against Mobile Banking Fraud
Nothing is 100% secure, so banks and other financial institutions need to take a multi-layered approach to fraud prevention. This consists of implementing multi-factor authentication (MFA), not storing data unless absolutely necessary, and encrypting the data. Another way to keep your strategy dynamic is to conduct app security testing, along with penetration testing throughout the development process. Of course, no matter how secure your Android and iOS mobile banking apps are, you’ll eventually lose a certain degree of control since it’s not possible to control the security hygiene of the devices on which your app is downloaded. This is where mobile app shielding and continuous user, transaction, and device monitoring provide an additional layer of security.