Mobile Banking Fraud: Controlling It EarlyBuild Strong Fraud Detection Tools Now
The FFIEC hasn't, however, formally integrated much in the way of mobile security measures into its guidelines, though the council says it will continue to work closely with financial institutions to promote security in electronic banking.
The reason for the warning is clear: Now that 35 percent of all U.S. adults owns a smartphone, mobile banking is booming.
As mobile banking grows, so, too, does the potential for fraud.
Forrester Research reported in its January 2011 U.S. Mobile Banking Forecast that adoption of mobile banking among online adults in the U.S. more than doubled during the fourth quarter of 2010, relative to where it was two years ago, hitting 16 percent. As a result, mobile banking is expected to grow 20 percent annually over the next five years. Based on that projection, an estimated 50 million U.S. online adults will be using mobile banking by 2015.
Major banks have begun to offer new mobile services in response to this trend. On May 23, Bank of America, JPMorgan Chase and Wells Fargo partnered to launch a system that lets customers transfer money from their checking accounts using only mobile numbers or e-mail addresses. And banks are beginning to build text-payment services into their banking apps via services such as those provided through Telrock.
For today's retail banks, mobile banking is seen as table stakes, and new functionality like remote deposit capture is continuously being integrated.
But as mobile banking grows, so, too, does the potential for fraud.
A study by Trusteer in early 2011 showed that mobile users are three times more vulnerable to phishing attacks, and a Juniper Networks study published this May shows that instances of malware on Android phones grew 400 percent between summer 2010 and spring 2011. Both banks and consumers need to understand how to detect and prevent fraud so that malware attacks don't grow at the same rate, or exceed the rate, of mobile banking adoption.
Points of VulnerabilityThere are several touchpoints where mobile banking users are potentially exposed to fraud. Malware and phishing are on the rise. Transactions can be viewed and intercepted. Fraudulent operating systems and applications can be written for download and used by unsuspecting consumers. And good operating systems and applications can be corrupted.
In addition, wireless networks themselves can pose risks. One particular emerging fraud threat, dubbed a "sidejack" attack, occurs when fraudsters and/or thieves insert themselves into an unsecured Wi-Fi network connection and intercept messages and data that are exchanged. Consumers also too often conduct mobile banking over insecure networks in places like airports, hotels and libraries. Successful fraud mitigation approaches need to be able to cover consumers at all of these touchpoints.
Security Into the FutureThe key to identifying mobile banking fraud is by understanding consumer usage patterns. In normal activity, for example, banking actions like mobile payments and fund transfers take place on demand, with patterns that appear random. Fraudulent usage patterns for payments, on the other hand, tend to take place several times in a row; and funds transfers could take place several times after that.
Fraud analytics, which can build unique, adaptive profiles based on a consumer's real-time mobile banking activity, are emerging because of their ability to monitor transaction patterns and integrate those profiles into data for wireless access points, banking applications, as well as the time of the day and week when the network was used. Then banks can compare one user's profile to the entire user base, to evaluate and assess whether the patterns fall outside the norm.
If the patterns do fall outside the norm, that could be an indicator of suspicious activity. The behavior of mobile bank customers does change over time, as new apps and features are introduced. New pattern-detection technologies are built in to identify out-of-the-ordinary activity for a particular user.
In order to prevent mobile bank fraud, those fraud analytics identify patterns in milliseconds, which is critical. Speed enables a bank to deny a transaction or ask a user for additional user verification, ensuring intentions are proper. Not only does this help a bank ensure a successful customer experience, it also helps avoid aggravating consumers by incorrectly denying a legitimate transaction.
Most mobile banking applications today don't include these kinds of sophisticated security capabilities, as the focus is more on functionality. As mobile banking continues to grow, security needs to become an integral component of mobile infrastructure planning. Today's security systems reside in a bank's data center; tomorrow they need to be on mobile devices, wireless hotspots and the like. Security also should be built into mobile apps, so that the apps can monitor usage patterns and self-police a user's own mobile-banking activity.
As the use of mobile banking grows, banks and credit unions also should take steps to educate their customers and members about safe e-banking practices.
Here are some tips banks could share:
- Always use a secured Wi-Fi connection, where you have a unique user name and password, before sending any sensitive information over your mobile phone.
- Download your bank's mobile application from a legitimate app store associated with your phone and use it every time, so you can be sure you are visiting the real bank every time and not a copycat site.
- Install anti-malware technology, and back up data regularly.
- Configure your device to auto-lock after a period of time with a password of six-to-eight alphanumeric characters.
- Keep your apps and device software up-to-date.
Mobile banking technologies will revolutionize the way we handle our money, and they give banks a wonderful way to serve their customers. But just as banks are rolling out mobile banking interfaces, they also need to develop and integrate fraud prevention. It will be much easier to do so now, when the mobile banking trend is still in its relative infancy.
Mike Urban is fraud chief and senior director of product management at FICO.