Mobile banking is a dream come true for many users and banks, but a veritable nightmare for the banks' security teams. After all, what could be more convenient for a customer than handling financial affairs from the ever-present smartphone? No need to wait in line at a bank or ATM, log in to a PC, or wait ages to conduct transactions or pay utility bills. Automating these transactions instead of building new branches gives banks the opportunity both to offer more services to current customers and to attract new clients. It doesn't come much better than that.
But the dream takes on nightmarish proportions for the security teams that must provide foolproof protection against sophisticated fraudsters hell-bent on grabbing the cash and running. Current threats to mobile banking span a wide variety of attack types. Data- and credential-stealing malware comes in the form of fake applications, SMS stealers, and combined PC/mobile malware that compromises both ends of a transaction.
Cyberwar Tools for Fraud 101
Veracode provides basic definitions for some of the most prominent mobile banking fraud weapons in use:
- Malware - Mobile malware assumes many shapes and forms. There is spyware, which can be disguised as a legitimate app to gather information. Mobile Trojans infect user devices by attaching themselves to seemingly harmless or legitimate programs. Mobile viruses, which are similar to Trojans, can be used to root the device and gain access to files and flash memory.
- Phishing apps - Mobile phishing sites look like a legitimate service but they can steal user credentials or worse. Some phishing schemes use rogue mobile apps, disguising their true intent as a system update, marketing offer or game. Others infect legitimate apps with malicious code that’s only discovered by the user after installation.
- SIM swap - In this case, the fraudster uses phishing or social engineering to obtain an individual's personal and banking details. They then use this information to pose as the victim to the mobile network operator and fool it into cancelling the victim's SIM and reactivating the victim's mobile number on a SIM in the fraudster's possession. All subsequent calls and texts to the victim's number are routed to the fraudster's phone, including one-time passcodes for banking transactions.
Sophisticated cyber weaponry is enabling attackers to set their sights high, launching increasingly aggressive attacks against national banks. Malware was used in the attack on Bangladesh Bank's SWIFT systems in February 2016 to steal $81 million. Later in the year, further attacks targeted banks in Indonesia, Bangladesh and India. Ecuador's Banco del Austro claimed in a lawsuit that hackers made off with more than $9 million through fraudulent SWIFT transfer requests. Although mobile fraud prevention methods are constantly being developed to fight fraud and malware, false positives are significantly raising costs while the attacks just keep coming.
The Failings of 2FA
Indeed, fraudsters are dramatically upping the stakes with increasingly sophisticated attacks, and older protection methods like single-factor and even two-factor authentication (2FA) just can't cut it. Consider, for example, how little real security a temporary code sent via text message adds to a regular password. A determined attacker can hijack these SMS messages through a SIM swap, through malware on the handset that forwards incoming texts, or through a phishing page that simply asks the victim to type the code in; the code proves only that someone currently holds it, not who they are or what transaction they intend. Another weakness is that account recovery can be used as a tool for breaking 2FA, bypassing the second factor entirely: an attacker who claims to have lost his phone can ask to have 2FA disabled, and once this is done he can log into the account unrestricted.
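To make the weakness concrete, here is an added example (not code from the original article) that contrasts an SMS one-time code with a transaction-bound tag computed by a secret held on the customer's device. The device key, the transaction fields and the interception step are all constructed for the demonstration; in a real deployment the key would be provisioned into hardware-backed storage and the bank would hold its own copy.

```python
import hashlib
import hmac
import secrets

# Constructed for the example: a secret provisioned into the customer's banking
# app at enrollment. Not a real key; a real one lives in the device keystore.
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def sms_otp_issue() -> str:
    """Bank side: generate the six-digit code that gets texted to the customer."""
    return f"{secrets.randbelow(10**6):06d}"


def sms_otp_verify(issued: str, presented: str) -> bool:
    """Bank side: the code is a bearer token. Whoever holds it passes, and the
    check says nothing about which transaction or which device it came from."""
    return hmac.compare_digest(issued, presented)


def canonical(txn: dict) -> bytes:
    """Deterministic encoding of the transaction so both sides hash the same bytes."""
    return "|".join(f"{k}={txn[k]}" for k in sorted(txn)).encode()


def device_sign(device_key: bytes, nonce: bytes, txn: dict) -> str:
    """Device side: authenticate the bank's nonce together with the payee and
    amount the app displayed to the user. Only a device holding the key can do this."""
    return hmac.new(device_key, nonce + canonical(txn), hashlib.sha256).hexdigest()


def bank_verify_bound(device_key: bytes, nonce: bytes, txn_at_bank: dict, tag: str) -> bool:
    """Bank side: recompute over the transaction it is about to execute. A tag
    produced for different payee/amount details will not match."""
    expected = hmac.new(device_key, nonce + canonical(txn_at_bank), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def demo() -> tuple:
    """Walk both schemes through the same interception scenario."""
    user_txn = {"payee": "ALICE", "amount": 100}      # what the victim meant to do
    attacker_txn = {"payee": "MULE", "amount": 5000}  # what the attacker submits

    # Scheme 1: SMS OTP. The bank texts the code; a SIM swap, an SMS-stealing
    # trojan or a phishing page that asks for the code hands it to the attacker.
    otp = sms_otp_issue()
    intercepted = otp
    sms_accepts_attacker = sms_otp_verify(otp, intercepted)  # True: nothing ties it to user_txn

    # Scheme 2: transaction-bound device tag (what PSD2 calls dynamic linking).
    nonce = secrets.token_bytes(16)                  # fresh per attempt, so a tag cannot be replayed later
    tag = device_sign(DEVICE_KEY, nonce, user_txn)   # victim's device signs exactly what the victim saw
    bound_accepts_user = bank_verify_bound(DEVICE_KEY, nonce, user_txn, tag)
    # The attacker can relay the tag but cannot change what it covers,
    # and without the device key cannot produce a new one for attacker_txn.
    bound_accepts_attacker = bank_verify_bound(DEVICE_KEY, nonce, attacker_txn, tag)
    return sms_accepts_attacker, bound_accepts_user, bound_accepts_attacker


if __name__ == "__main__":
    print(demo())  # (True, True, False)
```

The contrast is structural rather than about code length: the SMS code is unbound, so any channel that leaks it (SIM swap, SMS stealer, phishing form) yields a usable credential, whereas the bound tag is worthless for any transaction other than the one the user's own screen showed. That also shows the residual risk: if the app can be tricked into displaying the mule's details as the user's intended transfer, the user will sign the wrong thing, so the display path is part of the security boundary.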
Which leads us to multi-factor authentication (MFA). Logically, requiring several independent factors offers greater security than two in mobile banking fraud prevention, with one caveat: an extra factor only helps if it cannot be captured or bypassed by the same attack that defeats the others. A password plus an SMS code plus a recovery flow that switches both off on request is not a stronger system than the password alone.
This fact hasn't escaped the general public or security experts: according to the latest Mastercard Digital Payments Study, 43% of consumers are interested in biometrics and other forms of authentication. In the recent “Biometrics and Banking” report, Rawlson O’Neil King, lead researcher at Biometrics Research Group, notes: “Augmenting biometric liveness detection with other security layers for multi-factor authentication greatly enhances digital security and renders the theft of any one personal data element inconsequential.”
The Benefits of Biometrics for Mobile Banking Fraud Prevention
Indeed, the use of biometrics for reliable (2FA or MFA) authentication is becoming increasingly widespread in preventing mobile banking fraud. Biometric recognition can be based on two different types of factors: static physical characteristics or human behavioral patterns. Static biometrics covers inherent physical characteristics like fingerprints and DNA, as opposed to dynamic characteristics that relate to behavioral activities such as personal gestures, walking gait, voice and even one’s typing rhythm.
Which method is more reliable for authentication purposes? Physical biometrics can be captured and, in some cases, reused. Take a fingerprint or DNA, for example: humans leave behind biometric traces on every glass they pick up and each piece of gum they discard, and unlike a password, a compromised fingerprint cannot be changed. Criminals can also use violence or coercion to obtain a physical identifier such as a fingerprint, which further reduces the effectiveness of this factor on its own. Dynamic biometrics are harder to steal because what is measured is a live interaction rather than a fixed trait: an attacker has to imitate the victim's behavior in real time instead of replaying a captured artifact. That is not the same as impossible, since recorded sessions and scripted input can attempt to mimic a user, so the system has to check for replay and automation as well as for similarity. The use of dynamic biometrics, or the way a human interacts with his surroundings, is also less invasive and more consumer friendly.
Behavioral Biometrics for Foolproof Authentication
Behavioral biometrics, an application of dynamic biometrics, uses machine learning to learn how an individual interacts with the device. It continuously monitors a wide variety of the individual’s pattern elements, analyzing everything in the background, and the accuracy of its authentication improves as more data accumulates, so the security layer is dynamically strengthened over time. The accumulated data is used to build a unique, readily recognizable personal profile. Behavioral biometrics is effective not only for the initial authentication of the user but also for continuous authentication throughout the session, and because it can distinguish human from non-human (scripted or automated) activity, it adds a further layer of assurance. It therefore comes as little surprise that the strong customer authentication rules issued under the European Commission’s PSD2 directive accept behavioral characteristics as an inherence element for multi-factor authentication.
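The following is an added example, not code from the original article or from any vendor it mentions, showing the mechanics described above on one behavioral signal, typing rhythm. It builds a profile from enrollment sessions, scores new input against it, flags input with no human timing jitter as automated, and re-evaluates a live session window by window. All keystroke timings are constructed for the example, and the mean-absolute-z-score comparison is a stand-in for the trained model a production system would use.

```python
from statistics import mean, pstdev

# A session is a list of (key, press_ms, release_ms) tuples as a keyboard or
# touch hook would record them. All timing values below are constructed.


def make_session(holds, flights):
    """Build timestamped keystrokes from hold times and the gaps between them."""
    keys, t = [], 0
    for i, hold in enumerate(holds):
        keys.append((f"k{i}", t, t + hold))
        t += hold + (flights[i] if i < len(flights) else 0)
    return keys


def features(session):
    """Per-keystroke hold times and inter-key flight times, in ms."""
    holds = [rel - press for _, press, rel in session]
    flights = [session[i + 1][1] - session[i][2] for i in range(len(session) - 1)]
    return holds, flights


def enroll(sessions):
    """Profile = mean and spread of each feature over the enrollment sessions.
    Spread is floored at 1 ms so a very consistent typist does not get a
    degenerate profile that rejects everyone, including themselves."""
    holds, flights = [], []
    for s in sessions:
        h, f = features(s)
        holds += h
        flights += f
    return {"hold": (mean(holds), max(pstdev(holds), 1.0)),
            "flight": (mean(flights), max(pstdev(flights), 1.0))}


def score(profile, session):
    """Mean absolute z-score of a session's timings against the profile.
    Lower means closer to the enrolled user."""
    h, f = features(session)
    zs = [abs(x - profile["hold"][0]) / profile["hold"][1] for x in h]
    zs += [abs(x - profile["flight"][0]) / profile["flight"][1] for x in f]
    return mean(zs)


def looks_automated(session, jitter_ms=2.0):
    """Scripted or injected input has almost no timing variance; humans jitter."""
    h, f = features(session)
    return pstdev(h) < jitter_ms and pstdev(f) < jitter_ms


def continuous_auth(profile, stream, window=6, threshold=2.0):
    """Re-evaluate the live session one window of keystrokes at a time, so a
    takeover after login is caught rather than only the login itself."""
    verdicts = []
    for i in range(0, len(stream) - window + 1, window):
        w = stream[i:i + window]
        if looks_automated(w):
            verdicts.append("bot")
        elif score(profile, w) > threshold:
            verdicts.append("anomalous")
        else:
            verdicts.append("ok")
    return verdicts


# Constructed enrollment data: three sessions of the legitimate user.
ENROLLMENT = [
    make_session([85, 95, 90, 100, 80, 90], [110, 130, 120, 140, 100]),
    make_session([88, 92, 95, 85, 90, 90], [115, 125, 120, 130, 110]),
    make_session([90, 100, 80, 95, 85, 90], [120, 140, 100, 135, 105]),
]
PROFILE = enroll(ENROLLMENT)

GENUINE = make_session([90, 95, 85, 92, 88, 90], [120, 125, 115, 130, 110])
IMPOSTOR = make_session([140, 150, 135, 145, 160, 130], [220, 240, 200, 230, 250])
BOT = make_session([50] * 6, [100] * 5)

# One live session: the user starts, a script takes over, then a human impostor.
LIVE = make_session(
    [90, 95, 85, 92, 88, 90] + [50] * 6 + [140, 150, 135, 145, 160, 130],
    [120, 125, 115, 130, 110] + [100] + [100] * 5 + [100] + [220, 240, 200, 230, 250],
)

if __name__ == "__main__":
    print(round(score(PROFILE, GENUINE), 2), round(score(PROFILE, IMPOSTOR), 2))
    print(looks_automated(BOT), looks_automated(GENUINE))
    print(continuous_auth(PROFILE, LIVE))  # ['ok', 'bot', 'anomalous']
```

Two design points carry over to real systems. The threshold is a tunable trade between false rejections of the real customer and false acceptances of an impostor, and should be set from measured error rates rather than guessed. And the "learning" the text describes should only fold in windows that were independently confirmed legitimate: if every accepted window updates the profile, an attacker who gets past the threshold once gradually teaches the model to accept him.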