As banking increasingly goes mobile, users expect the same functionality as with online banking. However, mobile banking represents new risks, and the attack surface widens. Smartphones contain a mother lode of information about the user, including sensitive data such as bank account numbers, credit card numbers and other personal information. At the same time, threat actors can approach mobile banking through various attack vectors, including the device itself, the mobile network and the web server.
Types of mobile fraud
There are various types of mobile fraud, and new, increasingly sophisticated attack methods seem to be popping up regularly. Here is a short description of the prominent attack methods currently in use:
- Malware - Mobile malware can appear in the form of spyware, legitimate-looking Trojans, and viruses that take over devices. Remote access Trojans (RATs) in particular are very common and are designed to give the attacker complete control over the victim's device by installing a backdoor for administrative control.
- Phishing apps - Authentic-looking phishing sites or apps can steal user credentials by making seemingly innocent requests for a system update, or by offering a great sale or a fun game.
- SIM swap - The fraudster uses phishing techniques to obtain an individual's banking details, then poses as the victim to the mobile network operator to have the victim's phone number transferred to a SIM card the fraudster controls.
- Vishing - In this type of fraud, attackers try to trick users into revealing personal information over the phone.
- Smishing - Attackers send malicious links via text messages; as soon as the link is tapped, they are able to extract personal data.
Effective tools for detecting mobile fraud
Simply securing applications at login is not enough; legitimate app sessions can be hijacked and taken over for malicious purposes. Digital officers need to focus on implementing security protocols that go beyond secure logins and continuously authenticate the user in order to identify abnormal behavior or suspicious activity. So, which processes and tools are best suited to detecting mobile fraud beyond the authentication stage?
The threats are myriad and proliferate as time goes on. Here are some of the most effective mobile fraud detection methods that you need to have in your toolbox:
Customer security checks
Customer education is key. Make sure to clearly communicate to your customers the importance of keeping an eye on their accounts to identify fraudulent transactions. Teaching users to be vigilant about noticing suspicious behavior, as well as teaching healthy security habits, is of paramount importance here.
Customer awareness of the different types of breaches out there can be key to detecting and fighting fraud. Customers also need to be encouraged to regularly update apps, operating systems and antivirus programs. It is important for them to know what action to take in the event of an attack, including changing passwords and informing their bank or credit card company immediately about the breach.
Manual reviews involve a team of analysts that examine flagged transactions in order to determine whether they are a real threat or not. If a reviewer determines that a transaction is a threat, the order is refused. If the threat proves to be false, the order is allowed to be processed. This type of review is particularly effective in cases where the circumstances are not clear-cut, and an actual human being can make an informed decision.
While the above methods can be useful, their dependence on the human element makes them both costly and time-consuming. Thus, more cost-efficient, data-driven methods are needed. Using already collated data, machine learning enables the design and application of algorithms that identify and assess the significance of various behavioral patterns. By recognizing thousands of patterns on a user's purchasing journey, for example, fraud can be predicted across a large volume of transactions. If the user's keystroke pattern appears different, or even if the typing rate is slower than usual, a red flag is automatically raised. Through such simple parameters it becomes easier to identify possible fraud effectively and efficiently, thereby decreasing the number of false positives.
Traditional authentication models (both two-factor and multifactor) are now too flimsy to thwart sophisticated attacks. Using stolen but legitimate user credentials, fraudsters can commit digital identity fraud easily. Authentication needs to continue past the login.
By continually validating the user throughout a session, a machine learning-based layer of security can continuously authenticate the user. If there is a deviation, a red flag is raised and the user is investigated or the session is closed. The most effective form of continuous authentication is based on dynamic biometrics.
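The two ideas above, scoring a behavioral signal such as keystroke timing against a learned baseline and then letting that score run for the whole session so a deviation can trigger review or session closure, can be sketched together in one small model. The following is an added example written for this page; it is not code from the article or from any vendor's product. The enrollment intervals, the median/MAD deviation rule, the per-event cap, the decay factor and the two thresholds are all constructed assumptions, and a real deployment would combine many more signals than inter-key timing.

```python
from dataclasses import dataclass, field
from statistics import median

# Constructed enrollment data: inter-key intervals (ms) from three earlier
# sessions of the same user. A real system would collect far more samples.
ENROLLMENT = [
    [120, 130, 125, 135, 128, 122],
    [118, 132, 126, 124, 130, 120],
    [127, 129, 123, 131, 125, 133],
]

MIN_KEYS = 3            # fewer intervals than this is too little evidence to score
PER_EVENT_CAP = 4.0     # bound one event's weight so a single burst cannot end a session alone
DECAY = 0.8             # older evidence fades; sustained deviation still accumulates
REVIEW_THRESHOLD = 3.0  # hand to an analyst or ask for step-up verification
TERMINATE_THRESHOLD = 6.0


@dataclass
class KeystrokeBaseline:
    med: float   # typical inter-key interval for this user (ms)
    mad: float   # median absolute deviation: robust measure of spread


def build_baseline(enrollment):
    """Learn a robust centre and spread from the user's enrollment sessions."""
    flat = [x for session in enrollment for x in session]
    m = median(flat)
    mad = median(abs(x - m) for x in flat) or 1.0  # guard against zero spread
    return KeystrokeBaseline(m, mad)


def event_score(baseline, intervals):
    """Deviation of one typing event from the baseline, in MAD units.
    Positive means slower than usual, negative means faster."""
    if len(intervals) < MIN_KEYS:
        return 0.0  # assumption: too little data is neutral, not evidence either way
    return (median(intervals) - baseline.med) / baseline.mad


@dataclass
class Session:
    risk: float = 0.0
    decisions: list = field(default_factory=list)


def update_session(session, baseline, intervals):
    """Fold one typing event into the session's running risk and decide."""
    z = event_score(baseline, intervals)
    # deviations within 1 MAD of normal cost nothing; beyond that, capped evidence
    contribution = min(max(abs(z) - 1.0, 0.0), PER_EVENT_CAP)
    session.risk = DECAY * session.risk + contribution
    if session.risk >= TERMINATE_THRESHOLD:
        decision = "terminate"
    elif session.risk >= REVIEW_THRESHOLD:
        decision = "review"
    else:
        decision = "allow"
    session.decisions.append(decision)
    return decision


def run_session(baseline, events):
    """Process typing events in order; stop once the session is terminated."""
    session = Session()
    for intervals in events:
        if update_session(session, baseline, intervals) == "terminate":
            break
    return session.decisions


if __name__ == "__main__":
    base = build_baseline(ENROLLMENT)
    genuine = [124, 128, 126, 130]      # constructed: the user's usual cadence
    anomalous = [240, 260, 250, 270]    # constructed: markedly slower typing mid-session
    print(run_session(base, [genuine, genuine, anomalous, anomalous]))
```

The decay and the per-event cap are the design choices worth noting: one odd burst only escalates the session to review, a second consecutive deviation terminates it, and a session that returns to normal typing drifts back to "allow" rather than staying flagged forever.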
Mobile banking security requires more than just tools
According to The Federal Reserve, 67% of millennials use mobile banking, and adoption will continue to surge with future generations of banks' customers. Yet, despite this rapidly growing adoption, mobile devices remain the least secure link in the digital banking chain. The combination of fast-growing adoption and the numerous challenges to mobile banking security will inevitably lead to an increase in fraudulent activity. As a strong mobile strategy becomes mission-critical for the banking sector, securing the mobile channel should be the first priority for digital officers.