According to the Federal Reserve Board, 48% of smartphone owners have used mobile banking in the last 12 months. While consumers are embracing mobile banking for its ease-of-use and convenience, it poses significant security and fraud risks – especially during the holidays when transaction volume is at an all-time high, writes Andreas Baumhof
Banks do not have the time to screen each transaction for fraud risks, making it more difficult to spot cybercriminals.
With the holiday season under way, it is important for banks and financial institutions to offer customers the increased convenience associated with mobile banking without compromising security.
Understand Root Causes of Threats
With highly sensitive customer data and the challenges associated with online customer authentication, financial institutions are exceptionally susceptible to sophisticated cybercrime attacks.
Fraudsters can steal customer credentials, hijack online sessions and use malware to scam funds from unsuspecting account holders.
Mobile banking customers in particular are subject to an array of threats including hacking, malware, denial-of-service attacks and phishing scams. This is because too many banks make the mistake of prioritizing mobile convenience for consumers over implementing effective security strategies.
As the number of malware attacks continues to grow exponentially year-over-year, the biggest risks for financial services companies include account takeover, new account originations and payment and wire transfers.
While organized crime is responsible for the bulk of attacks, customer apathy towards password security also plays an important role.
Additionally, customer credentials can be easily compromised on low value sites that lack the robust security measures needed to prevent account takeovers and other malicious attacks such as watering hole attacks.
Implement Mobile-Specific Solutions
Banks must take a tailored approach to mobile security and implement preventative strategies to screen for fraudulent transactions in real-time without disrupting the user experience for authentic customers.
The Federal Financial Institutions Examination Council (FFIEC) mandates a layered approach to fraud prevention that maintains security without damaging the customer experience by incorporating two key techniques: recognizing returning customers using complex device identification, and detecting emerging malware threats to provide a secure browsing environment.
A comprehensive cybercrime prevention solution will address both requirements and evaluate risks based on multiple factors, including interactional context, consumer history, risk intelligence, behavioral analysis and plausibility.
By identifying high-risk transactions through device and transaction abnormalities, banks can protect legitimate customers and transactions from targeted malware and detect compromised devices that pose threats to customer assets.
Legitimate online banking customers using verified devices may still be victims of transactional fraud through Man-in-the-Middle, Man-in-the-Browser, phishing, session hijacking, key-loggers and other malware-driven attacks.
Transaction-level security measures should focus on reducing the potential for fraudulent wire transfers and other transactions, preventing web-based and machine-resident attacks from executing fraudulent transactions, and protecting online banking customers from session-based transaction attacks.
Alerts and Geolocation Techniques
Financial institutions can prevent account takeovers and eliminate online fraud by flagging high-risk attempts and using location information to distinguish between real, returning customers and cybercriminals hiding behind proxies.
An effective cybercrime prevention solution detects compromised accounts in a number of ways, including identifying:
– Automated logins from bots or compromised devices
– Shared user accounts, including concurrent access or access from multiple locations
– Malicious software, such as web-based and machine resident malware
– Access from suspicious locations, unrecognized computer settings or from masked machines
By gathering location information and comparing IP addresses to the physical locations of smartphones, financial institutions can also improve the detection of fraudulent transactions originating from proxies and Virtual Private Networks (VPN).
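The detection signals listed above (unrecognized devices, concurrent access from multiple locations, automated logins from one source, proxy/VPN egress, and an IP geolocation that does not match the phone's reported position) can be checked with fairly simple logic once login events are collected. The following is an added illustration written for this article, not ThreatMetrix code or any bank's implementation: it scores constructed sample login events against a small in-memory device registry and a stand-in IP geolocation table. The schema, the 30-minute window, the 200 km distance threshold and the three-account bot threshold are all assumptions chosen for the example; a production system would draw on a real geolocation feed and tune thresholds from its own false-positive data.

```python
"""Toy mobile-banking login risk scorer (added example; not the article's or ThreatMetrix's code)."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed device registry: account -> device ids seen and confirmed before (hypothetical schema).
KNOWN_DEVICES = {
    "acct-1001": {"dev-A1"},
    "acct-2002": {"dev-B7"},
}

# Constructed stand-in for an IP geolocation / proxy-intelligence feed.
# prefix -> (latitude, longitude, flagged_as_proxy). All prefixes are RFC 5737 documentation ranges.
IP_GEO = {
    "203.0.113.": (40.71, -74.01, False),   # New York area
    "198.51.100.": (51.51, -0.13, False),   # London area
    "192.0.2.": (37.77, -122.42, True),     # San Francisco area, flagged as proxy/VPN egress
}


@dataclass
class LoginEvent:
    account: str
    device_id: str
    ip: str
    gps: Optional[Tuple[float, float]]  # (lat, lon) reported by the phone, None if unavailable
    ts: datetime


def geolocate_ip(ip: str):
    """Longest-prefix lookup in the constructed geolocation table; None if unknown."""
    for prefix, info in IP_GEO.items():
        if ip.startswith(prefix):
            return info
    return None


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in kilometres between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (a[0], a[1], b[0], b[1]))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def score_login(ev: LoginEvent, recent: List[LoginEvent],
                window=timedelta(minutes=30), max_km=200.0, bot_accounts=3):
    """Return (score, reasons) for one login given earlier events. Thresholds are illustrative."""
    reasons = []
    in_window = [p for p in recent if abs(ev.ts - p.ts) <= window]

    # 1. Device recognition: a device this account has never used before.
    if ev.device_id not in KNOWN_DEVICES.get(ev.account, set()):
        reasons.append("unrecognized device")

    geo = geolocate_ip(ev.ip)
    if geo is None:
        reasons.append("ip geolocation unavailable")
    else:
        lat, lon, is_proxy = geo
        # 2. Source address is a known proxy/VPN egress.
        if is_proxy:
            reasons.append("ip flagged as proxy/vpn")
        # 3. IP-derived location disagrees with the phone's own position.
        if ev.gps is not None and haversine_km(ev.gps, (lat, lon)) > max_km:
            reasons.append("ip location far from device gps")
        # 4. Same account active from a distant location inside the window.
        for prev in in_window:
            pgeo = geolocate_ip(prev.ip)
            if prev.account == ev.account and pgeo and haversine_km((pgeo[0], pgeo[1]), (lat, lon)) > max_km:
                reasons.append("concurrent access from multiple locations")
                break

    # 5. Many distinct accounts logging in from one address in a short window suggests automation.
    accounts_from_ip = {p.account for p in in_window if p.ip == ev.ip} | {ev.account}
    if len(accounts_from_ip) >= bot_accounts:
        reasons.append("automated logins from a single ip")

    return len(reasons), reasons  # simple additive score; each reason counts one point


# Constructed sample events, processed in time order.
T0 = datetime(2013, 12, 20, 9, 0)
SAMPLE_EVENTS = [
    LoginEvent("acct-1001", "dev-A1", "203.0.113.10", (40.73, -73.99), T0),                       # legitimate NY login
    LoginEvent("acct-1001", "dev-Z9", "198.51.100.5", None, T0 + timedelta(minutes=10)),          # same account, London, new device
    LoginEvent("acct-2002", "dev-B7", "192.0.2.44", (34.05, -118.24), T0 + timedelta(minutes=20)),  # phone in LA, traffic via SF proxy
    LoginEvent("acct-3003", "dev-X1", "198.51.100.77", None, T0 + timedelta(minutes=40)),         # start of a burst from one IP
    LoginEvent("acct-4004", "dev-X1", "198.51.100.77", None, T0 + timedelta(minutes=41)),
    LoginEvent("acct-5005", "dev-X1", "198.51.100.77", None, T0 + timedelta(minutes=42)),
]


def run_sample():
    """Score each sample event against the events that preceded it."""
    results = []
    for i, ev in enumerate(SAMPLE_EVENTS):
        score, reasons = score_login(ev, SAMPLE_EVENTS[:i])
        results.append((ev.account, score, reasons))
    return results


if __name__ == "__main__":
    for account, score, reasons in run_sample():
        print(f"{account}: score={score} reasons={reasons}")
```

Each reason is deliberately kept as a separate, named signal rather than folded into one opaque number, so an analyst reviewing a flagged login can see which of the listed indicators fired; that is also what makes the feedback loop the article calls for workable, since confirmed fraud and confirmed false positives can be attributed back to individual checks and thresholds.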
With the rate of malware increasing every year, fraudsters are developing new ways to target and attack consumers. Financial institutions must treat fraud prevention as an ever-evolving security concern. Ongoing risk assessments and a well-designed feedback loop are key to achieving a successful fraud prevention strategy – during the holidays and year round – while constantly improving the customer experience.
Andreas Baumhof is chief technology officer at ThreatMetrix