BankThink

How to Protect Mobile Banking from Fraud

Mobile banking introduces a great opportunity to improve the customer experience through anywhere, anytime banking, but as financial institutions introduce this new channel to their customers, they need to ensure the risks don’t outweigh the rewards. The first step to implementing an effective fraud prevention strategy for mobile banking is to recognize that the solution doesn't lie entirely in securing mobile devices and applications.

This may sound counter-intuitive because banks have come to rely on mobile phones to provide an extra layer of security through out-of-band authentication (using a second, separate network to authenticate a user) and transaction verification callbacks. But with mobile banking creating a rich opportunity for cybercriminals (as evidenced by the recent surge of malware like SpitMo, ZeusMitMo and DroidKungFu), institutions should re-orient and treat mobile as another endpoint that is compromised, rather than as a layer of security.

A compromised mobile device provides easy entry to a wealth of personal information; apps, contact lists, email, call history and social media accounts are all readily accessible to anyone with physical or programmatic control of the device. Couple this with the natural tendency of humans to snoop around when they find something that isn't theirs, and we have a security risk that stems not only from professional criminals but also the "average Joe." In a recent experiment, Symantec purposefully "lost" 50 smartphones in public areas. Of those lost smartphones, 96% were accessed by their finders, and 80% of the finders tried to access files clearly marked with sensitive corporate or personal information.

Essential to mobile banking risk assessment and security strategy is the understanding that fraud attacks are rarely executed through one channel. Consider this: a customer receives an email asking for his credentials, which redirects him to what he assumes is his online banking site; he is asked to enter his mobile phone number for "verification," which then sends a text message with a link that downloads mobile malware. Schemes like this are complex, but deploying the holistic security measures needed doesn't have to be.

Net-net: banks must assume that the mobile phone, which used to serve as a primary layer of defense through out-of-band authentication, is now compromised.

Fraud losses and new regulatory guidance have spurred banks to incorporate multiple layers of security for online banking that assume the endpoint is compromised, and these same processes should be applied to mobile. In June of last year, the FFIEC updated its recommendations regarding layered security in an internet banking environment, outlining two minimum expectations: the ability to detect and respond to suspicious activity at login and initiation of transactions in all accounts, and enhanced controls of administrative functions for business accounts. While many expect the FFIEC to clarify with mobile-specific guidance, banks can't afford to wait.

Until now, most of the chatter around mobile strategy has focused on solutions that secure the device or application. Regulators have stated publicly that the FFIEC guidance for an internet banking environment is applicable for the mobile channel, but applying the same layered security to mobile has left many institutions with questions.

The best way to go beyond protecting the device is to understand how account holders are using their smartphones and tablets for banking activities, so as to detect suspicious behavior and stop fraud attacks before criminals can make a transaction. This has proven to be the only way to stop fraud, because, let's face it, cybercriminals will find a way to compromise your device if they are determined enough. This approach does more than prevent fraud in online and mobile banking: banks can improve the effectiveness of their security strategy across all channels, because the additional information provides a more comprehensive understanding of how the user interacts with the institution, and the more complete user profile enables banks to identify abnormalities faster and stop fraud before any money can leave the bank.

The mobile train has left the station, but it's not too late to get security strategies in order by applying the same layered security approach applied to other banking channels and by keeping a watchful eye on account behavior. By doing this, you can reap all the opportunities mobile has to offer, and avoid the risks.

Craig Priess is founder and vice president of Guardian Analytics.
