The phrase "May you live in interesting times" has often been purported to be an ancient curse. While the accuracy of that claim is not clear, we surely live in interesting times when it comes to providing mobile financial services. Whether it is a curse or a blessing is largely in the hands of the provider.
The long awaited swell of mobile users and transactions in financial services is finally arriving through the continued increase in smartphone penetration and the wild growth of tablets. As consumers have shifted more of their online activity from their laptop and desktop devices, they have demanded more mobile functionality from financial institutions, which have responded with improvements to their applications' usability and core capabilities.
This has brought large numbers of users and more complete functionality to mobile apps, but has yielded a downside as well. While the customers are finally there and the applications are finally worth using, mobile apps have also become worth targeting by fraudsters. Without action, mobile apps will be the weakest channel, presenting a substantial exposure to fraud attacks for several reasons.
First, mobile devices subvert many of the controls that are heavily relied on in the browser-based online world. The internet provides fraudsters with reach, anonymity, and scalability; in response, financial institutions have built core capabilities around IP addresses, IP-based geolocation, device identification, and malware detection. However, mobile carrier IP addresses are consolidated, reused, and shared: behind carrier-grade NAT a single address fronts many subscribers at once, so an IP identifies a carrier gateway rather than a device, and IP velocity rules and IP geolocation lose most of their value. Browser-based device fingerprinting and malware detection do not run at all unless added to an app, and even then yield few and generic signals.
A second issue is the proliferation of mobile malware, for which mobile devices are a soft target. Mobile users tend to be uninhibited about what they click on or install on their devices. Even cautious users are much more likely to be fooled on their mobile devices by phishing and its SMS-text-based cousin, SMishing, because the small screen hides the cues (the full URL, the sender's real address) that would expose the lure on a desktop. Android devices, now the majority of devices in play, are particularly exposed because of the platform's openness and its third-party app stores, which may distribute mobile malware.
Finally, new capabilities like remote check deposits and mobile payments are bringing new attack vectors. Remote check deposit provides an easy path for check counterfeiters and ring activity, across the country and around the world. Historically, checks have been deposited at a bank branch or ATM with the depositor standing in front of a camera at a known location. Now checks can be deposited from anywhere in the world, with the possibility of faking the location at will via IP proxies to hide where fraudsters really are. Remote payments replace physical cards with virtual cards that can be effectively downloaded by anyone with account credentials.
The situation may sound bleak, but there is actually great potential with the right orientation and action. For organizations that aren't actively addressing these mobile threats, the risk equation shifts dramatically against them. However, mobile has the potential to be the safest and most preferred channel for financial transactions, while making the customer experience better.
Financial institutions must avoid treating mobile as just an extension of the browser, moving instead to mobile-centric authentication and fraud detection capabilities. With deep enough expertise in mobile devices, a great deal of useful identification and risk information can be harvested from them.
Device-asserted identity allows for extremely robust authentication of the mobile device itself: the device, rather than a password typed by the user, asserts its identity to the institution. This happens completely behind the scenes and reduces the need to challenge the user. Once a device has proven itself trustworthy in association with an account, it can be the strongest proxy available for the user.
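One way to implement device-asserted identity, as an added example that is not part of the original article and not any particular vendor's product: at enrollment the app generates a key pair and registers the public key against the account; from then on the server authenticates the device by issuing a random nonce and verifying the device's signature over it, with no user interaction. The Go code below is self-contained and runs offline; the Ed25519 key, the `phone-1` and `acct-42` identifiers, the 60-second challenge lifetime and the signed message layout are all assumptions of this example. On a real phone the private key would be generated inside the Secure Enclave or Android Keystore rather than in process memory, which is what makes it non-copyable.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Domain separator: a signature made here cannot be replayed into another
// protocol that happens to reuse the same device key.
const domain = "mobile-device-auth-v1"

// Server-side enrollment record: one device public key bound to one account.
type deviceRecord struct {
	accountID string
	pubKey    ed25519.PublicKey
}

// One outstanding challenge per device; it only has to survive one round trip.
type pendingNonce struct {
	nonce   string
	expires time.Time
}

// Server keeps enrollments and challenges in memory; now() is injected for testing.
type Server struct {
	devices map[string]deviceRecord // keyed by device ID
	nonces  map[string]pendingNonce // keyed by device ID
	now     func() time.Time
}

func NewServer(now func() time.Time) *Server {
	return &Server{devices: map[string]deviceRecord{}, nonces: map[string]pendingNonce{}, now: now}
}

// Enroll binds a device key to an account. A real deployment does this only
// after the user has passed a stronger, explicit authentication step.
func (s *Server) Enroll(accountID, deviceID string, pub ed25519.PublicKey) error {
	if _, exists := s.devices[deviceID]; exists {
		return errors.New("device already enrolled") // no silent key replacement
	}
	s.devices[deviceID] = deviceRecord{accountID: accountID, pubKey: pub}
	return nil
}

// Challenge issues a fresh random nonce for the device, replacing any earlier one.
func (s *Server) Challenge(deviceID string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(raw)
	s.nonces[deviceID] = pendingNonce{nonce: nonce, expires: s.now().Add(60 * time.Second)}
	return nonce, nil
}

// message is the exact byte string the device signs and the server verifies.
func message(deviceID, nonce string) []byte {
	return []byte(domain + "|" + deviceID + "|" + nonce)
}

// Verify consumes the device's outstanding nonce and checks the signature against
// the enrolled key; on success it returns the bound account, with no user prompt.
func (s *Server) Verify(deviceID, nonce string, sig []byte) (string, error) {
	pn, ok := s.nonces[deviceID]
	delete(s.nonces, deviceID) // single use, whether or not the checks below pass
	if !ok || pn.nonce != nonce {
		return "", errors.New("no matching outstanding challenge for this device")
	}
	if s.now().After(pn.expires) {
		return "", errors.New("challenge expired")
	}
	rec, ok := s.devices[deviceID]
	if !ok || !ed25519.Verify(rec.pubKey, message(deviceID, nonce), sig) {
		return "", errors.New("signature does not match an enrolled device key")
	}
	return rec.accountID, nil
}

// Device is the app side. On a phone the private key would be generated inside
// hardware-backed storage so it cannot be copied off; here it lives in memory.
type Device struct {
	ID   string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{ID: id, Pub: pub, priv: priv}, err
}

// Sign answers a challenge; nothing here involves the user.
func (d *Device) Sign(nonce string) []byte {
	return ed25519.Sign(d.priv, message(d.ID, nonce))
}
```

Three details carry the security of the exchange. The nonce is random, tied to the device that requested it, short-lived, and deleted on first use, so a captured response cannot be replayed. The signed message includes a protocol label and the device ID as well as the nonce, so a signature cannot be lifted into another context. Enrollment refuses to overwrite an existing key, so a fraudster who has only the account credentials cannot quietly register their own device as the trusted one. What this proves is possession of the enrolled key, not the presence of the legitimate user: a stolen, unlocked phone still passes, which is why the text calls the device a proxy for the user and why high-risk transactions should still add a user-facing check.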