Viewpoint: Mobile Banking's Fraud Problems

With every new banking technology come new security implications and threats.

Consumers are increasingly coming around to the idea of mobile banking, especially with the growing number of services being offered via handsets, including financial information services, funds transfer, bill payment and presentation, account management and customer service. At the same time, banks are faced with enhancing their security measures to help address a serious consumer concern — how safe is it to use mobile banking?

Though some argue that mobile banking can be more secure than its Internet equivalent since no data is typically held on the phone itself, security experts and consumers are expressing concerns. Skeptics have good reason to be apprehensive.

The transactions between a mobile device and an institution simply aren't as well guarded as their Internet counterparts, with only basic identification and verification checkpoints in place.

Authenticating a user's identity in mobile banking is as critical as it is with fixed-line Internet. Yet in reality, most mobile banking systems are struggling with this essential task. While most mobile banking systems have a "sentry at the gate" mechanism that catches some fraud, it isn't enough. They aren't able to ascertain whether the device transacting on their mobile site is in fact a mobile device or a PC or laptop acting as one. In one recent incident, networks of high-level gangsters were trading not just bank account details and card security codes, but mobile phone numbers, as well as e-mail addresses, PINs, passwords and dates of birth of unsuspecting members of the public.

Mobile banking touch points are easier for criminals to gain access to, as they don't have the security layers that Internet sites do. Because fraudsters are able to mimic the appearance of a mobile device as easily as they can a PC or a laptop, they are capable of infiltrating an unsuspecting bystander's mobile banking account. Having many layers of protective measures in place is the most effective way of detecting and preventing fraud — be it via mobile or fixed-line devices. Beyond the initial "firewall," mobile banking services should have additional password and encryption barriers. These, in combination with real-time tracking capabilities, will identify devices that were initially refused admission to a site and have since changed their identity to try to gain access. Studies have shown that it takes a matter of minutes for fraudsters to do this.

Client device identification (CDI) is an extremely valuable antifraud tool that helps identify suspicious transactions. By capturing and identifying device characteristics during the login process, CDI goes beyond simple user names and passwords to detect suspect mobile transactions at the device level. It is designed to differentiate individual devices visiting a site regardless of past registration, the credentials presented or the connection (telecom carrier or IP address).

Such parameters and real-time reporting can give the fraud-detection engine a full picture of the user at the other end of the line, whether the device is a mobile phone, PDA, smart phone, PC or networked gaming console, such as a PSP or Xbox. The more comprehensive the picture created, the harder it will be for a fraudster to forge.

CDI has become an immensely powerful antifraud tool, adding new layers of strength to a company's security without changing the user's behavior, without leaving tags on the device and without "showing your hand" to the fraudsters.
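
The device-level check described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor's product: it fingerprints a login on device characteristics only, ignoring credentials and connection, and flags a device that was refused and returns within minutes under a different identity. The field names, the 10-minute window and the sample events are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical device characteristics captured at login (assumed names).
DEVICE_FIELDS = ("screen", "timezone", "language", "fonts_hash")
WINDOW_SECONDS = 600  # assumed look-back window after a refusal

@dataclass
class Login:
    ts: int           # epoch seconds
    username: str
    ip: str
    user_agent: str   # what the client claims to be
    device: dict      # characteristics observed during login
    refused: bool = False

def device_id(login):
    """Fingerprint from device characteristics only (no credentials, IP or user agent)."""
    material = "|".join(f"{k}={login.device.get(k, '')}" for k in DEVICE_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def flag_returning_devices(logins):
    """Return (login, changed_fields) for each login from a device that was
    refused within WINDOW_SECONDS and now presents a different identity."""
    last_refusal, alerts = {}, []
    for login in sorted(logins, key=lambda l: l.ts):
        did = device_id(login)
        prev = last_refusal.get(did)
        if prev and login.ts - prev.ts <= WINDOW_SECONDS:
            changed = [f for f in ("username", "ip", "user_agent")
                       if getattr(login, f) != getattr(prev, f)]
            if changed:
                alerts.append((login, changed))
        if login.refused:
            last_refusal[did] = login
    return alerts

# Constructed sample events (documentation IP ranges, made-up user agents).
LAPTOP = {"screen": "1920x1080", "timezone": "UTC-7", "language": "en-US", "fonts_hash": "a91f"}
PHONE = {"screen": "320x480", "timezone": "UTC-5", "language": "en-US", "fonts_hash": "07c2"}
SAMPLE = [
    Login(1000, "alice", "198.51.100.7", "ExampleDesktop/1.0", LAPTOP, refused=True),
    Login(1180, "bob", "203.0.113.22", "ExampleMobile/2.0", LAPTOP),   # same device, new identity
    Login(1200, "carol", "192.0.2.15", "ExampleMobile/2.0", PHONE),    # unrelated handset
    Login(9000, "dave", "203.0.113.40", "ExampleMobile/2.0", LAPTOP),  # outside the window
]

if __name__ == "__main__":
    print([(l.username, c) for l, c in flag_returning_devices(SAMPLE)])
```

Because the fingerprint ignores the user name, IP address and claimed user agent, changing any of them after a refusal does not change the device's identifier, which is what lets the second login be tied back to the first.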

Ori Eisen is the founder, chairman and chief innovation officer of 41st Parameter in Scottsdale, Ariz.
