Mobile Services: The Next Area Of Attack For Criminals?

LOS ALTOS, Calif. - At a time when criminals are ramping up their efforts, banks and credit unions are racing to add mobile services, which is only opening the door wider to thieves seeking members' financial data.


Fraud analysts suggest that while credit unions are paying attention to protecting the rapidly expanding channel, the race to expand mobile access could compromise security efforts that take time to develop. Moreover, it remains largely unknown how criminals will attack mobile devices and where they will find weaknesses.

"There are competitive pressures," said Terry Austin, CEO at Guardian Analytics. "If Chase comes out with remote deposit capture and your members want that service, you are suddenly in the position of introducing the advanced payments service to remain competitive."

Criminal activity coming in through mobile channels is nowhere near the intensity of the activity of online threats, explained Julie McNelley, research director at the Boston-based Aite Group. "But we are already seeing mobile getting targeted by bad guys. The fraudsters are coming to mobile and I think it will be the next frontier for cyber criminals to hone in on."

Austin warned that remote deposit capture presents many vulnerabilities, especially opportunities for thieves to kite checks. He said crooks can clone a member's cell phone and then easily deposit a bogus check. "They control the user's account, deposit money, and then immediately steal the money that never existed in the first place."

Guardian is adapting its behavior analytics programs to spot the steps criminals use to set up this type of fraud. Austin said his company is seeing malware developed for mobile devices, most of it showing up on the Android platform and, to a lesser degree, on the iPhone.

It's Not A Game
"Just like with your PC, malware has been adapted to be downloaded from an app store," Austin said. "You think you're downloading just a game, but malware is hidden that then steals user names and passwords."

The mobile threat Austin is most concerned about, and one he is seeing, however, is fraudsters taking over someone's SMS capability. "They start controlling the phone's communication mechanisms from malware. They can redirect communications to or from your bank."

But Austin is confident that behavior analytics can stop this type of fraud, again, by recognizing the process the criminal has to go through to set up the crime. "We are not trying to stop the access. We are assuming the criminals will get malware on your phone and will steal your credentials. We are trying to stop the theft before it is completed."

John Larsen, fraud prevention consultant for JHA Payment Processing Solutions, Seattle, said what will deter mobile fraud is consumers understanding the threat. "We have to get credit unions to educate their members that the cell phone is an avenue for fraud. People think because it is in their pocket that it's safe. But the technology is there for the crooks to come right into their own pockets."

Larsen insisted members need to be educated about the threat from downloading apps and to understand to only download programs they know are secure. "With phones there is a tendency to download apps because they might be cute or quirky. But members need to know to not judge a book by its cover."

But the battle is not only getting members to partner with the credit union in the defense against mobile fraud. Larsen said the push and pull between the goals of marketing and IT can lead to vulnerabilities, putting a mobile application out before enough is known about how to effectively defend against threats. Larsen said there will always be a debate between internal marketing and the fraud teams over the need to get a payments technology used expediently versus spending more time on data safety. "Sometimes the fraud department loses."

