The phrase "May you live in interesting times" has often been purported to be an ancient curse. While the accuracy of that claim is not clear, we surely live in interesting times when it comes to providing mobile financial services. Whether it is a curse or a blessing is largely in the hands of the provider.
The long awaited swell of mobile users and transactions in financial services is finally arriving through the continued increase in smartphone penetration and the wild growth of tablets. As consumers have shifted more of their online activity from their laptop and desktop devices, they have demanded more mobile functionality from financial institutions, which have responded with improvements to their applications' usability and core capabilities.
This has brought large numbers of users and more complete functionality to mobile apps, but has yielded a downside as well. While the customers are finally there and the applications are finally worth using, mobile apps have also become worth targeting by fraudsters. Without action, mobile apps will be the weakest channel, presenting a substantial exposure to fraud attacks for several reasons.
First, mobile devices subvert many of the controls that are heavily relied on in the browser-based online world. The internet provides fraudsters with reach, anonymity, and scalability; in response, financial institutions have built core capabilities around IP addresses, IP- based geolocation, device identification, and malware detection. However, mobile carrier IP addresses are consolidated, reused, and shared. Browser-based detection does not run at all unless added to an app, and even then yields few and generic responses.
A second issue is the proliferation of mobile malware, and that mobile devices offer a soft target for it. Mobile users tend to be uninhibited about what they click on or install on their devices. Even cautious users are much more likely to be fooled on their mobile devices by phishing and its SMS-text-based cousin SMishing, as these are more difficult to spot due to limited screen sizes and they lack contextual information. Android devices, now the majority of devices in play, are particularly vulnerable, due to their open platform and third-party app stores, which may distribute mobile malware.
Finally, new capabilities like remote check deposits and mobile payments are bringing new attack vectors. Remote check deposit provides an easy path for check counterfeiters and ring activity, across the country and around the world. Historically, checks have been deposited at a bank branch or ATM with the depositor standing in front of a camera at a known location. Now checks can be deposited from anywhere in the world, with the possibility of faking the location at will via IP proxies to hide where fraudsters really are. Remote payments replace physical cards with virtual cards that can be effectively downloaded by anyone with account credentials.
The situation may sound bleak, but there is actually great potential with the right orientation and action. For organizations that aren't actively addressing these mobile threats, the risk equation shifts dramatically against them. However, mobile has the potential to be the safest and most preferred channel for financial transactions, while making the customer experience better.
Financial institutions must avoid treating mobile as just an extension of the browser, moving instead to mobile-centric authentication and fraud detection capabilities. With deep enough expertise in mobile devices, a great deal of useful identification and risk information can be harvested from them.
Device-asserted identity allows for extremely robust authentication of the mobile device. This is completely behind the scenes, and reduces the need to challenge the user. Once a device has been proven itself trustworthy in association with an account, it can be the strongest proxy available for the user.
Mobile apps also allow for unprecedented checks for device vulnerabilities, including malware targeting the user, criminal tools that can be used in an attack, whether the device is rooted or jailbroken, and evidence of phishing / SMishing victimization. Financial institutions can protect the customer from rogue apps and spyware, while limiting their response to genuine threats, and detect mobile crimeware that is used against banks, such as location spoofing and proxy management apps. Mobile device location is another new capability. While fraudsters can use proxies and VPNs to change their IP address to appear to be somewhere safe, mobile location data can be more accurate. A critical caveat is that using standard mobile location services functionality is not enough; many apps are available that will easily spoof this location. With a deeper dive into the phone using multiple mobile location methods, however, these attempts to mislead can be caught.
Device-asserted identity, constant device-based authentication, mobile malware and crimeware detection, root and jailbreak detection, and strong mobile location are key among the blessings that mobile apps can bring when we stop fighting the last war and instead adopt a mobile-focused approach to mobile security and fraud detection. Not only can these make mobile the safest channel, it can be the most convenient by virtually eliminating challenges and allowing for options like mobile sign-in via PIN rather than user name and password. We definitely live in interesting times, but we can make them interesting because of the tools and possibilities rather than the challenges.
Joseph Quickle is vice president, anti-fraud products, at InAuth.
