Fraud has not yet become common through mobile-banking channels, but experts warn that cyber criminals likely have mobile banking and mobile payments on their radar.
And while many financial institutions lack fraud protection that equally covers mobile and online banking programs, the threat of loss will become more serious as more mobile transactions involve larger sums of money, Julie Conroy McNelley, senior analyst and fraud expert with Boston-based Aite Group, tells PaymentsSource.
In a survey of 24 global risk executives from financial institutions or payment processors conducted in November 2011, Aite examined emerging risks surrounding mobile banking and mobile payments. “Mobile Fraud: The Next Frontier” is the third of five parts of a cybercrime report Aite will release through early 2012. Respondents represented 10 different countries on five continents.
“The most surprising thing in compiling this report was that two-thirds of the respondents said they did not have integrated fraud protection between mobile and online channels at their financial institutions,” McNelley says.
Financial institutions have not yet built multiple layers of fraud protection for their mobile banking programs because so far they have not noticed a lot of breaches in that arena. And such fraud measures can be expensive, McNelley says.
But stiffer fraud measures may soon become essential, if history is any guide, she suggests.
Financial institutions went through a similar cycle about five years ago when deploying fraud-protection measures with online banking programs, McNelley notes.
Initially, financial institutions saw relatively low levels of online fraud, but when organized crime threw its weight behind online banking attacks, fraud prevention became a higher priority, she adds.
Mobile and online banking are differentiated only by the technology the consumer uses to view his account or perform money transfers, deposits or withdrawals, McNelley says.
In mobile banking, the customer uses a mobile phone or tablet to view an account, while online banking occurs when the customer sits a computer terminal to access the bank’s website to view an account, she explains.
Ominously, 75% of respondents agreed that mobile banking creates exposure to risks that are not yet completely understood because cyber criminals are always developing new attack methods, the report states.
Equally worrisome is the fact that 57% of respondents fear mobile banking service innovations may outpace the ability of risk management and fraud protection tools to protect them.
“Mobile banking and online banking use very different technologies, and it takes different technologies to protect them, and we know the bad guys are trying to figure out how to attack vulnerable spots in those differences first,” McNelley says.
Fraudsters typically create attacks that capitalize on the lack of similar protection measures in place when monetary transactions cross channels at the bank, from mobile to online, or call centers to branch offices, the report suggests. Only 37% of respondents have the same fraud protection measures in place for mobile and online banking programs, the report states.
Many protection measures that have proven successful in online banking show a high potential to apply to mobile banking as well, the report notes. Those measures include complex device printing, or the establishment of a “unique fingerprint” to identify the device being used by the consumer, and behavior analytics, which monitor the site-navigation patterns of a consumer banking online, the report states.
Mobile channels lend themselves to biometric protection measures, such as voice recognition, signature recognition and fingerprint images using a smartphone camera, the report adds.
Because small and mid-size businesses are increasingly aware of potential liability from fraud and the need for protection, banks already confident in their layered security approach could possibly create another revenue source by guaranteeing those businesses additional protection, McNelley suggests in the report.
Banks could guarantee safety, if merchants use the system properly on their end, and tell the merchants they “will swallow the losses” if there is a breach, McNelley says.
In doing so, the banks could charge a premium protection rate, she adds.
“It would be kind of like selling insurance,” she suggests. “You are paying more for the guaranteed, great security.”
McNelley authored previous reports that studied the growing cyber attacks on corporate accounts in banks (
What do you think about this? Send us your feedback.
