When, in December 2012, an estimated 36 million Euros were stolen from over 30,000 mobile banking app users in Europe, the expected public outcry failed to appear. Although Trojans and other malware have repeatedly been used to hijack user accounts (migrating from PCs and laptops to new devices), those incidents still raise few concerns about mobile security. As the volume and value of payments flowing through the mobile channel rise, it is likely that hackers will target mobile channels in rapid succession, exploiting users’ outright dependency on handheld devices.
There’s no question that the innovation and the product and service development taking place provide consumers with greater convenience and flexibility. We are used to connecting with friends on Facebook, entertaining ourselves with a quick game and carrying out our everyday banking tasks, using sensitive access data while on the go.
Ensuring that the consumer is appropriately protected in this changing environment is a challenging task for financial institutions and mobile operators. Alongside rapid mobile development, new avenues for fraud, security breaches and other acts of piracy are opening up. The following list illustrates the most common risks today:
Mobility and Convenience
One of the reasons that mobile banking is so popular is that it can be done ‘on the go’. Immediate access to all our bank information and services meets our need for convenience. This need leads to the saving of passwords and user names, which undermines their effectiveness, or even to the omission of additional tokens for authorizing payments. Entering another token might slow the user down, but it adds another layer of security. Losing a device with so little protection entails great dangers.
Phishing scams aim to lure users into revealing private information such as user names, passwords or credit card credentials. By imitating text messages or emails from the bank that contain links to spoofed websites or a request for account information, the user is tricked into handing sensitive data directly to the thief.
Public connections are generally not very secure; most places that offer a public Wi-Fi hotspot warn users not to share sensitive information over the network. Many users might nevertheless be tempted to check their balance while sitting in the coffee shop around the corner.
Multi-channel authorization
While classic online banking uses an interplay of various channels (e.g. computer and mobile phone, computer and paper tokens such as transaction authentication numbers, computer and token generator), for mobile banking this is not the case. With a smartphone this protective duality disappears: both credentials (card number/user name and the token) are available on the phone. A stolen phone therefore exposes more sensitive data, which can lead to financial loss.
The mobile channel offers a whole new wealth of possibilities for hackers. Trojans that record entire voice conversations and send them back to a command-and-control server that steers the phone, and keylogger programs that record every single keystroke the user makes, are just two examples of malware attacks that are on the rise.
It is therefore the new imperative for financial service providers and banks to shed their widespread ‘wait and see’ attitude and start implementing a comprehensive strategy that includes cross-channel monitoring, the development of clear policies and the monitoring of the marketplaces where their apps have achieved mass penetration. The solution lies in being responsive to the rapid changes taking place in the mobile landscape, allowing defenses to respond in real time by using big data algorithms. However, the most important and most neglected part of any security strategy must be the education of the client. 99% of all security breaches in online banking are (ultimately) caused by human error and carelessness. So it was shocking for us to find in our mobile app benchmarking analyses, over and over again, a lack of security information and anti-fraud education within mobile apps, in app store descriptions or on the mobile portals that serve to make apps more popular. Fixing this shortcoming is job number one.