Keep Mobile Fraudsters at Bay

The ubiquity of mobile devices has created three primary security concerns.

February 6, 2014

The proliferation of mobile devices has been a game changer— and a development that has created a “general sense of unease” among many financial institutions, particularly in the realm of security, says Jason O’Dell, senior security operations manager at the Gladiator Technologies division of ProfitStars.

“By 2015 there will be 1.1 billion mobile banking customers doing $1 trillion in annual transactions,” he says. “By 2016, it’s expected that the number of mobile devices worldwide will exceed the entire human population.”

O’Dell says this ubiquity has created mobile security concerns in three primary areas: Mobile apps designed without proper levels of security, wireless security, and device theft and loss.

“Wireless security can be compromised at open-access points such as coffee shops where ‘man-in-the-middle’ attacks can come into play,” he says. “These attacks trick users into thinking they’ve connected to the merchant’s wireless portal when instead they’ve logged into a fake site that collects their financial data. They’ll even impersonate credit union websites.”

Amanda Smith, manager of emerging products at CO-OP Financial Services, says security issues open mobile devices to two main areas of risk: identity theft/account takeover and mobile malware.

The latter threat involves malware specifically targeted at mobile operating systems, says Jay McLaughlin, chief security officer at Q2. “The threat is real, and the proliferation of malware attacking mobile devices will continue to grow.”

Currently, he says, mobile malware is growing at a fast rate in the Android market, partly due to the open architecture.

“Thus far, most mobile malware has been used to run up charges from cellular carriers, for example, directing users to premium services,” McLaughlin says. “This is quickly evolving towards credential-stealing and theft of financial data.”

Still, mobile banking risks thus far haven’t been as great as those related to online banking. “Fraudsters will always focus their attention where they have the most to gain, which so far has been online banking,” he says. “But as mobile banking functionality and user adoption rates increase, fraudsters will focus more on the mobile channel.”

How to respond

Smith says credit union members are legitimately concerned about mobile banking security, citing a recent survey where 78% of respondents cited security concerns as the biggest factor in not adopting mobile banking.

O’Dell cites a recent Hewlett-Packard study which found that 37% of all apps are vulnerable to password gaming. How can credit unions counter this problem?


“We suggest to apps makers that they use different protocols, and we tell credit unions to set up a penetration testing process when accepting an app,” O’Dell says. “Beyond that, we look for certain online behaviors that denote risk; activities outside a user’s normal patterns. There are certain patterns that occur in man-in-the-middle attacks. We encourage credit unions to create a culture of security awareness that educates members to use strong passwords and not rely on public-access wireless for sensitive transactions.”

Smith says credit unions should educate members to:

  • Install antivirus and malware detection on their devices;
  • Download financial service apps only from the credit union;
  • Exercise caution when opening suspected spam;
  • Refrain from sending account numbers or conducting money transfers via text; and
  • Approach mobile security as they have with other services, such as online banking.

Security best practices

Unfortunately, even the best security measures can’t always thwart fraudsters’ attacks. That’s why O’Dell suggests establishing an incident response process that allows the credit union to:

  • identify, contain, and eradicate threats;
  • recover from them; and
  • determine lessons learned.

In addition, Smith suggests using multifactor authentication, encryption, and timeouts, where devices lock after a certain amount of time.

Q2 offers a multilayered security approach. “Our controls focus on the entire banking session, from login and authentication to transaction submission,” McLaughlin says.

The company uses out-of-band one-time codes or tokens, as well as behavioral scoring models, to detect and prevent anomalies in logins and transactions.

Consider, for example, when a member logs into an online session and successfully completes a multifactor process. At this point a fraudster might step into the session with a man-in-the-middle attack—often the result of a previous infection by malware or a Trojan—and attempt to create fraudulent transactions.

“By enforcing controls such as out-of-band transaction authorization, the fraudster can be stopped from successfully submitting the transaction,” says McLaughlin. “Using behavioral analytics and transaction anomaly detection, the fraudster also may be stopped because the transaction appears to be unusual or anomalous compared to previously known good transactions created by a particular member.”

Among other best practices security vendors recommend, O’Dell advises against using a one-vendor or one-layer solution for defense by, for example, putting all of your resources into prevention but not focusing on detection. “You have to know when you’ve been breached and then have the means to stop it.”

All threats considered, McLaughlin believes credit unions should treat the mobile channel just like any other. “It does have its own set of somewhat unique threats and risks, but the approach to security should be the same: Layered controls deployed to provide a secure banking experience despite the state of the device.”

He adds that education remains an area that can benefit credit union members. “Many members aren’t aware of, or understand, the risks. Credit unions should consider how they can bring their members into the fight against fraud. Often, members are seen as the problem when discussing fraud and rarely thought to be included in the solution.

“Credit unions don’t have much control over mobile devices themselves,” McLaughlin adds. “While there are vendors that have built solutions to secure mobile devices, solely focusing efforts on protecting members’ devices will result in a losing battle. Instead, credit unions should aim to provide a secure banking experience regardless of the device or the state of the device. Assume the device is or will be compromised with malware at some point, and build security in the application itself.”

PATRICK TOTTY is a freelance writer based in Larkspur, Calif.