By Tiffany Riley, vice president

Account holders are asking
their financial institutions (FIs) to offer expanded mobile banking services,
such as remote deposit capture, bill pay, ACH payments, and wire transactions.
At the same time, however, consumers are reluctant to use mobile banking
because of the security risks. For example, a recent IntoMobile study found
that 60% of consumers identified security as the top reason for not using

Mobile banking indeed is particularly
susceptible to fraud, at least in part because of how account holders treat
their smartphones - like phones, not like the computers that they are.
Smartphones hold a lot of personal information - friends, phone numbers,
passwords, online banking links, personal information used in challenge
questions - making the phones very attractive to fraudsters. Account holders are
reasonably well trained in how to use their computer safely, but they're not
translating that behavior to their smartphones. They click on links in text
messages from unknown parties, download apps from unsecured app stores, scan
QR codes that fraudsters have placed over the originals, and give their phones to
children who will download and click on anything.

Accordingly, it should be
no surprise that the volume of mobile malware is exploding. A recent
McAfee study found a 600% increase in mobile malware from 2011 to 2012. Fraudsters
have repeatedly demonstrated not only their technical ability to bypass most security
solutions, but also their creativity. For example, a recent scheme spoofed
alerts from Apple regarding availability of the iPhone 5, which the fraudsters knew
consumers were anxious to read and therefore more likely to open.

This presents a unique hurdle between financial institutions and
the compelling opportunity presented by mobile banking. Improving mobile
security will increase customers' comfort with using the mobile channel,
thereby increasing revenue-producing adoption of expanded mobile banking
services. And preventing mobile fraud will keep those account holders as
happy, loyal customers for years to come. But to be successful, FIs must secure
the mobile banking channel with the expectation that the device has been

The best fraud prevention solutions utilize an important strategic
benefit that FIs have over the fraudsters - knowledge of each account holder's
unique mobile banking behavior. Readily available behavior-based anomaly
detection solutions can detect and prevent even the most sophisticated fraud
attacks while enabling FIs to conform to the FFIEC guidance that calls for
anomaly detection for all electronic banking channels, including mobile.

Fraudsters have demonstrated their ability to circumvent security
solutions that focus on log-in credentials, challenge questions, malware
detection, device ID, tokens and OTP, and out of band authentication, to name a
few. But fraudsters cannot mimic the mobile banking behavior of each individual
client. Behavior-based anomaly detection solutions build a model of each
account holder's behavior and then compare all subsequent activity, from login
to logout, for every mobile banking session, to those established patterns.
This enables FIs to detect suspicious or anomalous activity patterns that are
indicative of fraud. By monitoring all electronic banking activity, FIs will not only
detect fraud early, in the account compromise, reconnaissance and set-up
stages when it's much easier to prevent, but will also be in a position to contact
account holders proactively before the money is gone, which is a level of customer
service that goes beyond satisfaction into the realm of delight.

Behavior-based anomaly detection solutions have another
advantage. We know that fraudsters will continue to innovate, developing as yet
unseen schemes for emptying bank accounts through mobile devices and online
banking channels. Cyber criminals continually reinvest their "profits" into new
technologies and work together to share successes and failures. As a result,
they quickly scale successful attacks and modify unsuccessful ones, leaving FIs
with a never-ending barrage of new attacks against which they must defend
themselves and their customers.

Behavior-based anomaly detection solutions don't operate
based on which malware is being used or how the account was compromised. So,
regardless of the attack scheme, fraudsters will do something unexpected,
something that tips off the FI to the fact that this session for this
account holder indeed may be fraudulent.
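The per-account model described above, and the point that scoring does not depend on how the account was compromised, can be sketched as follows. This is an added example, not Guardian Analytics' product or algorithm; the action names, thresholds, additive score and session data are all constructed for illustration.

```python
import math
from collections import Counter
from statistics import mean, pstdev

# Constructed history for one hypothetical account: (login_hour, actions, amount)
HISTORY = [
    (8,  ["login", "view_balance", "logout"], 0.0),
    (9,  ["login", "view_balance", "bill_pay", "logout"], 120.0),
    (8,  ["login", "deposit_capture", "view_balance", "logout"], 0.0),
    (19, ["login", "view_balance", "bill_pay", "logout"], 95.0),
    (9,  ["login", "view_balance", "logout"], 0.0),
    (8,  ["login", "view_balance", "bill_pay", "logout"], 110.0),
]

class AccountProfile:
    """Per-account baseline: action frequencies, login hours, payment amounts."""
    def __init__(self, sessions):
        self.n = len(sessions)
        # Number of past sessions in which each action appeared at least once.
        self.action_sessions = Counter(a for _, acts, _ in sessions for a in set(acts))
        self.hours = [h for h, _, _ in sessions]
        amounts = [amt for _, _, amt in sessions if amt > 0]
        self.amt_mean, self.amt_sd = mean(amounts), pstdev(amounts) or 1.0

    def score(self, hour, actions, amount):
        """Return (total, reasons); higher means less like this account holder."""
        reasons = {}
        # Surprisal (bits) of actions this user rarely performs, Laplace-smoothed.
        for a in set(actions):
            p = (self.action_sessions[a] + 1) / (self.n + 2)
            if p < 0.25:  # assumed cut-off for "rare"
                reasons[f"rare_action:{a}"] = round(-math.log2(p), 2)
        # Circular distance (hours) from the nearest previously seen login hour.
        gap = min(min(abs(hour - h), 24 - abs(hour - h)) for h in self.hours)
        if gap >= 4:
            reasons["unusual_hour"] = float(gap)
        # Payment size against this account's own payment history, capped at 10.
        if amount > 0:
            z = (amount - self.amt_mean) / self.amt_sd
            if z > 3:
                reasons["amount_zscore"] = round(min(z, 10.0), 2)
        return sum(reasons.values()), reasons

profile = AccountProfile(HISTORY)
normal = profile.score(9, ["login", "view_balance", "bill_pay", "logout"], 105.0)
# Valid credentials, but the session adds a payee and sends a wire at 3 a.m.
suspect = profile.score(3, ["login", "view_balance", "add_payee", "wire", "logout"], 4800.0)
```

The `add_payee` action alone raises the score before any money moves, which corresponds to catching the set-up stage rather than the final transfer.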

FIs are encouraged to assume the mobile device has been
compromised, monitor all mobile banking activity from login to logout, be
proactive in detecting the early stages of fraud, and use behavior-based
anomaly detection to make the most of their best strategic advantage over the
fraudsters - knowledge of their mobile banking customers' legitimate behavior.

About Guardian Analytics - Guardian Analytics is the pioneer and leading provider of
behavior-based fraud prevention solutions for financial institutions. With
nearly 200 customers, more financial institutions trust Guardian's SaaS
solutions to protect their clients' assets and conform to FFIEC expectations
for anomaly detection than any other solution. To learn more, please go to www.GuardianAnalytics.com.

Tiffany Riley, Vice President, Marketing

Tiffany Riley has been Guardian Analytics' VP of Marketing for over two years, leading
the company's marketing efforts through a period of tremendous success and
growth. She is a regular presenter at industry events and author of
contributed articles, white papers, and blog posts. Tiffany has over 15 years
of enterprise software marketing and product strategy experience having
successfully delivered market leadership, customer satisfaction and
unparalleled brand awareness in emerging and mature markets. Prior to Guardian
Analytics, Tiffany worked for Market Live, Nextance, Blue Pumpkin Software,
Siebel, Scopus and Sybase.