The Double Edged Sword of Mobile Banking: Meeting client demand for mobile services while mitigating escalating fraud threats

White Paper


Page 1: The Double Edged Sword of Mobile Bankingdocs.bankinfosecurity.com/files/whitepapers/pdf/590_Double_Edged… · The Double Edged Sword of Mobile Banking Meeting client demand for mobile



Table of Contents

INTRODUCTION .... 1
THE USE OF MOBILE BANKING IS EXPANDING RAPIDLY .... 1
MOBILE DEVICES ARE UNDER ATTACK .... 3
MALWARE-INFECTED MOBILE APPS .... 4
IMPACT ON FINANCIAL INSTITUTIONS .... 6
FIS ARE INCREASING TECHNOLOGY BUDGETS ALLOCATED TO THE ONLINE & MOBILE CHANNELS .... 7
MOBILE SECURITY STRATEGY .... 7
FFIEC GUIDANCE SUPPLEMENT – MOBILE IS NOT EXEMPT .... 8
APPLY LESSONS LEARNED THE HARD WAY FROM ONLINE BANKING FRAUD .... 8
ANOMALY DETECTION FOR MOBILE BANKING – DEVICE INDEPENDENT PROTECTION .... 9
FRAUDMAP MOBILE: ANOMALY DETECTION FOR THE MOBILE CHANNEL .... 11
CONCLUSION .... 12
ABOUT GUARDIAN ANALYTICS .... 12

Guardian Analytics – The Double Edged Sword of Mobile Banking – Page 1

Introduction

Financial institutions (FIs) are facing a difficult challenge – account holder demand for services that are rife with fraud threats. Expand services too quickly and they risk fraud losses. Expand too slowly and they risk losing customers. It’s truly a double-edged sword that financial institutions must wield very carefully.

The mobile banking channel is expanding very rapidly, more quickly than was ever seen for the online banking channel. FIs are actively developing and releasing mobile banking capabilities in response to client demand, with risk increasing in proportion to the utility those clients are seeking. However, mobile banking users to date have not applied the hard-learned lessons from the online channel to mobile banking, engaging in careless behavior that they would never consider with their computer or online banking.

The result is a highly attractive opportunity for fraudsters: a device that contains rich personal information, lax security, and a market that is expanding faster than the rate at which security controls are being deployed.

As financial institutions consider how to secure the mobile channel, they must start with an important premise: the device has been compromised. Smartphone owners’ behavior combined with very rapidly deployed malware has resulted in a very high infection rate, to the point where attempting to draw the battle lines at the device is sure to fail. The good news is that the anomaly detection solutions that have proven so effective at protecting the online channel are just as effective at protecting the mobile banking channel.

The Use of Mobile Banking is Expanding Rapidly

Consumers and businesses are embracing mobile banking, adopting it at a much higher rate than they did online banking.

Based on a study by Aite Group, over 50% of consumers already use online banking, and 20% already use mobile banking (see Figure 1). Furthermore, “Mobile Only” users, while currently only 7% of the population, are the fastest growing group as financial institutions deploy mobile banking apps that don’t require clients first to be online banking users.

The escalating mobile banking adoption rate (see Figure 2) is fueled primarily by smartphone penetration. According to Nielsen, nearly half of US adults now have a smartphone.

Fig 1: Consumer Use of Mobile and Online Banking


As consumers dip their toe into the mobile banking waters, they naturally expect the same features and functionality through their smartphone as they are used to getting online, pushing financial institutions to expand services. This has become a further driver of adoption as the rich functionality attracts new users to mobile banking.

Also, tablets blur the line between online and mobile, enabling a richer consumer experience while maintaining mobility, further speeding the adoption curve.

In response to such growing demand, financial institutions are progressing rapidly along the mobile banking product continuum, each step adding customer utility and risk:

Mobile Banking Services:

1. Balance checking account – very low risk, but limited utility.
2. Maintain account – includes low-risk activities such as checking balances; still no transactions involved.
3. Pay bills – increased utility, but risk is limited by controlling the list of merchants.
4. Alerts – increased value to consumers, but alerts are also used for out-of-band authentication, so this introduces the risk of enabling fraud in other channels.
5. Remote Data Capture (RDC) – most commonly used for taking a photo of a check in order to deposit it remotely (more on this later); increasingly deployed both to consumers and small business. Increased risk because account information is stored as part of the check image.
6. Transfer funds – this was just getting started in 2011, but is really ramping up in 2012 for point-to-point retail payments. Now also used in the business-to-business environment. This is fraudsters’ bread and butter, as they use stolen credentials to transfer funds into their own accounts.
7. Mobile payments – not a lot of financial institutions are offering this yet because of the high level of risk involved, but it is top of mind because they don’t want consumers shutting down their FI-developed mobile banking app and launching third-party apps in order to make mobile payments.

(Diagram axis: Increasing Customer Utility / Increasing Risk)

Fig 2: U.S. Mobile Banking Users 2007 to e2013 (millions)


According to a study conducted by Aite Group in the fall of 2011, both consumer and business banking platforms are seeing mobile banking traction.

Among large financial institutions, all have mobile banking either already available or on the roadmap for business and/or consumer use:

• 47% have already deployed mobile banking for both business and consumers
• 29% have deployed mobile banking for consumers and have business on the roadmap
• 12% have deployed for consumers only
• 12% have not yet deployed it, but it’s on their roadmap

Among mid-size financial institutions, again all have mobile banking either available now or on their roadmap:

• 45% have deployed mobile banking for consumers and have business on the roadmap
• 9% have deployed for consumers only
• 45% have not yet deployed, but it’s on the roadmap

Mobile Devices are Under Attack

Financial institutions’ key challenge in regard to mobile banking is that consumers do not treat their smartphones like computers. The industry has trained online banking users about what to avoid on their computer. We now need that same level of education on mobile devices.

For example, consumers are willing to go to an app store and download a game, not knowing if it’s the real one or a fraudulent, malware-infested knock-off. Or they’ll scan a QR (Quick Response) code – those black checkerboard patterns that are showing up everywhere – not knowing with confidence just what will be downloaded. Fraudsters have been known to overlay their own QR codes on otherwise legitimate signs and displays.

Smartphones are a very attractive target for fraudsters because they provide easy access to consumers’ personal info:

• Where they’ve been
• Who they know
• What social networks they use
• Where they shop
• Where they bank

Smartphones also provide easy access to two common security measures used by financial institutions for confirmations, validations, and other authentication intended to prevent fraud. Access to the smartphone means fraudsters can:

• Forward and delete email – so the victim never sees messages sent by their financial institution when something suspicious is observed
• Forward or redirect SMS messages – so they can capture one-time passwords sent to the mobile device with the intent of preventing the very fraud that the interception is now enabling

There are three types of mobile banking capabilities, each of which introduces a range of risks:

SMS – These are text messages received on a mobile device. SMS is currently used for online banking for out-of-band authentication and one-time passwords (mobile transaction authorization numbers). ZitMo (Zeus in the Mobile) is a variation of the well-known ZeuS Trojan specifically designed to intercept these text messages and forward them to the fraudster. SMishing (“SMart phone phishing”) also is very common today – good old-fashioned phishing used to target smart phones. Fraudsters send messages to smart phones with enticing links to malware, and consumers are more than willing to click on these random messages, resulting in malware being downloaded. Indeed, 70% of mobile malware is delivered via SMS messages.

Mobile Web – This is using a smartphone-based browser to log into online banking. All of the same threats that exist with online banking apply here – keylogging Trojans to steal login credentials, malware that changes the payee, and malware that enables the fraudster to completely take over the online banking session from the smartphone.

Custom Mobile Apps – These are apps that financial institutions make available to account holders specifically for the purpose of mobile banking. The feature set can vary widely (see the mobile banking product continuum presented earlier). Fraudsters offer spoofed versions of these mobile apps, and also distribute malware through spoofed everyday, non-banking apps that are readily available on mobile app stores. This topic warrants further discussion.

Malware-infected Mobile Apps

The app store may be the greatest malware distribution platform ever invented, possibly second only to email.

The Android OS currently is criminals’ new favorite distribution platform. Consider that:

• 100% of new mobile malware strains detected in 3Q 2011 were on Android OS (source: McAfee Threat Report).
• From 2010 to 2011, the one-year increase in Android-based malware was 3,325% (source: Juniper Networks).
• Android users are two and a half times as likely to encounter malware today as 6 months ago, and three out of ten Android owners are likely to encounter a web-based threat on their device each year (source: Lookout Mobile Security).


Mobile malware distributed via mobile apps – including but not limited to mobile banking apps – lends itself to a wide range of distribution methods including app stores, social networks (e.g. Facebook), and WiFi networks (see the Post Office WiFi Hotspots sidebar).

Malware is used to control the phone, access data stored on the smartphone, capture login credentials, and redirect transactions. But the malware doesn’t necessarily have to be used to compromise mobile banking directly. For example, fraudsters can use the installed malware to obtain credentials from the mobile banking app, and then use them to log into online banking and commit fraud there.

Some malware strains are starting to take advantage of the unique abilities of mobile devices. One strain of mobile malware records voice conversations and sends the recording to the Command & Control server for fraudsters to use for spoofing biometrics, social engineering, or other schemes.

The result is a range of fraud schemes that can be carried out directly through the mobile device or elsewhere. The major categories of fraud perpetrated using mobile malware are:

• Identity theft – collecting personal information from the mobile device to be used separately or resold to other cyber criminals.
• Mobile fraud – executed directly in the mobile channel, such as using bill pay to transfer funds to a fraudster’s account.
• Cross-channel fraud – for example, capturing login credentials from the mobile device and then logging into online banking, or viewing stored check images and then using the routing number, account number and signature to submit wire transfers through customer service.

Online threats still far outweigh mobile risks – there are “only” 1,800 unique strains of mobile malware vs. 75 million known malware strains on computers.

However, mobile malware is increasing at a much faster rate, and as we see increasing functionality deployed to the mobile platform, plus the resulting increase in transactions, fraudsters will be increasingly interested in the mobile channel.

One aspect of mobile banking fraud that has risk professionals most scared is that there are new and different capabilities on mobile devices that are not an issue in the online channel, such as the earlier example where the fraudster recorded a voice conversation. Everyone is worried that the bad guys will figure these out first and take advantage of the loopholes before the industry is able to plug them.

Post Office WiFi Hotspots

Here’s an example of how fraudsters already are tapping into unique characteristics of smartphones.

Fraudsters configured smartphones with long-life batteries to act as WiFi hotspots. They then mailed the phones to known undeliverable addresses so the phones would land in the dead mail bin at the local post office.

As customers wait in line, they notice a WiFi hotspot and, naturally trusting the post office, check email or access the Internet. As soon as they do so, the fraudster’s device downloads malware onto their smartphone.


Impact on Financial Institutions

Among global risk executives, 88% believe that mobile fraud is the next big point of exposure in financial services fraud (source: Aite Group). The number one reason that consumers don’t adopt mobile banking is concern about security (Javelin).

Mobile banking by corporate users is further hindered by security concerns due to the large dollar amounts at risk. Forty-three percent of corporate treasurers will not allow corporate banking via mobile devices (Aite Group).

The resulting impact on financial institutions is an overall hesitancy to expand mobile services until they’re confident that fraud threats are minimized and they can avoid the hard lessons learned in the online channel.

Risk exposure is possible on a number of fronts:

• “BYOD” – The “bring your own device” phenomenon is cause for concern, especially in a business environment where device use is blended with personal use. For example, parents often hand their smartphone (which contains extensive personal information) to a child to keep him quiet during a drive, at which time there’s no control over what the child clicks on or downloads; then the parent brings it right back into the office with access to networks, servers, and email.

Also, it’s easier to lose a cell phone – typically with no password protection – than a notebook computer, exposing personal information, images, email and more to whoever happens to find the phone (see the Symantec Honey Stick Project sidebar).

• Remote Data Capture (RDC) – A highly visible application of this is using the smartphone to deposit a check by taking a photo and then sending the image to the bank. This is a great consumer service. But banks that are looking to deploy it have a lot to think through. How is the check image stored on the mobile device? Is the transfer secure? Is sensitive information deleted after it’s sent?

• Mobile Payments – This introduces many different players that don’t have security experience but are involved in point-of-sale transmissions to their FI through ACH or credit cards. Lots of players + limited security experience = very high risk.

Symantec Honey Stick Project

Symantec conducted a very interesting study that highlights the vulnerability of personal data stored on a smartphone, even when there are no professional cyber criminals involved.

They configured 50 smartphones with custom software that would remotely monitor all activity, and then intentionally lost them. What is interesting is what the finders – random, ordinary people – did with the phones.

Only 50% tried to return the phones, and most did some snooping first.

• 96% of the phones were accessed by the finder
• 60% attempted to access social media info and email
• 43% of finders attempted to access the banking app
• 57% of finders accessed the saved password file


FIs are Increasing Technology Budgets Allocated to the Online & Mobile Channels

A survey recently completed by iSMG about banking fraud and conformance with the FFIEC Guidance found that 61% of respondents – more than any other response – said they will invest in fraud detection and monitoring solutions in the next 12 months. It also found that only 20% of financial institutions plan on decreasing (3%) or leaving the same (17%) the resources – personnel and budget – dedicated to preventing fraud.

Looking more closely at the fraud prevention budget, according to Aite Group the budget is primarily going to remote channels (see Figure 3).

Three in every four FIs are prioritizing remote channels, putting commercial online business (48%) and online/mobile (29%) at the top of their technology investment priority list. This prioritization is driven by a potent combination of corporate account takeover threats – which could result in financial loss and reputational risk – and the compliance mandate resulting from the June 2011 FFIEC guidance. They also recognize that online and mobile channels are where fraud threats are most intensive. 50 percent said that the type of threat causing them the most pain is cybercrime and malware (source: Aite Group).

Mobile Security Strategy

In developing a strategy for securing the mobile channel, the key question is: how do FIs secure the channel when the device is compromised? You can’t rely on purely device-centric solutions because of the high level of vulnerability of the smartphone. And you can’t rely on authentication because criminals have the means to control the phone and thereby defeat many forms of multi-factor authentication.

To secure the mobile channel, financial institutions:

• Need a layer of security separate from the device
• Need to know how customers behave specifically in the mobile channel, without which they can’t tell if current mobile banking behavior is legitimate or fraudulent.

Fig 3: Business Units with Highest Priority for Fraud Prevention Technology Investments


FFIEC Guidance Supplement – Mobile is not exempt

While the title of the Guidance Supplement refers to “Internet authentication,” the definition of layered security used within the guidance refers to “electronic banking” and “electronic transactions,” effectively including all online and mobile transactions as subject to the guidance.

This has been confirmed through numerous conversations with examiners: the Guidance does indeed apply to the mobile channel.

Furthermore, all aspects of the Guidance apply to the mobile channel:

• Deploy layered security for the mobile channel
• Simple device ID and challenge questions cannot be a primary control
• Enhance controls over administrative rights
• Complete or update risk assessments as the current threat environment changes and as new features are deployed
• Offer customer education specifically for mobile banking

Apply Lessons Learned the Hard Way From Online Banking Fraud

The banking industry has lost a lot of money to fraudsters through the online channel. It’s essential that we all learn from this experience and not repeat the same mistakes in the mobile channel.

Lessons learned in the online banking channel include:

• Don’t store personal identification information locally; store it in the cloud
• Apply layered security, understanding that at some point fraudsters will figure out how to defeat any single security mechanism
• Anomaly detection that monitors individual account holder activity has been proven to be effective at detecting fraud

Supplement to Authentication in an Internet Banking Environment, page 5:

“Layered security controls should include processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to:

• initial login and authentication of customers requesting access to the institution’s electronic banking system; and

• initiation of electronic transactions involving the transfer of funds to other parties.”


Anomaly Detection for Mobile Banking – Device Independent Protection

Behavior-based anomaly detection for the mobile (or online) channel monitors individual account holder behavior for every mobile banking session.

Referring to the diagram below, the process includes:

1) Monitoring customer behavior to develop a unique profile, or mobile DNA, for each account holder
2) Looking for anomalies when compared to typical behavior: something taking place in this session that is unusual or unexpected for this mobile banking user
3) Intervening when warranted, including increased monitoring of other channels for compromised accounts and client outreach (4).

The most effective anomaly detection solutions offer the following key capabilities:

• Monitor individual account holder behavior, instead of comparing session activity to generalized “population” level behavior
• Build separate account holder profiles for the mobile and online channels (see examples below)
• Monitor all activity, from login to logout, not just the transaction (see Figure 4)


Client behavior is different in online vs. mobile banking. Therefore, mobile and online sessions must be monitored and analyzed separately. For example:

Log-in events often occur at different times and from different places:
• Online – from a computer at work or home, usually at consistent times
• Mobile – from a cell phone network at any time of day, including evenings and weekends

Different activities are possible in online vs. mobile banking:
• Online – complete financial management
• Mobile – pre-defined mobile activities, typically a sub-set of the full online banking site

Different transactions as well:
• Online – broad array of transactions
• Mobile – typically limited to transfers and bill pay
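To make the three-step process and the per-channel profiling above concrete, here is an added example (not Guardian Analytics or FraudMAP code) that builds a separate profile per user and channel from constructed session records, scores a new session only against the profile for its own channel, and maps the score to an intervention. The features (login hour, network, activities performed between login and logout, payee, amount), the weights, and the thresholds are assumptions chosen to mirror the online-vs-mobile differences listed above.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MIN_SESSIONS = 5        # assumption: a profile needs this many sessions before it is trusted
RARE_HOUR_SHARE = 0.05  # assumption: an hour seen in under 5% of sessions is "unusual"

@dataclass
class Session:
    user: str
    channel: str                 # "online" or "mobile"; profiles are kept per channel
    hour: int                    # local hour of login, 0-23
    network: str                 # coarse origin of the connection
    actions: List[str]           # everything done between login and logout
    payee: Optional[str] = None  # destination of a transfer, if the session made one
    amount: float = 0.0

@dataclass
class Profile:
    sessions: int = 0
    hours: Counter = field(default_factory=Counter)
    networks: Counter = field(default_factory=Counter)
    actions: Counter = field(default_factory=Counter)  # sessions in which each action occurred
    payees: set = field(default_factory=set)
    max_amount: float = 0.0

def build_profiles(history: List[Session]) -> Dict[Tuple[str, str], Profile]:
    """Step 1: one profile per (user, channel); mobile and online are never mixed."""
    profiles: Dict[Tuple[str, str], Profile] = defaultdict(Profile)
    for s in history:
        p = profiles[(s.user, s.channel)]
        p.sessions += 1
        p.hours[s.hour] += 1
        p.networks[s.network] += 1
        p.actions.update(set(s.actions))
        if s.payee:
            p.payees.add(s.payee)
            p.max_amount = max(p.max_amount, s.amount)
    return dict(profiles)

def score_session(profiles: Dict[Tuple[str, str], Profile], s: Session) -> Tuple[float, List[str]]:
    """Step 2: compare the whole session, login to logout, with this user's profile
    for this channel only, and explain every point of the score."""
    p = profiles.get((s.user, s.channel))
    if p is None or p.sessions < MIN_SESSIONS:
        return 1.5, ["no established profile for this user in this channel"]
    score, reasons = 0.0, []
    if p.hours[s.hour] / p.sessions < RARE_HOUR_SHARE:
        score += 1.0
        reasons.append(f"unusual login hour {s.hour:02d}:00")
    if s.network not in p.networks:
        score += 1.0
        reasons.append(f"never seen network {s.network!r}")
    novel = [a for a in s.actions if a not in p.actions]
    if novel:  # reconnaissance or fraud-setup steps this user never took in this channel
        score += 1.0 * len(novel)
        reasons.append("activity never done in this channel: " + ", ".join(novel))
    if s.payee:
        if s.payee not in p.payees:
            score += 1.0
            reasons.append(f"new payee {s.payee!r}")
        if s.amount > 2 * p.max_amount:
            score += 1.5
            reasons.append(f"amount {s.amount:.2f} exceeds 2x the prior maximum")
    return score, reasons

def decide(score: float) -> str:
    """Step 3: map the score to an intervention (thresholds are assumptions)."""
    if score >= 3.0:
        return "hold transaction and contact client"
    if score >= 1.5:
        return "review and widen monitoring on other channels"
    return "allow"

# Constructed history for one account holder: online sessions from the office
# during working hours, mobile sessions from the cell network at all hours.
HISTORY = [Session("alice", "online", h, "office_isp",
                   ["login", "balance", "billpay", "logout"], "utility_co", 120.0)
           for h in (9, 10, 14, 16, 17)]
HISTORY += [Session("alice", "mobile", h, "cell_carrier", ["login", "balance", "logout"])
            for h in (7, 12, 19, 22, 23)]
HISTORY.append(Session("alice", "mobile", 8, "cell_carrier",
                       ["login", "balance", "transfer", "logout"], "utility_co", 50.0))
PROFILES = build_profiles(HISTORY)

# A late-night balance check is normal for this user on mobile...
LATE_MOBILE = Session("alice", "mobile", 23, "cell_carrier", ["login", "balance", "logout"])
# ...but the same session scored against her online profile would be flagged.
LATE_ONLINE = Session("alice", "online", 23, "office_isp", ["login", "balance", "logout"])
# Constructed suspicious mobile session: odd hour, unknown network, setup steps, new payee, large amount.
SUSPECT = Session("alice", "mobile", 3, "anon_proxy",
                  ["login", "view_check_images", "change_email", "add_payee", "transfer", "logout"],
                  "unknown_acct", 4500.0)
```

With these constructed records, LATE_MOBILE scores 0.0, LATE_ONLINE 1.0 (the hour alone), and SUSPECT 7.5 with five separate reasons, so only the last one reaches the hold-and-contact threshold.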

Behavior-based anomaly detection offers benefits beyond just preventing fraud:

Complete protection
• Automatically covers 100 percent of account holders with no adoption issues
• Stops the widest array of fraud attacks, including newly emerging schemes
• Long lifespan – transparent to fraudsters so it can’t be studied, and not threat-specific

No impact on customer experience
• No action required of account holders; no software to download and maintain
• Doesn’t change the mobile banking experience; transparent to users
• Customers respond positively with increased trust and loyalty

SaaS solutions are easy to deploy and manage
• Fast time to security
• Doesn’t require IT resources, and no hardware to purchase, install, and maintain
• Minimal workload for the financial institution, with a low number of alerts


FraudMAP Mobile: Anomaly Detection for the Mobile Channel

FraudMAP Mobile is the first and only behavior-based anomaly detection solution purpose-built for the mobile channel. It uniquely uses behavioral analytics to transparently monitor every mobile banking session and identify suspicious activity and anomalous transactions in the mobile banking channel.

Using activity data from the mobile banking platform, FraudMAP Mobile monitors all activity for all users – from login to logout – to identify suspicious activity relative to the expected behavior for that user (see Figure 4). And because FraudMAP Mobile is not dependent on pre-defined fraud rules or algorithm training, new and emerging threats are detected before the money is gone.

Capabilities:
• Monitors all mobile banking activity to develop a mobile banking-specific profile of each user
• Develops an overall behavioral fingerprint, taking channel use and preferences into account
• For integrated online/mobile banking platforms, delivers a combined view of each client’s online and mobile banking activity, distinguishing between the two where needed
• Looks for unexpected mobile activity and suspicious behavior to identify fraudulent account access, reconnaissance, fraud setup, and anomalous transactions
• Prioritizes mobile banking alerts solely based on the risk of the mobile banking activity
• Proactively identifies multiple mobile accounts at risk or under attack
• Offers search, analysis, and reporting features that are optimized for mobile banking activity

Benefits:
• Implement a layer of security that is completely independent of the device itself
• Increase client trust in mobile banking and increase mobile adoption
• Enhance mobile banking features knowing that you’re proactively detecting mobile banking threats
• Automatically protect all mobile banking users
• Proactively and accurately detect fraudulent mobile banking account access and fraudulent transactions
• Understand mobile usage and mobile risks
• Conform to FFIEC expectations for anomaly detection

Fig 4: Behavior-based anomaly detection solutions monitor all activity for each mobile banking user, from login to logout

Conclusion

In response to growing customer demand, financial institutions are expanding mobile banking services. Given the rich personal information available, lax consumer behavior, and increased mobile banking capabilities, mobile devices are becoming increasingly attractive to fraudsters.

Financial institutions must operate under the assumption that the device – a smartphone or tablet computer – has been compromised and implement security strategies that are completely independent of the device. Furthermore, FIs must implement security strategies that recognize the fundamental differences between the mobile and online channels, and how account holders use each.

Behavior-based anomaly detection solutions such as FraudMAP Mobile automatically monitor all mobile banking activity to establish user-specific profiles distinct to the mobile channel, and then look for anomalous behavior that could indicate fraud. Financial institutions using anomaly detection to secure the mobile channel can expand services with confidence, meeting client expectations while increasing users’ trust and confidence in mobile banking and in the financial institution.

About Guardian Analytics

Guardian Analytics was founded on, and is completely focused on, fraud protection for financial services institutions. We’re proud to serve banks and credit unions that are taking a proactive step to lead the way in fraud prevention. Our customers take the promise of security very seriously – as an essential element of their brand, reputation and their commitment to protect their institution and their account holders from fraud attacks.

Our behavior-based anomaly detection solutions, FraudMAP Online and FraudMAP Mobile, were developed by leveraging our employees’ direct experience and deep expertise in electronic banking fraud prevention – including solving actual fraud cases – built up over many years with extensive investment in intellectual property. www.guardiananalytics.com