Mobile security is important because smartphones have become essential to many people's daily lives. However, mobile banking adoption and usage have stalled somewhat due to security concerns. Various threats target mobile devices, including malware, phishing scams, and vulnerabilities in operating systems. Fraud committed using mobile devices costs merchants more than fraud through other channels. Banks have been impacted by "spoofing" apps that steal user credentials. Improving visibility, control, and authentication, and communicating with customers about new security features, can help address these issues and better protect mobile users and transactions.
2. Smartphones are everywhere and people are
dependent on them, so much so that Nomophobia
(“no mobile phone” phobia) is a real thing!
Source: http://www.huffingtonpost.com/2015/05/18/nomophobia-smartphone-sep_n_7266468.html
3. 87% of Millennials say their phones
never leave their side
80% reach for their smartphone
first thing in the morning
78% spend more than two hours a
day texting, surfing, talking,
tweeting and — more importantly
for businesses — shopping, banking
and more
Source: http://www.usatoday.com/story/money/personalfinance/2014/09/27/millennials-love-smartphones-mobile-study/16192777/
4. Mobile Payments are Gaining Momentum
94% of global conversations are positive
regarding mobile payments
61% of Millennials purchase something on
mobile at least once a month
Apple Pay technology is now supported by
2,500 card-issuing banks, while the number
of locations has tripled to nearly 700,000.
http://www.usatoday.com/story/money/personalfinance/2014/09/27/millennials-love-smartphones-mobile-study/16192777/
http://www.emarketer.com/Article/Millennials-Embrace-Mobile-Banking/1012871
http://techcrunch.com/2015/03/09/apple-pay-stats/#.fminlf:YHsv
6. Mobile adoption has recently stalled…
52% of smartphone owners with a bank
account performed at least 1 mobile
banking transaction in 2014 – up from
51% the previous year
Source: http://www.nbcnews.com/business/consumer/why-has-mobile-banking-growth-stalled-blame-hackers-n351851
7. "Security is and will continue to be a
primary concern with regard to mobile
banking.”
-Nessa Feddis
Vice President and Senior Counsel, American Bankers Association
66% of non-mobile banking
adopters cite security concerns
http://www.nbcnews.com/business/consumer/why-has-mobile-banking-growth-stalled-blame-hackers-n351851
http://thefinancialbrand.com/53431/global-mobile-banking-usage-study/
9. The bottom line: Each dollar
worth of fraud committed using
mobile devices costs the
scammed merchant $3.34.
Source: http://www.bloomberg.com/news/articles/2015-02-13/mobile-payment-fraud-is-becoming-a-pricey-problem
“We certainly see a surge in
mobile payment attacks,” says
Tomer Barel, chief risk officer at
PayPal, who says his company
deals with more cases of fraud
on mobile devices than on PCs.
10. Banks Impacted
South Korea Spoofed App Scam
Malware Capabilities
• Steal user information and credentials
• Ability to uninstall and take the place of the real apps they are spoofing
• Run undetected while obtaining what they are after
Customers Impacted
4,000 South Korean Android mobile banking customers throughout 2013 and 2014
Delivery Methods
Social engineering lures like “The Interview” baited victims into installing their fake apps
http://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/south-korean-fake-banking-app-scam
http://www.securityweek.com/cyber-gang-steals-millions-mobile-banking-customers-south-korea
http://www.theregister.co.uk/2014/12/29/interview_banking_trojan/
11. Is Apple Pay Fraud Growing Like a Weed?
• In theory should cut down on fraud, by generating essentially new credit card
numbers for each transaction
• Vulnerability in “onboarding” new credit cards – just need basic information
• Banks desperately wanted to be the default card for Apple Pay, so did not
question information Apple gave them (fear of missing out on initial sign ups)
• Affected users often directed to call centers, who often fall prey to social
engineering
“Leads to a thriving black market where thieves enter stolen credit
card numbers into iPhones, essentially turning the device into a
credit card, and walk out with merchandise.”
– Andrew Sorkin, New York Times
12. Operation Emmental
Mobile as part of the fraud lifecycle – where this would
not be necessarily considered “mobile fraud”
13. “When it comes to mobile devices on your network,
the best advice we have is to strive first for visibility
and second for control. Visibility enables awareness,
which will come in handy when the current
landscape starts to shift. Control should put you into
a position to react quickly.”
Source: http://www.csoonline.com/article/2928190/data-protection/are-some-reading-the-verizon-breach-report-s-mobile-section-all-wrong.html
14. One way to differentiate
and win?
Implement and effectively
communicate your more
secure mobile offering.
15. The Future – Frictionless Security
• Need transparent and frictionless security models
• Best security features are ones the end user doesn’t see or experience
• Complete view of the entire mobile ecosystem
• Security decision out of the hands of the end user
17. External Threat Proactive Monitoring
• Need to understand threats and establish a plan
• Don’t wait for customers to report phishing
• Deploy specific mobile threat technology
• Host File Scanning – prevent pharming
• Monitoring Service to search for Fake Apps
• Scan for mobile malware
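The host file scanning bullet above, sketched as an added example (not part of the original slides): a scanner that flags hosts-file entries pinning a protected banking domain to any address, the local redirect that pharming relies on. The domain names and the sample file are constructed placeholders.

```python
# Added example: flag hosts-file entries that override protected domains.
import ipaddress

# Assumption: the institution's own domains (placeholders, not from the slides).
PROTECTED = {"bank.example"}

def is_protected(host, protected=PROTECTED):
    """True if host is a protected domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in protected)

def scan_hosts(text, protected=PROTECTED):
    """Return (line_no, address, hostname) for each entry pinning a protected name."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue                           # blank or malformed line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # first field is not an address
        for name in fields[1:]:                # one line may carry several names
            if is_protected(name, protected):
                findings.append((no, str(addr), name.lower().rstrip(".")))
    return findings

# Constructed sample hosts file (documentation address ranges).
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# 203.0.113.9 login.bank.example   (commented out, ignored)
203.0.113.7 LOGIN.bank.example www.bank.example   # injected entry
198.51.100.4 bank.example.evil.test
"""

if __name__ == "__main__":
    for no, addr, name in scan_hosts(SAMPLE_HOSTS):
        print("pharming indicator: line %d maps %s -> %s" % (no, name, addr))
```

A legitimate hosts file has no reason to override the bank's own names, so any finding is worth reporting; the look-alike name on the last sample line is not an override of the protected domain and is left to fake-app and phishing monitoring.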
18. Real-time visibility key to trust
Data intelligence out of the device
• Jailbroken/Rooted
• Malicious apps
• Geolocation
• DeviceID
• Unsecure Wifi
• Same device for Multiple accounts
Increase ability to make decisions
• Require further authentication
• Enable additional functionality
19. Understand your users
Predictive models using machine
learning algorithms are already used by
retail giants. Why not other industries?
When do they usually log in?
From which location do they usually log in?
What type of transaction do they
typically perform?
Understand the customer journey
Use the history of the user across all
channels to optimize mobile usage
acceptance
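Slides 18 and 19 together, as an added example (not part of the original slides): device intelligence and the user's history feed one decision that either requires further authentication or enables additional functionality. The weights, threshold, field names and sample data are illustrative assumptions.

```python
# Added example: turn device intelligence plus user history into a decision.
# Assumption: weights, threshold and field names are illustrative only.
WEIGHTS = {
    "rooted": 40, "malicious_apps": 50, "insecure_wifi": 15,
    "shared_device": 25, "new_device": 20, "new_location": 20,
    "unusual_hour": 10, "unusual_tx": 15,
}
STEP_UP_AT = 40

def risk_reasons(sig, profile):
    """Names of the risk indicators present in this login or transaction."""
    checks = {
        "rooted": sig["rooted"],
        "malicious_apps": sig["malicious_apps"],
        "insecure_wifi": sig["insecure_wifi"],
        "shared_device": sig["accounts_on_device"] > 1,
        "new_device": sig["device_id"] not in profile["devices"],
        "new_location": sig["country"] not in profile["countries"],
        "unusual_hour": sig["hour"] not in profile["hours"],
        "unusual_tx": sig["tx_type"] not in profile["tx_types"],
    }
    return [name for name, hit in checks.items() if hit]

def decide(sig, profile):
    """Return (action, score, reasons) for one request."""
    reasons = risk_reasons(sig, profile)
    score = sum(WEIGHTS[r] for r in reasons)
    if score >= STEP_UP_AT:
        action = "require_further_authentication"
    elif score == 0:
        action = "enable_additional_functionality"
    else:
        action = "allow"
    return action, score, reasons

# Constructed sample data: one user's history and two requests.
PROFILE = {"devices": {"dev-A"}, "countries": {"US"},
           "hours": set(range(7, 23)), "tx_types": {"balance", "bill_pay"}}
USUAL = {"device_id": "dev-A", "rooted": False, "malicious_apps": False,
         "insecure_wifi": False, "accounts_on_device": 1,
         "country": "US", "hour": 8, "tx_type": "balance"}
ODD = dict(USUAL, device_id="dev-B", country="BR", hour=3, tx_type="wire")

if __name__ == "__main__":
    for name, sig in (("usual", USUAL), ("odd", ODD)):
        print(name, decide(sig, PROFILE))
```

Returning the reasons alongside the action keeps the decision explainable to fraud analysts, and the user never sees a prompt unless the score crosses the threshold.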
20. Mobile Authentication
• Need to be Native and App-Like
• SMS OTP, easily and already
compromised
• KBA, high error rate and bad UX
• Don’t get stuck on the idea of “out-of-
band”
• Out-of-channel
• Second channel of communication
• Leverage technologies like push
notification, biometrics (voice, facial)
• Improve User Experience and ability
to deliver more services
21. Now is the time to create your mobile
security strategy
• Target all stages of fraud with one unified approach across
channels, become omni-channel for security too!
• Gain visibility to your out-of-band device
• Deploy transparent and native security
• Start profiling – identify your good users
22. "The security is likely there, and the bankers
are putting a lot of effort into making sure that
it's a secure process, they just need to get that
information out to the consumer."
-RateWatch marketing manager Kimberly Myszkewicz
Communicate new security features with
customers
Source: http://www.nbcnews.com/business/consumer/why-has-mobile-banking-growth-stalled-blame-hackers-n351851
“It is no longer a question if mobile will become a major force of digital disruption in e-commerce and online banking, but rather who is going to step up, do it best, and win.”
“Do they have a point? Let’s examine some new threats targeting mobile devices.”
With 2FA, you almost give the attacker the key. If they don’t see the key,
Mobile banking security has to be far more app oriented, meaning that it will rest upon authenticating the integrity of the app and device – is it safe from malware? Is the device?
This will likely happen with very little involvement required of the consumer. We can authenticate the integrity of the app before the user is allowed to log in. Transparent deployment to end users, no third-party app for end users to download, native integration of strong authentication into applications.
Anti-fraud needs to be “baked in”.
With cloud-based solutions, SDKs, and Mobile Backend as a Service (MBaaS), you can execute on your mobile strategy much faster than before.
Many of these solutions allow you to add threat intelligence, app behavioral analysis, device authentication, push notifications, and so on.
Again, it all depends on your situation. But be mindful of the rapid pace of the mobile world!