Banks are offering mobile banking in their droves, a service made increasingly attractive to customers by web-enabled smartphones such as the iPhone. But, as 41st Parameter’s Ori Eisen explains to EPI, history has shown that fraud follows payments innovations. Mobile banking will be no exception, he warns.
Banks must prepare for security attacks as fraudsters turn their attention to the mobile channel, warns Ori Eisen, founder and chief innovation officer of US payments security specialist 41st Parameter.
“Regrettably,” he added, while speaking to EPI, “they won’t.”
The pattern has been repeated throughout the past five decades of electronic payments innovation, Eisen stressed.
“Fraud always follows innovation in payments, yet banks have not come to terms with this fact,” said Eisen.
Security must be thought of in advance, but generally this does not happen, he continued.
“Fraud followed in the wake of the rapid uptake of internet banking and we can predict the same will happen with mobile banking,” said Eisen.
A mismatch of priorities poses a significant problem, continued Eisen. Innovative ideas such as mobile banking are initially driven by banks’ marketing departments, he explained, with anti-fraud specialists left to deal with the consequences afterwards.
As in the case of internet banking, fraud losses sustained by banks in the mobile channel will have to reach an uncomfortable level before they act decisively on mobile security, believes Eisen. A big problem, he added, is that banks don’t even know what form mobile banking fraud will take.
Mobiles’ security inadequacies
However, when banks do come to terms with the reality of mobile fraud they face a tough challenge.
Quite simply, said Eisen, when compared to a desktop or laptop computer, internet-enabled mobile phones have limited security capabilities in the areas of user identification and verification. For example, mobile internet phones do not have Adobe Systems’ Flash application, which is often used by banks as an additional layer of user identity verification.
Authenticating a user’s identity in mobile banking is as critical as it is with fixed-line internet, yet, in reality, mobile banking systems are falling at this particular hurdle, he stressed.
Security weaknesses have not gone unnoticed by fraudsters, who are turning their attention to what has been the biggest success story yet in the mobile internet market: Apple’s iPhone. In late 2009, almost 3 million iPhones were being snapped up every month by customers of 140 mobile network operators in 90 countries.
Because of this popularity, US security software developer Intego studied Apple computers in November last year. It identified three new items of malicious software (malware) targeting the iPhone. Of the three, what Intego called iBotnet.A was described as “the most sophisticated iPhone malware yet.”
According to Intego, iBotnet.A has the ability to send copies of text messages received or sent by an infected iPhone to a remote server in Lithuania. This, potentially, has massive negative implications for payments services using short message service technology.
Indicating the intent of iBotnet.A’s creators, the malware changes an entry in the iPhone’s hosts file for a Dutch bank website, leading users to a bogus site, presumably, noted Intego, to harvest user names and passwords.
Rich Cannings, security leader for Google’s Android mobile operating system, shares Eisen’s concerns.
He told delegates at the Usenix Security Symposium held in Montreal, Canada, in August last year: “The smartphone OS [operating system] will become a major security target for malware designers.”
An additional aspect of security highlighted by Eisen is a variation on the requirement placed on banks to ‘know your customer’ – knowing what device a customer is using.
A solution offered by 41st Parameter is client device identification (CDI), a security layer that enables banks to identify suspicious transactions.
Eisen explained the CDI solution unobtrusively captures and identifies a device’s characteristics during the login process, thus going beyond simple user names and passwords to detect suspect mobile phones, smartphones and desktop and laptop computers.
He explained that 41st Parameter’s ‘FraudNet for Account Takeover’ solution, which incorporates CDI, differentiates individual devices regardless of past registration, the credentials presented or the connection used, whether that is a mobile network operator or an internet protocol address. Eisen added that these parameters and real-time reporting create a full picture of the user, irrespective of the device being used.
Real-time reporting also enables banks to identify devices that were initially refused admission to a website and that have changed their identity to try and gain access. Eisen noted that studies have shown fraudsters can reattempt entry in a matter of minutes.
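The device-linking logic described above, as an added illustration that is not 41st Parameter’s code: a fingerprint is built from attributes captured at login, with the IP address and credentials deliberately left out, and a refused device that returns within minutes is linked even after it changes its user agent or connection. The attribute schema, thresholds and sample events are constructed for the example.

```python
import hashlib
from datetime import datetime, timedelta

# Attributes treated as the device's identity (constructed schema). The IP
# address and the credentials presented are excluded on purpose, so a device
# keeps the same fingerprint when it switches network or tries another login.
DEVICE_ATTRS = ("user_agent", "screen", "timezone", "language", "fonts", "plugins")
REATTEMPT_WINDOW = timedelta(minutes=10)   # how long a refusal stays "recent"
LINK_THRESHOLD = 0.75                      # share of attributes needed to link


def fingerprint(attrs):
    """Exact device identifier: hash of the canonicalised identity attributes."""
    canon = "|".join(f"{k}={attrs.get(k, '')}" for k in DEVICE_ATTRS)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def similarity(a, b):
    """Fraction of identity attributes two login events share (0.0 to 1.0)."""
    same = sum(1 for k in DEVICE_ATTRS if a.get(k) == b.get(k))
    return same / len(DEVICE_ATTRS)


class DeniedDeviceRegistry:
    def __init__(self):
        self.denied = []  # (timestamp, attrs) of logins the bank refused

    def record_denial(self, when, attrs):
        self.denied.append((when, attrs))

    def check(self, when, attrs):
        """Return (verdict, reason) for a new login attempt."""
        fp = fingerprint(attrs)
        for seen_at, old in self.denied:
            if when - seen_at > REATTEMPT_WINDOW:
                continue  # refusal too old to count as a re-attempt
            if fingerprint(old) == fp:
                return "block", "same device refused minutes ago"
            if similarity(old, attrs) >= LINK_THRESHOLD:
                return "review", "device resembles one refused minutes ago"
        return "allow", "no link to a recently refused device"


# Constructed sample events (documentation IP ranges). RETRY keeps the device
# but changes its user agent and IP; GENUINE is an unrelated customer device.
REFUSED = {"user_agent": "Mozilla/5.0 (iPhone; OS 3_1_2)", "screen": "320x480", "timezone": "+1",
           "language": "en-GB", "fonts": "f1,f2,f3", "plugins": "none", "ip": "198.51.100.7"}
RETRY = dict(REFUSED, user_agent="Mozilla/5.0 (iPhone; OS 3_1_3)", ip="203.0.113.9")
GENUINE = {"user_agent": "Mozilla/5.0 (Windows NT 6.1)", "screen": "1280x800", "timezone": "-5",
           "language": "en-US", "fonts": "f9,f10", "plugins": "flash", "ip": "192.0.2.4"}
T0 = datetime(2010, 1, 15, 9, 0, 0)


def demo():
    reg = DeniedDeviceRegistry()
    reg.record_denial(T0, REFUSED)
    return (reg.check(T0 + timedelta(minutes=1), dict(REFUSED, ip="192.0.2.77")),  # block
            reg.check(T0 + timedelta(minutes=3), RETRY),                            # review
            reg.check(T0 + timedelta(minutes=3), GENUINE),                          # allow
            reg.check(T0 + timedelta(hours=2), REFUSED))                            # allow (stale)
```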
Eisen emphasised the challenges of mobile banking security are another manifestation of an overall trend by banks to “push customers further away.” In the 1970s all banking was done in person, and knowing your customer was straightforward. With the introduction of the ATM, customers were first “pushed into the street” and with the advent of internet banking have been “pushed into the data centre basement”, he added.
“The further banks push customers away the less visibility they have,” Eisen stressed.
And Eisen sees increasing risk in the use of the internet for new customer acquisition.
“It is very low at present but growing fast,” he noted. “It is now possible a bank will never meet a customer, only adding to security threats.”
His concerns were highlighted in a report published by US research firm Gartner, Best Practices in New Account Fraud Detection. The report revealed new account fraud in a mainly online environment is at least five times higher than it is when accounts are opened in person.