How to Protect Mobile Banking with Advanced App Security

Ralitsa Miteva

We regularly host webcasts on topics such as digital transformation, fraud prevention, and mobile security best practices. If you missed our recent webcast, How to Protect Mobile Banking with Advanced App Security, here is the 10-minute summary. The full presentation is available on-demand.

The use of mobile banking continues to soar as a result of the COVID-19 pandemic. In line with this trend, cases of mobile banking fraud have also grown over the last year. 2020 marked a massive spike in the number of identity records compromised, as well as an increase in sophisticated mobile fraud attacks and the rise of crime-as-a-service.

While it was a record year for financial fraud, it’s also worth noting that of the 4.6 billion active internet users around the world, 91% are mobile internet users¹. From emerging markets to developed countries, mobile ranks among the most popular banking channels, even compared to online banking. According to Forrester, “In North America and Europe, around half of online adults report that they use their smartphone to conduct their banking at least weekly; and for Australian, Chinese, and Indian online adults, the mobile app is their preferred banking channel.”²

Clearly, mobile is a critical endpoint for financial institutions to secure. In our latest webinar, How to Protect Mobile Banking with Advanced App Security, my colleague Greg Hancell and I discussed the impact of progressive mobile threats and how advanced security protects cell phone users. Here are the highlights.

Common Mobile Banking Threats

Financial service providers and their customers have been victimized by the steady increase in digital crime and compromised identity records over the past year. Globally, some 37 million records were compromised⁴, accounting for about 10% of the world’s online population. This has a direct impact on financial crime and provides criminals the raw material to perpetrate a staggering amount of fraud, from account takeover to synthetic identity fraud. According to a report by the Aite Group, US Identity Theft: The Stark Reality, identity theft has increased by 42% since the beginning of the pandemic. Virtual onboarding of customers has led to a spike in application fraud, where criminals open new bank accounts remotely with fake or stolen identification.

Compounding this is the December 2020 discovery of an evil emulator farm, which demonstrated that mobile fraudsters can now automate their processes, easily harvest mobile device identifiers, spoof GPS locations, and intercept SMS messages to bypass static authentication. Achieving unforeseen levels of scale and speed of operation, cybercriminals successfully emulated unsuspecting users and mobile devices to drain millions from online bank accounts in record time.

SIM swaps, which combine elements of identity theft and account takeover, have also seen a resurgence. As mobile payments become more popular, the use of mobile banking has provided an opportunity for more SIM swap attacks. In a SIM swap attack, a perpetrator uses the stolen personal information of a victim to have mobile operators activate the victim's number on a new SIM card. Criminals use information from SMS or voice one-time passwords (OTP) to access bank accounts and steal funds. Many victims of SIM hijacking scams have seen online accounts tied to their phone number taken over. Social media accounts such as Facebook or LinkedIn are one example, since they provide access to sensitive information such as date of birth, which cybercriminals can then use to feed into their SIM swap attacks (they can also use data from social accounts to facilitate classic bank account takeover and identity theft). The recent Facebook and LinkedIn data breaches are timely examples.

One of the oldest – and yet, most successful – tactics is phishing. After so many years, there’s a perception that no one could possibly fall for these scams. But time and again, from phone calls to cleverly crafted emails, attackers fool victims into handing over their credentials. 2020 was no different. In fact, COVID-19 created even more opportunities for phishing and smishing in 2020 in comparison to 2019, taking advantage of the heightened focus on the topic.

Smishing attacks are also rampant due to the increased use of mobile devices. These attacks typically resemble SMS authentication requests from banks or an alert that there has been suspicious activity on the victim’s account. They may appear legitimate to the unsuspecting user, but they include links that download malware designed to steal information from smartphones.

Mobile Fraud Detection and Prevention Strategies

Against this backdrop, what can financial institutions do to protect their customers?

  • Static credentials (username/password) should never be used for authentication. Nor should they be used for device registration; provisioning or activation of an authentication token; login; transaction authorization; beneficiary/payee creation; or any other process that requires authentication. By modernizing their authentication framework, financial institutions can stay one step ahead of attacks.
  • Use mobile app shielding to protect the mobile app's code itself. This calls for protection that works from inside the app, a technology called app shielding. Attackers typically look at opportunities for attack on two sides: the client side and the bank’s back-end (also known as the server-side). Banks have a lot more control over the back-end and can more effectively ensure that their infrastructure meets security standards. Mobile banking apps, however, reside on customers’ devices, which is an environment outside of the bank’s control. And despite efforts to secure the platform, users become the weak link. After all, some users will engage in risky activities including:

    a. Jailbreaking or rooting their devices in order to download free apps (and not always downloading from the official app stores)
    b. Connecting to public Wi-Fi hotspots or networks regardless of their trustworthiness
    c. Postponing critical security updates to their operating system
  • Implement a multi-layered cybersecurity strategy. There are extra layers of security that will strengthen your defenses. This includes secure provisioning, secure channel communication, client- and server-side risk analysis, and continuous session monitoring with risk assessment and machine learning.
  • A wealth of mobile data is available to financial organizations to combat the increased number of cyberattacks. Insights from users’ behavior as well as data about their phone (e.g., whether it’s been jailbroken, whether it contains malware or indicators of any other security risks, the OS version, geolocation, etc.) can be used to predict and detect financial fraud in real time.

Why Data is Important for Mobile Banking Security

Fraud trends have made it clear that relying on a username and password at login is no longer sufficient to guard against fraudulent activity. However, when someone accesses, or attempts to access an account, there is a lot of data that can be used to determine whether or not this is a legitimate customer and whether the transaction requested is legitimate. This includes:

  • User data: The type of authentication method used to login; behavioral profile; etc.
  • Device data: The type of mobile phone they’re using; whether the device has been registered with the bank; jailbreak/root status; etc.
  • App data: App version; language; etc.
  • Device health data: Screenshot detection; code injection alert; overlay alert; etc.

Financial service providers have the data, but they may not be collecting and analyzing it. In fact, mobile is the gateway to a tremendous amount of data, but 60% of webinar attendees indicated that they did not have enough insight into users’ behavior and devices. Gaining that insight requires banks, credit unions, and other financial institutions to have a risk-based fraud prevention solution that analyzes big data in order to understand the actions and attributes of a user’s journey and identify indicators of fraud.

It would be impossible for fraud analysts or data scientists to process such volumes of data manually. Unlike humans, machine learning possesses the powerful ability to understand massive amounts of data, analyze at scale and within context, and assign a risk score in real-time.

This technology enables a risk-based fraud prevention system to apply the precise level of security, at the right time, through step-up authentication. Machine learning is the only way to effectively fight the fraud attacks that are increasing in scale and complexity.

Ingesting and analyzing all the data available requires a fraud prevention system based on machine learning. Multi-factor authentication (MFA), in addition to machine learning-based fraud prevention, can make committing cybercrimes much more difficult for fraudsters. These methods allow the system to catch instances of fraud and stop them in real-time before significant harm is done. When financial institutions get this right, it not only increases security and digital trust, but also reduces friction in their customer experience.
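
The following added example (not OneSpan's code and not from the webcast) illustrates continuous session scoring with step-up authentication, using device and device-health signals like those listed above. The hand-set weights, thresholds, signal names and the constructed session are assumptions standing in for a trained machine learning model.

```python
# Hand-set weights standing in for a trained model (assumption, not from the page).
SIGNAL_WEIGHTS = {
    "unregistered_device": 30,
    "rooted_or_jailbroken": 25,
    "outdated_os": 10,
    "screenshot_detected": 5,
    "overlay_alert": 35,
    "code_injection_alert": 40,
}
ACTION_WEIGHTS = {"login": 0, "view_balance": 0, "add_payee": 20, "payment": 15}
HIGH_VALUE = 1000  # constructed threshold in account currency

def score_event(signals, action, amount=0):
    """Risk of one user action given every signal seen so far in the session."""
    score = sum(SIGNAL_WEIGHTS[s] for s in signals) + ACTION_WEIGHTS[action]
    if amount >= HIGH_VALUE:
        score += 10
    return min(score, 100)

def decide(score):
    """Map the score to the authentication the action must pass."""
    if score >= 70:
        return "block"
    if score >= 30:
        return "step_up"
    return "allow"

def monitor(events):
    """Re-score on every action; device signals accumulate for the session."""
    seen, decisions = set(), []
    for event in events:
        seen.update(event.get("signals", ()))
        score = score_event(seen, event["action"], event.get("amount", 0))
        decisions.append((event["action"], score, decide(score)))
    return decisions

# Constructed session: an overlay is detected just before a payee is added.
SESSION = [
    {"action": "login", "signals": ["outdated_os"]},
    {"action": "view_balance"},
    {"action": "add_payee", "signals": ["overlay_alert"]},
    {"action": "payment", "amount": 2500},
]

if __name__ == "__main__":
    for row in monitor(SESSION):
        print(row)
```

The same payment that would pass on a clean device is blocked here because the overlay alert raised earlier in the session still counts toward the score.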

Recap: Security Measures to Make Mobile Banking Safer

The rapid evolution of mobile banking services means banks are still learning how to deal with digital threats. In summary, here are some of the key steps financial institutions can take to help protect customers and mitigate fraud:

  1. Ensure your banking apps are well secured. Apply app shielding to secure your mobile banking apps since you can’t control the environment they operate in.
  2. Provide your customers with secure and convenient authentication. Use multi-factor authentication (also known as MFA or strong customer authentication). Relying on a username and password at the login stage is no longer sufficient to guard against fraudulent activity.

    Also, replace SMS OTP with a more secure alternative. While delivering one-time authentication codes by text messages is seen as a simple and convenient means to communicate with the end-customer, security experts have been warning about the vulnerabilities of SMS as a method for authenticating user actions (logins, financial transactions, profile changes, mobile banking app registration/reactivation, etc.). In fact, the European Banking Authority (EBA) recently confirmed that SMS OTP does not meet the PSD2 SCA requirements for dynamic linking. There are multiple alternatives to SMS OTP, including:

    a. Push notifications sent directly from a mobile banking app
    b. One-time passcodes generated by a standalone mobile authentication app
    c. Biometrics
    d. Out-of-band transaction signing using technology like OneSpan’s Cronto 

  3. Establish a secure channel between your customer and banking server. This prevents data from being compromised and enables a reliable mobile device profile to be created on the server. This makes life much more difficult for attackers. Technology like OneSpan’s Cronto can help.

  4. Implement a risk assessment solution. Analyzing user behavior and data collected from your digital banking channels can help facilitate better device risk mitigation. By continuously scoring the device with every user action, we can evaluate the level of trust allocated to it in real time. A trusted device can also be used as a secure authentication method for omnichannel banking.
  5. Balance user experience and security. Adaptive authentication is the best way to do that. But in order to adjust the level of authentication to each individual transaction, you need a risk-based fraud prevention system. The underlying concept is simple: by adapting the authentication to the level of risk in a transaction or interaction, a financial institution can both secure and ease the customer experience.
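
The dynamic linking requirement mentioned in step 2 means the authentication code is bound to the amount and payee the customer approved, which a plain SMS OTP is not. The sketch below is an added example, not OneSpan's Cronto algorithm or any code from the webcast; the per-device key, the field names and the HMAC construction with HOTP-style truncation are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

FIELDS = ("payee", "amount", "currency", "nonce")

def canonical(tx):
    """Length-prefix each field so field boundaries cannot be shifted."""
    out = b""
    for name in FIELDS:
        raw = str(tx[name]).encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out

def sign_transaction(device_key, tx, digits=8):
    """Code the customer's device derives from the details it displays."""
    mac = hmac.new(device_key, canonical(tx), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                      # HOTP-style truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Verifier:
    """Server side: checks the code against the order it is about to execute."""
    def __init__(self, device_key):
        self.device_key = device_key
        self.used_nonces = set()

    def verify(self, tx, code):
        if tx["nonce"] in self.used_nonces:
            return False                          # replayed authorisation
        expected = sign_transaction(self.device_key, tx)
        if not hmac.compare_digest(expected, code):
            return False
        self.used_nonces.add(tx["nonce"])
        return True

def demo():
    key = secrets.token_bytes(32)                 # constructed device key
    server = Verifier(key)
    shown = {"payee": "ACME-EXAMPLE-001", "amount": "250.00",
             "currency": "EUR", "nonce": secrets.token_hex(8)}
    code = sign_transaction(key, shown)           # customer approves this
    tampered = dict(shown, payee="OTHER-EXAMPLE-999")
    return (server.verify(tampered, code),        # payee changed in transit
            server.verify(shown, code),           # genuine order
            server.verify(shown, code))           # same code replayed
```

`demo()` returns `(False, True, False)`: the code only authorises the exact order the customer saw, and only once.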

Key Takeaways

The use of mobile banking applications has been accelerated due to the pandemic. As a result, mobile banking has become a frequent target of cyberattacks. Financial institutions need to take steps towards mitigating these attacks, including implementing risk assessment solutions.

Solutions such as OneSpan’s Risk Analytics fraud prevention system use machine learning to analyze customer data to identify criminal activity in real time. As fraudulent activity becomes increasingly sophisticated, businesses should look towards multi-factor authentication and machine learning-based fraud protection as a highly effective solution for protecting mobile banking customers.

2. The Forrester Digital Experience Review™: Global Mobile Banking Apps Summary, 2020

Ralitsa Miteva is a fraud detection and prevention solutions manager at OneSpan where she advises financial institutions and other organizations about the evolving fraud landscape and helps them to overcome the new prevention challenges during their digital transformation.