
How to Solve a Problem Like Mobile Banking Fraud

Changing Times in Mobile Banking Adoption

In 2019, 81% of the UK adult population used internet banking, and the 2021 figure, once published, will be considerably higher. Banks' 'mobile first' campaigns are gaining real traction with their user bases: for LexisNexis® ThreatMetrix®, 85% of internet banking transactions now originate from a mobile device, the vast majority of them logins. Banks are making the mobile experience richer with biometrics, push notifications and in-app cheque scanning. This low-friction authentication path (generally device identification plus biometrics) means UK consumers log in to their banks on average six times in every seven days.

Mobile Banking Fraud - A Changing Situation

Mobile banking remains the most secure internet banking channel, with an attack rate roughly 10x lower than browser sessions from either a desktop or a mobile device. The UK Finance 2021 Fraud the Facts report shows that mobile banking fraud (excluding scams) increased by 41% between 2019 and 2020. Both Fraud the Facts and the LexisNexis® Risk Solutions Cybercrime Report noted an increase in fraud targeting younger age groups, most likely because younger customers are more careless with their personal details, combined with the huge increase in fraud initiated via social media.

Device Registration - A Lesson Learnt

The main point of vulnerability of the mobile app remains device registration: a compromise here hands the fraudster the keys to the kingdom, however secure the biometrics used for subsequent authentication. A good example came when Apple Pay was introduced in late 2014. By 2015 there was a deluge of fraud, even though Apple Pay itself was very secure, with no card details stored on the device in the clear. Banks, especially in the US, had not fortified their Apple Pay device registration (card provisioning) controls, so it was very simple for fraudsters to register their own device with another person's stolen card details. Physical biometrics, in this case, were completely redundant: they only proved that the person paying was the person who had enrolled the device, and that person was the fraudster. Industry consultants estimated Apple Pay fraud at between 6% and 8% of all transactions, 60-80 times the rate of regular credit card fraud.

Information Security = The Immune System

While the banking industry did catch up on Apple Pay device registration authentication, the episode teaches a valuable lesson about fraud on the mobile banking app. A lot of the focus, particularly in the US, has been on vulnerabilities in the mobile apps themselves. The vast majority of mobile fraud comes from Android devices, a by-product of a more open platform (sideloading, rooting and emulation are all easier) versus iOS, which is comparatively locked down. There have been some huge fraud cases, including one in the US where a fraud gang mimicked the phones of more than 16,000 customers using 20 different emulators. Mobile app security therefore has its place, particularly as fraudsters and mule herders often want to use a single device to access multiple accounts, and widely available Android tools make this kind of device flashing (altering the device identifiers the bank fingerprints so one handset looks like many) easy. We clearly need to defend against these determined and organised criminal groups, but such cases are infrequent, large, and remediated by banks completing root-cause activities. At LexisNexis® Risk Solutions, the ThreatMetrix product has a suite of mobile protection modules to identify emulators, device flashing, jailbroken or rooted devices, malicious apps and even a fraudster remotely controlling the device.

So rather than overly focus on the 'hacker' types of fraud, let's discuss what the vast majority of fraudsters do to compromise mobile banking channels. Fraud is often a value-based game, especially for the bank's fraud department, balanced against customer satisfaction and the bank's reputation. These fraudsters can easily find 'how-to' guides on both the darknet and the regular internet. They do not, therefore, require a high level of technical knowledge, but rather a good understanding of banks' controls and of human psychology. Those who understand this best, and do not get greedy, are likely to make a lot of money and not get caught. The flip side for banks and technology vendors is to understand the attack vectors, the fraudster behaviours and also the behaviour of their legitimate customers.

Device Registration - The Keys to The Kingdom

If we accept that device registration is the main point of vulnerability, let's quantify what the risk actually is. Device registration covers a multitude of situations: registration of the mobile app by a customer who has never used internet banking before, or re-registration, where a new device is added to existing internet banking credentials. For customers who do not use internet banking this is a high-risk scenario: the first transaction ever completed on their account via a digital channel will be the fraudster's. Without internet banking, the customer may be waiting for a monthly statement to spot the fraud. Although banks can add spending limits for recent registrations, a patient fraudster, or one who knows the limits, will simply stay under the radar.

We have also seen evidence that when banks enable their mobile app to authenticate cash withdrawals without a PIN, fraudsters have seized the opportunity to exploit this functionality.

Now consider a 're-registration' event. The fraudster loads the customer's details (stolen, or bought on the dark web) onto their own phone. This allows them to pass the initial authentication challenges from a device they control, and then go on to commit fraud against that customer's account.

Device registration is binary in nature: once the registration event has occurred, 100% of the transactions from that device will come either from the fraudster or from the customer. The decision taken at registration is therefore the decision that matters.

Let us examine in a little more detail how fraudsters go about registering a device with another customer’s details:

  • Via a SIM swap at a telco operator, so that any SMS one-time passcode (OTP) for registration goes to the fraudster's device. This involves the fraudster socially engineering the telco into believing they are the legitimate customer, using a cleverly worded script.
  • The fraudster changes the customer's telephone number via internet banking, the branch or telephone banking, so that the OTP is sent to a number they control.
  • The fraudster calls the customer and socially engineers them into reading out the OTP needed to register the fraudster's device, which is then used for fraud. This is known as a hybrid scam: it has elements of both social engineering and account takeover.

Breaking Down a Problem to Find a Solution

The best way for banks to look at mobile fraud is to break the problem into three component parts: risk assessment at the point of device registration, monitoring in the period after registration, and learning from each fraud that gets through.

In terms of risk assessment, device registration is key. The rule-set must differ from the one used to risk-assess regular login and payment transactions. Here are some of the risk signals banks can use:

  • Multiple customers registering or using the same device.
  • Velocities around multiple registrations sharing the same device location information.
  • Jailbroken or rooted devices, and evidence of malicious apps.
  • Devices with a remote access or remote desktop tool active.
  • Behavioural biometrics during registration that are unusual for the customer.
  • Evidence of a recent SIM swap.
  • A prior compromise on internet banking, such as a password reset from a new device shortly before the new mobile device registration.

From a monitoring perspective, the first two weeks following a new device registration should be carefully monitored. Sudden large transactions or suspicious beneficiaries should be risk-assessed with more scrutiny. This must be balanced against not interfering with legitimate transactions. By using a layered approach, banks can flag suspect device registrations, safe in the knowledge that they can intervene at the right point when the case for fraud is compelling.
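The registration signals listed above and the two-week monitoring rule, expressed as a small rule-based scorer. This is an added example, not code from the article or from the ThreatMetrix product; every weight, threshold, field name and sample event in it is an assumption chosen for illustration, and a real deployment would feed these signals from device-intelligence, telco and core-banking systems.

```python
"""Rule-based risk assessment for mobile device registration, plus a
post-registration monitoring window. Added example; not code from the article
or from ThreatMetrix. All weights, thresholds, fields and events are assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

WEIGHTS = {  # assumed weights per signal; tune from root-cause data
    "shared_device": 40,            # device already registered to another customer
    "registration_velocity": 25,    # >= 3 accepted registrations from same location in 24h
    "rooted_or_malware": 20,        # jailbroken/rooted device or known malicious app present
    "remote_access": 30,            # remote-control / screen-sharing tool active
    "behavioural_anomaly": 15,      # handling/typing unlike this customer's prior sessions
    "sim_swap": 30,                 # telco reports a SIM change within the last 7 days
    "recent_credential_reset": 30,  # password reset from a new device within the last 7 days
}
BLOCK_AT, STEP_UP_AT = 60, 30           # assumed decision cut-offs
MONITORING_WINDOW = timedelta(days=14)  # the article's "first two weeks"
LARGE_PAYMENT = 1000.0                  # assumed amount escalated while a device is "new"

@dataclass
class Registration:
    customer_id: str
    device_id: str
    ts: datetime
    geo: str
    rooted_or_malware: bool = False
    remote_access: bool = False
    behavioural_anomaly: bool = False
    sim_swap_days_ago: Optional[int] = None
    credential_reset_days_ago: Optional[int] = None

def score_registration(reg: Registration, prior: List[Registration]) -> Tuple[int, List[str]]:
    """Score one registration against previously accepted ones; returns (score, fired signals)."""
    hits = []
    if any(p.device_id == reg.device_id and p.customer_id != reg.customer_id for p in prior):
        hits.append("shared_device")
    same_geo = [p for p in prior if p.geo == reg.geo and timedelta(0) <= reg.ts - p.ts <= timedelta(hours=24)]
    if len(same_geo) >= 3:
        hits.append("registration_velocity")
    for flag in ("rooted_or_malware", "remote_access", "behavioural_anomaly"):
        if getattr(reg, flag):
            hits.append(flag)
    if reg.sim_swap_days_ago is not None and reg.sim_swap_days_ago <= 7:
        hits.append("sim_swap")
    if reg.credential_reset_days_ago is not None and reg.credential_reset_days_ago <= 7:
        hits.append("recent_credential_reset")
    return sum(WEIGHTS[h] for h in hits), hits

def registration_decision(score: int) -> str:
    if score >= BLOCK_AT:
        return "block"     # refuse and route to the fraud team for a call-back
    if score >= STEP_UP_AT:
        return "step_up"   # verify on a channel the registering device does not control
    return "allow"

@dataclass
class Payment:
    customer_id: str
    device_id: str
    ts: datetime
    amount: float
    beneficiary: str

def assess_payment(pay: Payment, registered: Dict[Tuple[str, str], Registration],
                   known_payees: Dict[str, Set[str]]) -> Tuple[str, List[str]]:
    """Extra scrutiny for payments inside MONITORING_WINDOW of the device's registration."""
    reg = registered.get((pay.customer_id, pay.device_id))
    if reg is None:
        return "escalate", ["payment from a device never registered to this customer"]
    if pay.ts - reg.ts > MONITORING_WINDOW:
        return "normal", []  # outside the window, ordinary payment rules apply
    flags = []
    if pay.amount >= LARGE_PAYMENT:
        flags.append("large payment from recently registered device")
    if pay.beneficiary not in known_payees.get(pay.customer_id, set()):
        flags.append("new beneficiary from recently registered device")
    return ("escalate" if flags else "normal"), flags

# Constructed sample events: carol's account already lives on device dev-F, which
# then tries to register bob's account as well (rooted, SIM swapped two days ago).
T0 = datetime(2021, 4, 1, 9, 0)
ACCEPTED = [Registration("carol", "dev-F", T0 - timedelta(days=10), "Manchester")]
SAMPLE = {
    "alice": Registration("alice", "dev-A", T0, "London"),
    "bob": Registration("bob", "dev-F", T0, "Manchester", rooted_or_malware=True, sim_swap_days_ago=2),
    "dave": Registration("dave", "dev-D", T0, "Leeds", credential_reset_days_ago=1),
}

def run_sample() -> Dict[str, str]:
    """Decisions for the sample registrations and for alice's first payment from her new device."""
    out = {name: registration_decision(score_registration(r, ACCEPTED)[0]) for name, r in SAMPLE.items()}
    registered = {(r.customer_id, r.device_id): r for r in ACCEPTED + [SAMPLE["alice"]]}
    pay = Payment("alice", "dev-A", T0 + timedelta(days=3), 2500.0, "payee-unknown")
    out["alice_payment"] = assess_payment(pay, registered, {"alice": {"payee-landlord"}})[0]
    return out
```

Calling `run_sample()` allows alice, blocks bob (shared device, rooted, fresh SIM swap), steps up dave (recent password reset from a new device) and escalates alice's large payment to a new payee three days after registration. The point of splitting the scorer from the monitor is the one the article makes: registration uses its own rule-set, and a device that was allowed through still carries elevated scrutiny for the first fortnight rather than being trusted outright.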


Finally, every time a mobile banking fraud takes place, the bank can learn more about the fraudulent device registration. Which factors in the scoring system allowed this device through? Are there further digital breadcrumbs that would prevent it in future? This root-cause analysis is incredibly valuable. Given enough of these frauds, a predictive model can be trained and applied at device registration, making it harder for fraudsters to 'game' the current fraud rules.

The Future Is Mobile – We Need to be Ready Now

The key point of this article is the main vulnerability in mobile banking: device registration. The introduction of Strong Customer Authentication (SCA) later in 2021 will have less impact on modern mobile phones, which already have built-in physical biometrics. For eCommerce, the mobile app will become the lowest-friction path for both banks and customers, and authentication via the mobile banking app will become the most common way to approve payments. Banks should therefore not only look at securing their digital banking channels, but bear in mind that they are also securing future card-not-present (CNP) payments. Renewed emphasis is required around protecting device registration. Get it wrong and you have a lot of fraud; get it right and you can have a dynamic control framework where customers enjoy low friction while the fraudsters are kept out. An expert online panel will be discussing this further on 12th May.


Mike Nathan

Senior Director EMEA Solutions Consulting

LexisNexis Risk Solutions


This post is from a series of posts in the group:

Digital Identity Management
