
Device fraud - a serious threat to mobile banking?

Current predictions show there will be five billion connected devices on planet earth this year, including smartphones and tablets, serving a billion online bank accounts and contributing to US $13trillion in global ecommerce sales and related transactions.

The potential opportunities presented to fraudsters are therefore huge. Evidence of this has already been seen in the estimated 25 million unique strains of malware, resulting in an 80% annual increase in phishing attacks and the breach of 600 million customer information records.

Apart from obvious at-risk ‘smart’ devices like phones, tablets, laptops and other PCs, everything from home routers, CCTV cameras, baby monitors, domestic heating and utility gadgets and thermostats to cloud-based data services, printers, firewalls and video-conferencing systems is also potentially vulnerable.

There’s already a sophisticated, interconnected, resourceful and growing army of digital fraudsters overseeing the theft, distribution and sale of personal information on an industrial scale. Therefore in developing any anti-fraud strategy, it is better to assume there’s a possibility customer data has already been compromised before any transaction takes place.

Take the recent flap over Heartbleed. The software bug highlighted a critical flaw in software called OpenSSL, which is supposed to make it much harder to steal data. Instead, suitably-informed hackers were able to exploit it by remotely prompting the server to hand over small chunks of the data it had just handled - in many cases disclosing log-in details, passwords, or other sensitive personal information.

Since Heartbleed emerged in May 2014, additional fears have been raised over a possible computer hack by Russian criminals alleged to have targeted hundreds of thousands of computers worldwide with malware, enabling the theft of more than US$100m from business and personal bank accounts.

Around the same time, genealogy website - among several others - was intermittently knocked offline following a three-day bout of suspected DDoS (distributed denial of service) cyber-attacks, during which the site was overloaded with traffic and crashed. On this occasion no user information was compromised.

From the recent examples, it’s clear that fraudsters are fast, inventive, adaptable and constantly testing for any potential vulnerability.

Take the UK banking sector for instance, where more and more Brits are moving away from branches in favour of their mobile phones and tablets. According to the British Bankers’ Association, we’ve now downloaded more than 12.4 million banking apps, while the number of transactions made using them has nearly doubled in a year, hitting 18.6 million per week by the end of 2013.

Meanwhile, customers signed up to receive more than 450 million text messages such as balance alerts from their banks in 2013. RBS now claims 5.6 million online banking users, while HSBC says that 72% of all its interactions with customers are now carried over the phone or through the internet.

While the relative ease and convenience of online banking is great for consumers, it demands constant vigilance from banks’ back-office teams tasked with fighting fraud across multiple channels.

Protecting the keys to the kingdom fundamentally hinges on a layered security strategy underpinned by multiple checks from numerous data sets. Having the tools to fight the fraudsters, which include device intelligence to block compromised card use, fraudulent enrolments and phishing attacks, hidden measures that assess suspicious activity, and multi-set identity verification, will always be worth the investment.

Consumers must also be vigilant to the threat of cyber-crime. Millions of consumers on both sides of the Atlantic regularly put themselves at risk of fraud through avoidable habits such as favouring repetitive online identities often based on a single e-mail address, username and password combination.

Similarly, nearly one in four of the 50 million mobile device users in the UK do not password protect their devices, while only around one in three (37%) have the same passcode or PIN on all mobile devices, and just half of those who do have passcodes/PINs (43%) have shared them with family, friends or colleagues. Only one in six (17%) of mobile device users say they always accept security updates sent to their mobile device, such as OS updates. Just over a third (36.3%) say they rarely request support on security tips when using a mobile device.

Irrespective of the convenience of mobile devices, last year it took an average of 444 days for consumers to discover they had become a victim of identity fraud. For individuals it’s always worth investing in web monitoring services which offer instant alerts if personal details get misused online.




Comments: (1)

A Finextra member, 30 July, 2014, 16:12

Some really good points here Derek and agree that a multi-factor approach is required to stem the tide.

As ever so much of this comes down to optimising the customer experience. For example the percentage of users who locked their phone increased significantly with the advent of the fingerprint lock.

When you consider that a lot of people use their ATM PIN to lock their phone this change in behaviour solves more than one problem.


Ultimately educating users to take responsibility and providing them with easy ways to deploy strong security is the overarching theme.


