A rising number of financial institutions are leveraging mobile transaction opportunities, but the technology also presents challenges to organizations unprepared for fraud. How can they protect their operations and consumers?
Fraud is like any other business: criminals have annual targets, associated costs and must continuously improve their strategies to adapt to evolving market conditions. It’s up to savvy financial institutions (FIs) to keep them at bay.
Rapid advances in technology over the last 15 years have proved a double-edged sword for many financial institutions. New digital channels offer FIs faster and more cost-effective interactions with customers, but they also lead to increasingly sophisticated security threats.
Mobile has become an important battleground in this fight, and smartphones in particular have enjoyed staggering growth worldwide. Recent International Data Corporation figures showed over 85% of mobile phone users in the US owned a smartphone at the end of 2015.
As more people make the switch to smartphones, the market for mobile payments has increased. Accenture found that 24% of millennials already make mobile payments at least once per week, and 52% of Americans said they are ‘extremely aware’ of this transaction method. This was an increase of nine percentage points between 2014 and 2015.
Forrester Research predicts mobile payments in the country will nearly triple in value between 2014 and 2019, climbing from $52 billion to $142 billion over the six-year period. Customers want anytime, anywhere services, and organizations have endeavored to meet these needs as they develop better omnichannel strategies.
There are clearly significant opportunities for FIs that can leverage mobility to their advantage. However, security remains a top concern for the general public. Inside Secure revealed that 70% of consumers who refused to use in-store mobile payments over the 2015 Christmas holiday period were worried about fraud, identity theft and data privacy issues.
The Cost of Fraud
The recent 2016 LexisNexis True Cost of Fraud Study showed mobile fraud is a large and growing problem for merchants in the mobile commerce channel. But these issues have wider repercussions for the financial industry, as liability for fraudulent transactions doesn’t always fall on businesses.
Last year’s Apple Pay scamming scandal saw crooks circumvent the digital wallet’s secure encryption and fingerprint verification system by targeting vulnerabilities in the underlying banks’ fraud detection.
Criminals used stolen personal information to set up new iPhones, before contacting banks and activating the victim’s card on the Apple Pay account. Once verified, fraudsters were free to use the digital wallet as the authentic consumer would have, and make high-value purchases (with many favoring products from Apple’s own stores!).
“During setup, Apple Pay requires banks to verify each and every card and the bank then determines and approves whether a card can be added to Apple Pay,” an Apple spokesperson told Mashable last year. “Banks are always reviewing and improving their approval process, which varies by bank.”
These fraud losses extend beyond the purely financial; banks also suffer reputational damage and may see customers avoid mobile services as a result. FIs that fail to address such security failings will struggle to retain and attract consumers, especially tech-savvy millennials.
Mobile Banking — An Opportunity and a Challenge
Mobile banking is the fastest-growing segment within many FIs. According to PYMNTS.com, Bank of America added 910,000 new mobile banking users in the first quarter of 2016. Nearly 20 million people now utilize these services at the bank, with 16% of all deposits made via mobile. This is 33% more than the same period last year. Similarly, JPMorgan Chase revealed 19% year-on-year growth of mobile users, bringing the firm’s total up to 24 million people. Other big name banks have unveiled similar successes in their drive to boost mobile adoption.
Striking a Balance
Obviously, this is a growing market that FIs want to serve, but can they successfully balance the demand for fast, convenient mobile services with the increasing threat of fraud across a rapidly expanding user base?
The Apple Pay scandal is just one example of the shrewd ways fraudsters are manipulating identity verification systems. There are various types of what risk professionals call ‘third party’ and ‘account takeover’ fraud ploys at play.
Mobile users across the world are finding themselves the victims of things like SIM swap fraud. Criminals obtain an individual’s personal details through phishing attacks and other methods, which they use to convince mobile phone operators to cancel an existing SIM and activate a new one. The fraudsters then receive activation codes, notifications and authorizations for money transfers and can even open parallel business bank accounts.
This process gets the fraudsters around some of the more common, yet unsophisticated, fraud mitigation practices, such as one-time passwords and out-of-band text messages.
What options do FIs have to tackle mobile fraud?
There are a number of measures available to strengthen mobile fraud detection and prevention systems; building a comprehensive strategy requires a multifaceted approach that covers several key areas:
1. Establish an Accountability Framework
Banking and payment processes are often complex, with liability a debatable issue depending on the unique circumstances of the fraudulent activity that has occurred. Recent Kaspersky Lab research highlighted various difficulties banks have when assigning responsibility for fraud.
The organization said FIs struggle to differentiate between legitimate and fraudulent actions, and they often don’t have a cogent accountability structure. Some criticize IT departments, while others feel senior managers or security teams should shoulder the blame.
FIs must therefore establish clear, reliable accountability systems to ensure departments are aware who is in charge of the prevention, detection and identification of fraud risks across the business.
2. Introduce Multifactor Authentication (MFA) Processes
Identity verification remains a significant problem for FIs. As mentioned, mobile fraud regularly exploits weaknesses in banks’ abilities to spot the difference between genuine and fake account registrations.
The Apple Pay scam took advantage of protocols whereby some FIs simply asked for the last four digits of a social security number to set up new services. Given the many well-publicized data breaches in recent years, this personal information is already routinely in the hands of fraudsters.
Multifactor authentication systems are crucial for strengthening fraud detection and prevention. While biometric identification is becoming more available globally, the Apple Pay example shows it is not a foolproof solution. Supplementing traditional data verification, which generally relies on conventional ‘credit header’ information, is a solid way to ensure people are who they claim to be.
Several new technology platforms offer a more complete picture of a consumer’s digital identity. Solutions that have been particularly effective rely on public and private data that exists electronically, such as social media profiles, device IP and mobile network operator data.
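The sketch below is an added illustration, not code from any bank, vendor or product named in this article. It shows how a card-provisioning check could combine the signals discussed above: static data such as the last four digits of a social security number is not accepted on its own, and an SMS one-time password is not used when mobile network operator data shows a recent SIM change. The factor names, the seven-day cooldown and the decision labels are all hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical policy values for illustration only.
SIM_CHANGE_COOLDOWN = timedelta(days=7)
STRONG_FACTORS = frozenset({"app_login", "bank_issued_token", "in_branch_id"})

@dataclass(frozen=True)
class ProvisioningRequest:
    device_known: bool                    # device already bound to this customer
    last_sim_change: Optional[datetime]   # mobile network operator data; None = unknown
    verified_factors: FrozenSet[str]      # e.g. {"ssn_last4"} or {"app_login"}
    requested_at: datetime

def decide(req: ProvisioningRequest) -> Tuple[str, List[str]]:
    """Return (decision, reasons) for adding a card to a mobile wallet."""
    reasons = []
    weak_only = not (req.verified_factors & STRONG_FACTORS)
    if weak_only:
        reasons.append("only static personal data presented (e.g. SSN last four)")
    if not req.device_known:
        reasons.append("device not previously bound to customer")
    # Unknown SIM history is treated like a recent change: fail closed.
    sim_untrusted = (req.last_sim_change is None or
                     req.requested_at - req.last_sim_change < SIM_CHANGE_COOLDOWN)
    if sim_untrusted:
        reasons.append("SIM changed recently or history unknown; SMS OTP not trusted")

    if not weak_only and req.device_known:
        return "approve", reasons
    if not sim_untrusted:
        return "step_up_sms_otp", reasons
    # SMS would reach whoever holds the new SIM, so never use it here.
    return ("manual_review" if weak_only else "step_up_non_sms"), reasons

if __name__ == "__main__":
    now = datetime(2016, 6, 1, 12, 0)     # constructed sample data
    cases = {
        "new phone, SSN last four, SIM swapped yesterday":
            ProvisioningRequest(False, now - timedelta(days=1), frozenset({"ssn_last4"}), now),
        "known phone, app login, SIM stable":
            ProvisioningRequest(True, now - timedelta(days=200), frozenset({"app_login"}), now),
    }
    for label, req in cases.items():
        print(label, "->", decide(req))
```

The reasons list is returned alongside the decision so that fraud analysts and the accountable team can see why a request was held.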
3. Educate consumers
Ultimately, FIs can only do so much at their end. Consumer behavior is a huge factor in fraud prevalence, which is why organizations must work towards informing their customers of potential risks.
Phishing, malware and skimming are common ways for criminals to obtain sensitive information, so educating consumers on how to recognize and avoid these methods is essential.
FIs should encourage people to keep their software and hardware updated, ignore suspicious emails and contact their provider immediately if they believe fraudulent activity has occurred on an account or device.
Preparing for the Future
Mobile growth is increasing, as it can enable effective omnichannel services to enhance customer satisfaction, increase revenues and reduce costs. The financial industry sees this as one of its biggest opportunities, but also one of its biggest threats, as new channels open more attack vectors for fraud.
Organizations with the right combination of fraud detection and prevention defenses can avoid their mobile strategies faltering under the weight of identity theft and other criminal activities. This is where clear accountability structures, multifactor authentication processes and consumer education practices bring crucial added protection against fraudsters.