While criminals are successfully executing a number of exploits against financial institutions and merchants, the outlook is actually fairly bright; when security controls are properly applied, the mobile environment has the potential to be more secure than the online environment, according to research by Aite Group.
Nevertheless, criminals have quickly realized that many of their tried-and-true attack methods from the online channel also work reasonably well in the mobile channel, with some minor adaptations. In addition, the unique properties of the mobile device provide additional paths of opportunity.
"Fraud prevention methods need to take an omnichannel approach, as criminals do not limit their attacks against [financial institutions] to a particular product or channel only. So, mobile banking software developers need to integrate information about the users’ current and historical activities across multiple channels to help proactively detect any fraud while preserving a positive user experience," says Julie Conroy, research director in Retail Banking at Aite Group.
At the same time, the security solutions that work online will not be universally applicable to mobile, but Aite Group sees that lessons can still be learned from the online channel. Many of the strategies and technologies that have proven effective online can be carried over to mobile, adapted to reflect the challenges unique to that channel.
Financial institutions and merchants are employing a number of successful strategies as they seek to create a highly secure, user-friendly mobile environment. One is embedded security: because users download the app onto their devices with protections already built into the software in a number of different ways, the app environment has the potential to be more secure than the mobile browser. Another is extending defenses to the transactions themselves. Effective defensive tools analyze data about each transaction to determine whether it exhibits anomalies indicative of fraudulent behavior.
"With the increasing availability of high-risk transactions from the mobile device, it is important to use technologies such as behavioral analytics that can detect anomalous transaction activity. Financial institutions need to ensure there is embedded security in downloadable apps. They should take advantage of the fact that consumers are willingly downloading a piece of software and embed security to shield it from malware that might already be on the device," Aite says in its report.
As financial institutions build their mobile strategies, they also need to be mindful of the pace at which mobile technology is progressing, says Aite Group. Investments should be designed with the flexibility to adapt to that rapid rate of progress, and should reflect the fact that devices are deemed outdated and only minimally supported one year from release. This further highlights the importance of a multipronged approach: one that does not rely exclusively on endpoint protection or device intelligence, but balances those aspects with device-neutral intelligence such as behavioral analytics.
"Given the continued rise in mobile channel usage, as well as the increasingly high-risk transaction capabilities that banks and merchants are pushing to the channel, it is imperative that financial services organizations defend against rapidly emerging threats," Conroy says.
Meanwhile, Aite recommends that technology providers hire white-hat hackers to test mobile security. They should perform penetration testing on mobile apps, enabling financial institutions to discover the vulnerabilities before the criminals do. Testing should be repeated any time significant enhancements are pushed to the mobile platform.