Friday, April 15, 2011

Mobile Banking Fraud - Are You Prepared?

By Michael Scheibach, Executive Editor

Today, more than 80 percent of adults in Europe and the United States own a mobile device. According to Forrester Research, some 29 million Americans are doing mobile banking, and this number is expected to pass 50 million in the next three years. The Millennial Generation (18 to 29) is skipping the online banking phase altogether and views mobile banking as, well, "banking."

So what does this all mean for the banking industry? It means banks better be ready to counter the growing fraud threats associated with mobile banking.

Scott Perry, director of authentication and fraud at Entrust, in a white paper titled "Addressing Advanced Fraud Threats in Today's Mobile Environment," writes: "While many safeguards are deployed within financial institutions, criminals are evolving their techniques rapidly. Phishing, smishing and spear-phishing attacks are now designed to deploy malware, which takes over users' browsers and mobile devices to execute malicious transactions."

Perry points out that mobile devices are particularly susceptible to attack for several reasons. At the top of the list is the potential malware threat from downloading third-party apps. In addition, the frequent checking of email from mobile devices and current limitations of mobile browsers make it more difficult to identify fraudulent messages and websites.

Because of the escalating threats to mobile banking and mobile payments, the Federal Financial Institutions Examination Council (FFIEC) is working to strengthen security measures for online and mobile banking.

Perry suggests three areas that should be addressed by banks:

1. Banks should adopt a versatile authentication platform that supports a wide range of options, such as transparent authentication, physical methods of authentication (e.g., tokens or grid cards), and "soft tokens" that leverage mobile devices.

2. Banks should consider out-of-band transaction verification using a mobile application, such as SMS or voice dial-out with a one-time security code.

3. Banks should also explore solutions that actually embed security features of the authentication platform directly into a mobile application.

To learn more about mobile security, visit This is a subject that won't go away.