Banks are offering mobile
banking in their droves, a service made increasingly attractive to
customers by web-enabled smartphones such as the iPhone. But, as 41st
Parameter’s Ori Eisen explains to EPI, history has shown that fraud
follows payments innovations. Mobile banking will be no exception.

Banks must prepare for security
attacks as fraudsters turn their attention to the mobile channel,
warns Ori Eisen, founder and chief innovation officer of US
payments security specialist 41st Parameter.
“Regrettably,” he added, while speaking to
EPI, “they won’t.”
The pattern has been repeated throughout the
past five decades of electronic payments innovation, Eisen said.
“Fraud always follows innovation in payments,
yet banks have not come to terms with this fact,” said Eisen.
Security must be thought of in advance, but
generally this does not happen, he continued.
“Fraud followed in the wake of the rapid
uptake of internet banking and we can predict the same will happen
with mobile banking,” said Eisen.
A mismatch of priorities poses a significant
problem, continued Eisen. Innovative ideas such as mobile banking
are initially driven by banks’ marketing departments, he explained,
with anti-fraud specialists left to deal with the consequences.
As in the case of internet banking, fraud
losses sustained by banks in the mobile channel will have to reach
an uncomfortable level before they act decisively on mobile
security, believes Eisen. A big problem, he added, is that banks
don’t even know what form mobile banking fraud will take.
However, when banks do come to terms
with the reality of mobile fraud they face a tough challenge.
Quite simply, said Eisen, when compared to a
desktop or laptop computer, internet-enabled mobile phones have
limited security capabilities in the areas of user identification
and verification. For example, mobile internet phones do not have
Adobe Systems’ Flash application, which is often used by banks as an
additional layer of user identity verification.
Authenticating a user’s identity in mobile
banking is as critical as it is with fixed line internet, yet, in
reality mobile banking systems are falling at this particular
hurdle, he stressed.
Security weaknesses have not gone unnoticed by
fraudsters who are turning their attention to what has been the
biggest success story yet in the mobile internet market: Apple’s
iPhone. In late-2009, almost 3 million iPhones were being snapped
up every month by customers of 140 mobile network operators in 90
Because of this popularity, US security
software developer Intego studied Apple computers in November last
year. It identified three new items of malicious software (malware)
targeting the iPhone. Of the three, what Intego called iBotnet.A
was described as “the most sophisticated iPhone malware yet.”
According to Intego, iBotnet.A has the ability
to send copies of text messages received or sent by an infected
iPhone to a remote server in Lithuania. This, potentially, has
massive negative implications for payments services using short
message service technology.
Indicating the intent of iBotnet.A’s creators,
the malware changes an entry in the iPhone’s host file for a Dutch
bank website, leading users to a bogus site, presumably, noted
Intego, to harvest user names and passwords.
Rich Cannings, security leader for Google’s
Android mobile operating system, shares Eisen’s concerns.
He told delegates at the Usenix Security
Symposium held in Montreal, Canada, in August last year: “The
smartphone OS [operating system] will become a major security
target for malware designers.”
An additional aspect of security highlighted
by Eisen is a variation on the requirement placed on banks to
‘know your customer’ – knowing what device a customer is using.
A solution offered by 41st Parameter is client
device identification (CDI), a security layer that enables banks to
identify suspicious transactions.
Eisen explained that the CDI solution unobtrusively
captures and identifies a device’s characteristics during the login
process, thus going beyond simple user names and passwords to
detect suspect mobile phones, smartphones and desktop and laptop
computers.
He explained that 41st Parameter’s ‘FraudNet
for Account Takeover’ solution, which incorporates CDI,
differentiates individual devices regardless of past registration,
the credentials presented or connection, whether it be a mobile
network operator or internet protocol address. Eisen added that
these parameters and real-time reporting create a full picture of
the user, irrespective of the device being used.
Real-time reporting also enables
banks to identify devices that were initially refused admission to
a website and that have changed their identity to try and gain
access. Eisen noted that studies have shown fraudsters can
reattempt entry in a matter of minutes.
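To make the device-identification idea concrete, here is a small illustration of the kind of check described above, written for this article rather than taken from 41st Parameter’s FraudNet: it scores a login’s captured device attributes against devices refused minutes earlier, so a handset that returns with a new IP address or another customer’s credentials is still recognised. The attribute set, weights, threshold and time window are assumptions, and the login records are constructed.

```python
from datetime import datetime, timedelta

# Device attributes captured at login and their weights (assumed set; a real
# CDI deployment uses far more signals than this).
WEIGHTS = {"user_agent": 2.0, "screen": 1.5, "timezone": 1.0,
           "language": 1.0, "fonts_hash": 2.5, "ip": 0.5}
REATTEMPT_WINDOW = timedelta(minutes=10)  # assumed; the article says "minutes"


def similarity(a, b):
    """Weighted share of matching attributes between two device records.
    Connection and credentials are deliberately not decisive: the IP address
    carries the lowest weight and the user name is not compared at all."""
    total = sum(WEIGHTS.values())
    matched = sum(w for k, w in WEIGHTS.items() if a.get(k) == b.get(k))
    return matched / total


def find_reattempt(login, denied, threshold=0.75):
    """Return (record, score) for the recently refused device this login most
    resembles, or None. A changed IP or a different customer's credentials
    does not hide the handset, because the other attributes still match."""
    best = None
    for rec in denied:
        delta = login["time"] - rec["time"]
        if not timedelta(0) <= delta <= REATTEMPT_WINDOW:
            continue  # only refusals from the last few minutes are considered
        score = similarity(login["device"], rec["device"])
        if score >= threshold and (best is None or score > best[1]):
            best = (rec, score)
    return best


# Constructed sample data: one refused login, then three later attempts.
T0 = datetime(2010, 1, 15, 9, 0)
IPHONE = {"user_agent": "iPhone OS 3.1.2 Safari", "screen": "320x480",
          "timezone": "+02:00", "language": "en", "fonts_hash": "f1a9c3",
          "ip": "198.51.100.7"}
DENIED = [{"time": T0, "user": "alice", "device": IPHONE}]
# Same handset four minutes later, new IP, trying another customer's account.
RETRY = {"time": T0 + timedelta(minutes=4), "user": "bob",
         "device": dict(IPHONE, ip="203.0.113.42")}
# Same handset, but an hour later: outside the re-attempt window.
LATE = dict(RETRY, time=T0 + timedelta(hours=1))
# A genuinely different device that happens to share the time zone.
OTHER = {"time": T0 + timedelta(minutes=2), "user": "carol", "device": {
    "user_agent": "Firefox 3.5 Windows", "screen": "1280x800",
    "timezone": "+02:00", "language": "nl", "fonts_hash": "0d77be",
    "ip": "203.0.113.42"}}
```

Calling `find_reattempt(RETRY, DENIED)` returns the refused record with a score above 0.9, while `LATE` and `OTHER` return `None`.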
Eisen emphasised the challenges of mobile
banking security are another manifestation of an overall trend by
banks to “push customers further away.” In the 1970s all banking
was done in person, and knowing your customer was straightforward.
With the introduction of the ATM, customers were first “pushed into
the street” and with the advent of internet banking have been
“pushed into the data centre basement”, he added.
“The further banks push customers away the
less visibility they have,” Eisen stressed.
And Eisen sees increasing risk in the use of
the internet for new customer acquisition.
“It is very low at present but growing fast,”
he noted. “It is now possible a bank will never meet a customer,
only adding to security threats.”
His concerns were highlighted in a report
published by US research firm Gartner, Best Practices in New
Account Fraud Detection. The report revealed new account fraud in a
mainly online environment is at least five times higher than it is
when accounts are opened in person.