As new mobile banking applications hit the market, Julie McNelley says it will be critical for banking institutions to have cross-channel monitoring to mitigate risks.
"As we see mobile banking rolled out, it's going to represent many of the same threats and risks that online banking [has] in the business environment," says McNelley, a fraud analyst with Aite, during an interview with BankInfoSecurity's Tracy Kitten [transcript below].
"You'll have some of the same opportunities for credential compromises," she says. "Even if you do have the mobile channel locked down, in terms of the types of transactions you can initiate, that still represents a great opportunity for cross-channel fraud."
That risk continually increases with the consumerization of devices, such as iPads.
"We're already seeing these Trojans and all those variants appear in the mobile channel, compromising credentials," she says. "The opportunities for cross-channel compromise are very interesting."
In an interview, previewing a panel discussion she hosted at RSA Conference 2012, held in San Francisco Feb. 27 through March 2, McNelley discusses:
- Successful fraud mitigation strategies that can be taken from online banking to mobile;
- Regulatory guidance banks and credit unions can expect for mobile banking and payments; and
- Why cross-channel monitoring is critical.
At Aite Group, McNelley specializes in banking and payments fraud. She has more than a decade of product management experience, working with financial institutions, payments processors and risk management companies. She formerly served as senior vice president of product management with Golden Gateway Financial. Before joining Golden Gateway, she was vice president of product solutions with Early Warning Services, where she managed fraud prevention services. McNelley began her career as a research analyst at E*Offering, where she analyzed online financial services and risk-management firms.
TRACY KITTEN: What can you tell us about the security of the mobile landscape as it exists today?
JULIE MCNELLEY: Mobile security is highly fragmented today. As we talk to financial institutions and e-commerce providers, many of them have mobile security deployed but it isn't yet as robust as what they have in the online channel because nobody is really feeling a lot of pain. The bad guys aren't really intensively targeting the mobile channel yet, but everybody expects that will change as the volume and value of payments flowing through the mobile channel increases.
We have performed a couple of surveys of financial institution and e-commerce executives on this front, and in November of 2011 we asked 24 global risk-management executives responsible for financial-services organizations, financial institutions or e-commerce platforms. We asked them a variety of questions about the mobile channel. Seventy-five percent believe that the mobile channel poses risk because we don't yet fully understand the threat vectors, and another 88 percent believe that the mobile channel is going to be the next big point of exposure in financial services fraud. It's something that has a lot of people concerned.
Mobile: Still Emerging?
KITTEN: Could you tell me how prevalent mobile banking and mobile payments are? Can you give us some idea about the number of institutions in the U.S., as well as internationally, that are offering some form of mobile banking or payments?
MCNELLEY: We have also performed a couple of different studies on that front and in the North American market the vast majority of large institutions have a mobile-banking presence. Many of them have a mobile-banking presence for both consumers and businesses, and to the extent that the large institutions don't yet have a business presence rolled out, for almost all of them, it's on the 2012 roadmap.
Looking at mid-size institutions, the consumer mobile-banking platform is much more prevalent. I would say, of the mid-size institutions between one and 20 billion in assets that we interviewed, about half of them have a consumer mobile-banking presence rolled out and about a quarter of those have a business mobile-banking platform on the 2012 or 2013 roadmap. From a payments perspective, this is something that we're also seeing a lot of activity in. Consumers aren't yet adopting it in droves, but I think that as we see more of the incentives rolled out for that adoption - the loyalty, the couponing, everything else - I think that we will see that adoption increase.
KITTEN: Is it possible to break mobile banking out from mobile payments? Can you talk at all about which one poses the greater risk?
MCNELLEY: At this point in time it's absolutely mobile banking, because that is where you have more utilization. We estimate that by the end of 2013, we're going to see about 44 million U.S. consumers using mobile banking. That's also where the value is flowing, through there, in terms of transaction value. It's also, in the attack vectors that we're seeing in the online channel, the most easily translatable to that mobile channel. We're already seeing these Trojans, SpyEye Trojans, and all those variants appear in the mobile channel, compromising credentials, and the opportunities for cross-channel compromise are very interesting. Plus, there are really a lot of interesting things you can do on the mobile channel that you can't do online just because of the unique nature of mobile. We've already seen a couple of Trojans on the Android platform that are recording entire voice conversations and sending them back to command and control for use in spoofing voice biometrics for social-engineering purposes. Obviously, that's not necessarily a scalable attack method but it's pretty unique to the mobile environment.
The Regulatory Landscape
KITTEN: When we talk about the mobile environment, we've talked quite a bit about the fact that there isn't really any guidance from regulators regarding mobile interactions. Do you expect regulatory bodies like the FFIEC to get more involved in mobile initiatives in the near future?
MCNELLEY: Absolutely. I've had conversations with a few individuals from the FFIEC agencies and they have indicated that they do have working groups working on mobile specifically. They also have indicated that because of the language that defines the current online authentication guidance to be for electronic transactions, they believe that the current set of guidance does have applicability to mobile. Now, as you read through it, there are obviously some things that are very specific to online, and there's recognition that mobile will require its own unique set of guidance, but for the time being people should be using that existing FFIEC guidance for online as kind of their placeholder.
KITTEN: It has been suggested that perhaps other bodies and associations, such as NACHA, might be able to play a role here when it comes to guidance for enhanced mobile security. What role do you see some of these organizations playing to help financial institutions as they implement and move along the mobile channel?
MCNELLEY: To the extent that they can help to socialize best practices that they have some enforcement mechanisms to help institutions to stay ahead of the fraud curve, I think that's all very helpful, just so long as we don't get kind of a patchwork environment out there that makes it very difficult to comply and to innovate in this environment. I think that one of the really valuable things that came out of the last FFIEC guidance was the requirement that institutions perform ongoing, periodic risk assessments at a minimum on an annual basis, or when new functionality is rolled out to the remote channel. That right there forces institutions to have a discipline in place that makes them continue to look at what they're doing both from an innovation perspective and a fraud mitigation perspective relative to the threat environment. I think to the extent that the industry can self-police and it doesn't require guidance to respond to the threats, that's all good news from both the industry and consumer's perspective.
KITTEN: Let's talk a little bit about how all of these things kind of come together. The FFIEC online authentication guidance was something that came about because of increases in ACH and wire fraud. When it comes to mobile, and I guess I would be talking about mobile payments specifically here, how concerning is ACH fraud?
MCNELLEY: Today, it's not at all. We're not seeing any of that in mobile, but as we do see mobile business banking rolled out, it's going to represent many of the same threats and risks that online banking [has] in the business environment. You'll have some of the same opportunities for credential compromises, and even if you do have the mobile channel locked down in terms of the types of transactions you can initiate, that still represents a great opportunity for cross-channel fraud, and especially as we see the increasing consumerization of devices and people using their iPads for both business and personal, letting their four-year-old play their latest games on it, it just represents such an increase in the risk environment that having an integrated mobile and online strategy will be critically important, particularly in that business channel.
RSA: Financial Fraud and Mobile Risks
KITTEN: During the peer discussion that you'll be leading at RSA, which takes place March 1, you'll touch on mobile security and financial services. Can you give us some highlights?
MCNELLEY: Sure. It's going to be a round-table discussion where we'll bring together some stakeholders and experts and we'll just be looking to explore where the industry is today. Where are the points of pain that we're feeling today? What are the things that are keeping people up at night? And so it's not all doom and gloom, we'll talk about some of the successful strategies and ways in which institutions and organizations are being proactive in addressing the threats that are coming up. The goal is to not only have a good sharing of ideas but also have people leave with some actionable ideas that they can bring back and apply in their own shop.
KITTEN: What about RSA, generally? How prominent do you expect mobile security to be during the conference overall?
MCNELLEY: Every year, as you know, you see a theme at RSA. Everybody is coming together around the same concept. Last year the cloud seemed to be one of those, the big concepts. This year I fully expect that mobile will be one of the hot topics because leading up to RSA that's absolutely something that's top of mind for all of the folks that I speak to across the value-chain from financial institutions to the vendors to the e-commerce companies, and to the security companies. I think mobile will absolutely be the theme of this year's conference.
KITTEN: Then what about other topics that may be of interest during this year's conference?
MCNELLEY: I think we'll definitely see some conversation around EMV and secure payments along those lines, because that's certainly something that's a hot topic in the U.S. market. Cloud has been a consistent theme over the last couple of years. I expect that to be no different. Again, this is nothing new, but it's something that's pervasive and ongoing - PCI I expect to have a lot of discussion as well as just other network security types of initiatives.
KITTEN: Before we close, what final thoughts about mobile security and RSA would you like to leave our audience with?
MCNELLEY: I think mobile security is like everything else, that as I speak with individuals and institutions, in many cases we're seeing folks that plan to spend but are kind of waiting to either incur some losses that will help them justify their business case or they're waiting to see what kinds of threats develop. In one of our surveys, we actually asked that question: what are your spending plans relative to mobile security? And fully 25 percent of respondents plan to increase their spending but they're waiting to see where the threat vectors materialize. To the extent possible, I think people are going to need to be a lot more proactive because as we're seeing, the threats are coming fast and furious and the bad guys are innovating very rapidly, and you can't be taking a wait-and-see approach. We need to bring some of the learning from the online environment over to mobile. There are a lot of successful strategies from online that can help to mitigate some of the emerging threats that we're seeing in mobile. To the extent possible, people need to be proactive, otherwise they're going to be the ones that are going to be exposed, and the bad guys are always very quick to capitalize on that.