2014 has seen an explosion of mobile banking demand and services. But as the channel grows, so do the threats against it. What are today's top threats, and how can institutions offer more secure mobile banking?
David Duncan, Chief Marketing Officer of mobile security vendor Webroot discusses the latest trends and solutions.
"The biggest change of all in the industry is that most financial institutions have come to realize that mobile banking is a fundamental customer requirement," Duncan says. Mobile is no longer just an option, and neither is security - but security cannot come at the expense of the user experience.
"As we deal with consumers and mobile banking transactions, we have to ensure security, but put more priority around the convenience of the banking transaction itself."
In an interview about the latest mobile banking services and threats, Duncan discusses:
- The evolutions of mobile services and risks;
- Today's top threats;
- How banking institutions can offer customers a more secure mobile experience.
Duncan, Chief Marketing Officer of Webroot, brings 30 years of senior marketing and security experience. Most recently, he was responsible for developing and leading the CyberSafe secure storage go-to-market product strategy for Imation Corporation, having joined Imation after the acquisition of EncryptX in 2011, where he was founder, president and managing director for 10 years. Duncan also served on McAfee's embedded solutions advisory committee.
Evolution of Mobile Banking Services
TOM FIELD: How have the services and adoption of mobile banking services evolved in 2014?
DAVID DUNCAN: There's been a lot of change. The biggest change of all in the industry is for most banking and financial services institutions; they've come to realize that mobile banking is a fundamental customer requirement. It's not an optional service anymore, and frankly it's not a service that many banks have a lot of success individually charging for. That's been a big step forward in 2014.
We've also seen that, when it comes to these transactions and mobile banking in general, convenience is much more valued over the security aspect. We want to enable users to conduct transactions via their mobile devices. In the old days, and certainly on the commercial side of the house, we've had better overall security. As we deal with consumers in mobile banking transactions, we have to ensure security, but put more priority around the convenience of the banking transaction itself.
FIELD: How do you see that mobile threats have evolved this year?
DUNCAN: Back in 2011, the entire industry was tracking less than 1,000 known mobile threats and malware variants out there. Today, we're well over 100 times greater than that number in 2011. The attack surface has shifted because of mobile devices being valued in terms of convenience over security, and users are downloading a lot more apps on these devices. Some of the other risks associated with mobile threats and how they've evolved is...they're getting onto these devices because users use mobile devices on unsecure public wireless connections.
We're storing a lot more data on these devices, and very few of these devices actually deploy some form of encryption. They may have passwords, pass codes, [or] PIN codes in a mobile banking transaction, but it doesn't mean that the underlying data itself is safe, just that there's a basic authentication mechanism built onto that. As these threats have evolved, and as we see cybercrime continuing to increase dramatically, we are seeing more and more of the targeted attacks going after mobile devices. They're easier for the buyers and malware writers to get to.
FIELD: What are the most common threats targeting mobile users today?
DUNCAN: There are three or four common types of attacks right now. There's certainly more man-in-the-middle attacks using some type of browser injection. Basically, [they are] trying to catch you using your browser on a device, and trying to capture the login credentials you're using so that those credentials can be used to take your information, or money out of your bank account.
We also see a rise in SMS premium malware. That's trying to monetize paid SMS messages. Either you're going to have to pay the cost of that, or your service provider is going to have to. There's a lot of malware out there that create premium SMS messages that the user doesn't authorize.
We have also seen specific new malware kits that have been developed and sold on the black market, like Perkele, a new crimeware kit for mobile malware targeting Android users. Today, the Trojans that are being generated out of Perkele have infected users in over 69 countries. Basically Trojans get on your mobile device and intercept the mobile transaction authentication number, what's called the M-TAN. This type of malware is actually stealing that code and using that to monetize on a transaction for financial fraud.
There are other types out there. Bankum is an interesting form of mobile malware because it replaces your legitimate banking app with a fake one. It looks like the real thing, but it's capturing your information and credentials to steal your information and money. Obviously we still see a lot of spear-phishing attacks. They continue to increase both in volume and velocity, because users are more and more susceptible to these things, even with all the education out there. It's easy for a user to get a spear-phishing attack through a Facebook or LinkedIn request. They click on that URL, and next thing you know, they've got malware on their mobile device.
Significant Risks to Users
FIELD: What are some of the other risks posing significant threats to mobile users?
DUNCAN: Mobile users are very concerned about their privacy and personal information. A lot of users are not realizing that if they download apps, they're downloading more apps that are either side-loaded, or what we call potentially unwanted apps. These are things that get onto your device. Maybe you're downloading a game or something like that...you don't realize that there's something getting on your device along with that that may be tracking your personal information for monetization purposes. At Webroot, we're tracking just under 10 million mobile apps today; of that, about 16 percent of those apps had been categorized as unwanted or malicious in nature. So these PUAs, potentially unwanted apps, are the most prevalent method that virus writers are using today to get information or malware onto your device, and monetize it.
Offering a Secure Mobile Experience
FIELD: How can banking institutions offer a more secure mobile experience to their customers?
DUNCAN: Provide a banking application that is authenticated and certified, and use a strong security certificate associated with that from a well-known certificate authority. The second thing is, the banking app needs to integrate security in a very seamless and transparent way to the user. It can't get in the way of the user's job of trying to initiate a transaction. We need an application that allows the bank to do a bunch of different things: analyze the device itself; determine if the device is rooted or jail broken; understand that there's malicious apps on that device; and it has to do [that] in under five seconds to be effective. Users on mobile devices are not willing to wait around and download something, or wait for a 30-second security scan. It needs to be quick, lightweight, can't suck down the battery or memory, and it has to allow the bank to tailor what they do based on the data that's received from that device in a way that meets their risk scoring or bank risk profile.
FIELD: How are your customers responding to these threats, and what do you see as business results they're getting from this?
DUNCAN: Webroot offers a mobile banking software development kit that integrates inside of a bank's application. The user doesn't see it; it's completely transparent to them. It gives the bank a number of different modules that they can implement in the banking app...like an active protection service, a scanner service that gives you information on the applications that are running on the device itself, and information about the device. It provides all of that information to them, and a very flexible risk scoring methodology that allows the bank to tailor the risk score based on the geographies of the customers they're dealing with.
These are large banking customers that are multinationals; it's much more common to have rooted or jail broken devices, as an example, in Asia. If you have that in America or other countries, that would give you a very poor risk score for the device, versus, in Asia, where it's more common. They need to have a solution that can be flexible and configurable to the geography of the mobile banking user that they're dealing with. They also need to be able to customize that risk score into their own risk and fraud engines to determine whether or not it's a "go" on that banking transaction.
Our customers see a significant reduction in fraud and threats presented by mobile users, because our mobile SDK is seamless, lightweight, and provides a flexible risk-scoring methodology. Also, our technology doesn't use signatures; it's always using a cloud-based model for understanding what the risks out there are, in the wild and real-time. It's not downloading a bunch of stuff onto the users' mobile devices, which would further degrade the user experience. Overall, the [results are] happy customers, more secure banking transactions and reduced fraud.
FIELD: What tips would you offer to institutions to begin improving the security of their mobile services?DUNCAN: Integrate a solid security technology into your mobile banking application. Make sure that that application can ensure whether or not the device is jail broken or rooted. It can scan and understand if the applications on that device are PUAs or malicious. Also, make sure that you can provide for that user if they're going to login directly through the web browser, or through some type of identity shield that will protect them against man-in-the-middle attacks. Make sure you have a set of flexible security modules that you can deploy based on the different profiles, types of devices and geography of where your users are. You have to understand that in dealing with mobile banking risks and users, one size doesn't fit all. So you need a lot of flexibility.