Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: Mobile banking fraud: Vulnerabilities of mobile devices

Scott Zoldi | Aug. 10, 2011
While mobile devices provide more conveniences for consumers, they also come with greatly increased risks.

Mobile devices are changing the payments landscape.  More mobile devices are becoming equipped with near-field contactless capabilities and apps that allow for the purchasing of goods and services.  While this provides a number of conveniences for consumers, mobiles also come with greatly increased risks related to payments. Case in point, malware instances on Android phones grew 400 percent between summer 2010 and spring 2011, according to the "Malicious Mobile Threats Report" by Juniper Networks.

The increased risk stems from the fact that mobile devices typically lack the firewalls and other security measures that are more standard on home computers. This make mobiles ideal for launching malicious software that tracks key strokes and compromises sensitive personal information, usernames, and passwords. To make matters worse, app purchasers are often much less discerning about downloads to their mobile compared to a home computer. 

Beyond malicious apps and downloads, there is additional concern about the security of the networks used by the phone. Many phones are wi-fi capable, and although the public has become conditioned to not connect to unknown wi-fi networks using personal computers, there is less discretion when using mobile phones. In particular, the public has been systematically targeted at airports and other aggregation points by malicious wi-fi networks. 

Even when users are careful selecting a wi-fi network, they can be prey to "Man in the Middle" attacks on mobiles. Here, a fraudster will target MAC addresses associated with a particular brand of phone and redirect transactions through the fraudster's computer. This allows the fraudster to launch a tool like SSL strip to remove security protocols, and capture usernames and passwords used in payments, online bank access, e-mail, etc.  Although this is easily done on wi-fi networks, the same attack exists on mobile networks such as GSM, where a fraudster can impersonate a GSM base station. 

Advanced analytics

These vulnerabilities demand advanced analytics that monitor mobile device usage to detect fraud.  These range from malicious apps, to network security issues, to targeted man in the middle attacks.  So what can be done to counteract these vulnerabilities?

One option is to look to fraud detection residing on the mobile itself. You could monitor phone behaviour patterns-in terms of calls made, time/day of week patterns, apps accessed, and browser behaviour-to determine whether there is a change in usage patterns indicative of someone else using the phone or a malicious app. 

However, this would require coordination between all apps to access all usage transactions in a single application monitoring for misuse. Furthermore, usernames/passwords and sessions could still be captured and compromised in the network. 

For better fraud ROI on the mobile device itself, improve virus detection and firewalls to prevent compromise of information, and look to capturing unique and hard-to-reproduce biometric information that could be attached to banking and payment transactions.


1  2  Next Page 

Sign up for Computerworld eNewsletters.