Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

BLOG: Mobile banking fraud: Vulnerabilities of mobile devices

Scott Zoldi | Aug. 10, 2011
While mobile devices provide more conveniences for consumers, they also come with greatly increased risks.

Access device

A mobile device is an access device to a payment account and channel. Before funds are moved, say from a credit account or DDA account, the request for payment should be assessed for fraud risk. This is similar to when a payment is made via online banking or an online card-not-present credit card transaction. Here, the transaction is marked as from an online channel, and fraud risk is computed based on this transaction and the history of transactions made on the account. Monitoring would include day/time patterns, typical transaction amounts, common merchants / destination accounts for P2P, etc.  

In addition, there would be value in capturing the mobile device ID (IMEI), Browser/Operating System details, and the above mentioned biometric information. Monitoring at the payment account is essential given that malicious apps may take over the device, or the payment details may be compromised and changed in flight through man-in-the-middle attacks.

The final piece of a solution is recognition that mobile banking/payments are evolving, and the acceptance of them as a legitimate payment and banking media is starting to take hold. There will be various changes in the services and apps marketed to the users of mobile devices, and to the security defences attached to phones. 

As a result, hard-to-change rule sets or static analytic models are not recommended because the transaction activity and risk of the mobile channel will evolve constantly over time.  More dynamic fraud detection is essential.

In these situations, an adapting analytic technology is best. Quantification of fraud risk should be based on self-calibrating outlier techniques, where what is considered an outlier payment transaction is compared both to the specific mobile user's typical behaviour/transactional patterns through a transaction profile but across the segment of customers that the mobile user belongs. These self-calibrating techniques should-in real-time-compute the distribution of the fraud feature variables to indicate what features of the mobile device transaction profile are considered outliers, and by how much, in order to allow a computation of a fraud score.

Scott Zoldi is vice president - analytic science, FICO.

 

Previous Page  1  2 

Sign up for Computerworld eNewsletters.