Mobile Banking Security Risks and Consequences iovation2015

MOBILE BANKING
SECURITY
Risks and Consequences

2
© 2013 The Corporate Executive Board Company. All Rights Reserved.
CEB TowerGroup Retail Banking
ROADMAP FOR THE PRESENTATION
Mobility, Privacy,
& Security
What’s in an
Identity?
Assessing Risks,
Whether High or
Low

3
HOW DO YOU DEFINE “IDENTITY”
We tend to view identity
in the sense of a
collective set of
information that informs
a single entity, but each
data point has identity as
well.
i-den-ti-ty
1. The collective aspect of the set of characteristics by which a thing is definitively
recognizable or known.
2. The set of behavioral or personal characteristics by which an individual is recognizable as a
member of a group.
3. The quality or condition of being the same as something else.
4. The distinct personality of an individual regarded as a persisting entity; individuality.
5. Information, such as an identification number, used to establish or prove a person's
individuality, as in providing access to a credit account.
Source: www.thefreedictionary.com/identity

4
USER-CENTRIC VIEW OF IDENTITY
Know Your Customer, or
“KYC” is a fundamental
component of service
delivery and security,
and helps maintain
various ways of
establishing user
identity.

5
ATTRIBUTE-CENTRIC VIEW OF IDENTITY
Persistent and non-
persistent identities can
be relatable to different
people, devices, and
financial instruments.

6
DEVICE-CENTRIC VIEW OF IDENTITY
Devices have as many
identifiable
characteristics and
history of activity as their
users do.
Phones, desktop PCs, mobile devices and other technology enablers have their
own history.

7
MOBILE-DEVICE CENTRIC VIEW
Highly mobile,
personalized, easily lost,
extremely capable
devices have identities
as complex as
individuals.

8
Mobility, Privacy,
& Security
What’s in an
Identity?
Assessing
Risks, Whether
High or Low

9
EVOLVING FFIEC GUIDANCE LAYERED SECURITY
EXPECTATIONS
FFIEC is a catalyst for
adoption, not for
development.
 2001 Guidance provided a
framework for risk-based
analysis of electronic
commerce, but made no
specific recommendation.
 2005 Guidance update
replaced the 2001 document
and further reinforced the
need for 2-factor
authentication and increased
customer education.
Authentication in an Electronic Banking
Environment
August 8, 2001
Authentication in an Internet
Banking Environment
October 12, 2005
Supplement to
Banking Environment
June 28, 2011
• The 2011 Guidance Supplement states that a “layered
security program will contain the following two elements,
at a minimum.”
– Detect and Respond to Suspicious Activity
• At login and authentication
• At initiation of transactions involving transfer of funds
– Control of Administrative Functions
• Business, or multi-user accounts require enhanced controls
and tools for permission delegation

10
WHERE DO YOU DRAW THE LINE?
Not Fraud Might be Fraud? Definitely Fraud
?
The measure of
responsibility is based
on the FSI’s
implementation of
“commercially
reasonable” controls, but
also should be based on
customer ease of use.
How do your risk assessments account for transactions that require
additional security?

11
NORMAL V. ABNORMAL
What does an identity
typically do? Previous
activity, frequency, and
relationships with other
identities are key to
consider.
What does an identity typically do?
FFIEC – “Fraud detection and monitoring systems that include consideration of customer history and behavior“
Debit $100 Known
Location
Known
Device
Associated
Recipient
Debit $100 Known
Location
Unknown
Device
Unassociated
Recipient
ACH $10K Known
Location
Unknown
Device
Associated
Recipient
ACH $10K Unknown
Location
Known
Device
Unassociated
Recipient
Credit $3500 Unknown
Location
Known
Device
Associated
Recipient
Credit $10K Unknown
Location
Known
Device
Associated
Recipient

12
HIGH V. LOW-RISK
Not all transactions are
equal, and the type,
amount, origin,
destination, and other
factors can be used to
determine risk.
Which transactions deserve increased analysis and decisioning?
Debit $100 Known
Location
Known
Device
Associated
Recipient
Debit $100 Known
Location
Unknown
Device
Unassociated
Recipient
ACH $10K Known
Location
Unknown
Device
Associated
Recipient
ACH $10K Unknown
Location
Known
Device
Unassociated
Recipient
Location
Known
Device
Associated
Recipient
Credit $10K Unknown
Location
Known
Device
Associated
Recipient

13
EXPECTED V. UNEXPECTED
Using only a specific
history of activity can be
too limiting, as
infrequent but legitimate
transactions occur, and
introducing additional
security is unwarranted.
How do you accommodate new spending patterns without impeding the
customer?
Debit $100 Known
Location
Known
Device
Associated
Recipient
Debit $100 Known
Location
Unknown
Device
Unassociated
Recipient
ACH $10K Known
Location
Unknown
Device
Associated
Recipient
ACH $10K Unknown
Location
Known
Device
Unassociated
Recipient
Location
Known
Device
Associated
Recipient
Credit $10K Unknown
Location
Known
Device
Associated
Recipient

14
Mobility,
Privacy, &
Security
What’s an
Identity?
Assessing Risks,
Whether High or
Low

15
CEB TOWERGROUP RETAIL BANKING
MOBILE BANKING MATURITY CURVE
Financial institutions are
focused now on building
the first versions of mobile
banking, adding
functionality to attract
users.
Mobile Banking
Maturity Curve, 2012-2015
Source: CEB TowerGroup
• With higher than
expected adoption
rates occurring at most
banks, it is now time to
push for the return on
investment both by
enabling strategic
marketing and
measuring profitability
and retention.
• While some first mover
institutions are
currently testing
biometric
authentication and
ATM integration, 2015
is the forecasted date
for large-scale
deployment of these
features.
Achieving Critical Mass Creating A Preferred Channel
2012 2013 2014
• Basic Banking in Apps
• Comprehensive OS/Device
Deployment
• Text Banking
• Critical Mass of Users
• Marketing & Sales Enablement
• Multi-Channel Integration
• Recognizable Security
Adoption
• Loan Origination & Servicing
• ATM Integration
• Biometric Authentication
2015

16
HOW WILL GUIDANCE CONTINUE TO EVOLVE?
With many organizations
still striving to
accommodate provisions
under 2011 FFIEC
supplement, the
possibility for another
update is real, and likely
needed.
Authentication in an Electronic Banking
Environment
August 8, 2001
Banking Environment
October 12, 2005
Supplement to
Banking Environment
June 28, 2011
• Update to accommodate mobile on its way?
• While current guidance applies to mobile banking as
well, mobile devices are referenced more as an out-of-
band authentication method for online banking
Authentication in a Highly Mobile
Internet Banking Environment
2014?

17
AS OF 2013, FFIEC IS OUT-OF-DATE
Since 2011, mobile
services, big data
analytics, and fraud
management services
have evolved further still.
Current Guidance – Capability Gap Analysis
How do you respond to NON-suspicious activity?
 “High-risk” transactions may deserve special focus, but “low-risk” transactions
should be considered as well.
 Risk-based approach should require more authentication for high-risk,
and an easier transaction path for low-risk.
 Streamlining the process for lower risk transactions alleviates staffing
and can increase customer satisfaction.
The guidance takes a very user-centric view of identity
 Recognizes device identification as an authentication method.
 Is inclusive to other measures not specifically called out.
Mobile devices are not excluded or exempted, but special recognition is
required.
 Mobile devices are still Internet-enabled and monitoring protections extend to
them, so they are covered under the 2011. But with the evolution of mobile
banking services, the guidance is incomplete.

18
CEB TOWERGROUP RETAIL BANKING
EVERY CHANNEL IN YOUR POCKET
Fully-integrated
peripherals and a shared
platform provide
opportunities for real-
time individual and
collaborative service
delivery.
Fully Integrated Peripherals and Shared Platform Provide
Functions & Services and Integrated Peripherals, 2013
Source: Mobile is an Opportunity for a More Secure Channel, CEB
TowerGroup, May 2012
• There are single-point
solutions, but mobile
users will interact with
FSIs through a single
communications device.
• A customer servicing
strategy must strive for a
consistent experience
and all mobile access
points.
• All access points must be
individually and
collectively secured.

19
PRIVACY ≠ ANONYMITY
Consumers understand
some of their information
will be tracked, and
expect the information to
be used to service and
secure their accounts.
Consumer Desired Mobile Functions
41%
43%
44%
46%
51%
54%
Sending automated bill pay reminders
Depositing a check from my mobile phone
Transferring money to accounts outside of my
account
Sending notice of a low balance
Making a payment on a loan or a bill
Sending notice of irregular account activity or
changes to account notification
Source: Mobile Banking Survey Report, Varolli Corporation, January 2013

20
PRIVACY POLICIES MAKING THEIR WAY TO MOBILE
The White House, FTC,
and EU Justice
Commission, among
others, are pushing for a
consistent definition of
privacy practices, and
mobile devices garner
special focus.
UI Composition Example for Mobile App Transparency Proposal
Source: National Telecommunications and Information Administration (NTIA)

21© COPYRIGHT • IOVATION
WE HELP BUSINESSES KNOW
WHO TO TRUST THROUGH
DEVICE REPUTATION.
WHAT WE DO

DEVICE REPUTATION PROVIDER FOR:
iovation, a
recognized
global leader

ISSUE TARGET DAMAGES
New Account
Origination
• Bank
• Consumer Identity
• Merchant
 Financial Loss
 Operational Expense
 Brand Damage
 Customer Churn
Risk-Based
Authentication
• Bank
• Customers
 Account Takeover
 Breach Notifications
 Loss of Trust
 Customer Churn
Mobile Security • Bank
• Customers
 Phones Compromised
 Account Takeover
 Customer Churn
 Market Share
FINANCIAL SERVICES: TOP FRAUD ISSUES

• Consumers buying smartphones
• Convenience of mobile banking
• Timing coincided with bank
starting to offer the service
MOBILE BANKING ADOPTION
Source: Federal Reserve System, Consumers and Mobile Financial Services, March 2013
THE PRIMARY DRIVERS

MOBILE BANKING ADOPTION
“The use of mobile banking has
increased by more than a third in the
past year, and it appears likely to
continue to increase as more and more
consumers use smartphones.”
- FEDERAL RESERVE SYSTEM

ACCESS METHODS
• Mobile web browser
• Text messaging
• Mobile app
POPULAR ACTIVITIES
• Checking balances and recent transactions (33%)
• Transferring money between accounts (21%)
• Depositing checks (17%)
• Receiving text message alerts from bank (17%)
• Making bill payments (17%)
MOST COMMON BANKING ACTIVITIES

• Banking needs met without mobile usage (54%)
• Concern about security (49%)
• No reason to use it (47%)
• Do not own a smartphone (40%)
• Lack of trust in technology to process transactions properly
(14%)
• Cost of data access on mobile phones (11%)
• Small size of mobile phone screen (10%)
• I don’t do the banking in my household (5%)
GENERAL REASONS FOR NON-ADOPTION

SPECIFIC REASONS
• Hackers accesses their phone remotely (30%)
• Losing their phone or having it stolen (11%)
• Experiencing data interruption by a 3rd party (9%)
• Companies misusing personal information (3%)
• Malware or viruses being installed (2%)
MOST COMMON RESPONSE
• Concerned with all of these security risks (44%)
MOBILE SECURITY CONCERNS

INDUSTRY 2012 JAN – JULY JULY
All 15% 17% 19%
Financial Services 11% 18% 20%
Dating / Social 14% 25% 30%
Retail 7% 12% 14%
IOVATION’S VIEW: 2013 MOBILE USAGE GROWTH

IOVATION SERVICES
Find Who’s Bad. Know Who’s Good.

1. IDENTIFICATION
Has this device been seen before?
WHAT WE DO

Tie together fraud that
may be happening on the
web.
Implement iovation’s
SDKs into your mobile
banking apps to uncover
related devices in
iovation’s global shared
network.
ASSOCIATING RELATED DEVICES

• Business Rule
• Triggers when the device does not have iOS or
Android as its native operating system
MOBILE EMULATION DETECTION

1. IDENTIFICATION
2. EVIDENCE
WHAT WE DO
Has anyone had a bad experience?

FRAUD & ABUSE EVIDENCE TYPES
FINANCIAL
• Credit Card Fraud
• ACH/Debit Fraud
• Friendly Chargeback
• Insufficient Funds
• Potential Fraud
• Shipping Fraud
• Counterfeit Money Order
• Click Fraud
• Affiliate Fraud
• First Party Fraud
• Loan Default
MISCONDUCT
• Chat Abuse
• Spam
• Abusive to Support
• Promotion Abuse
• Policy Violations
• Customer Harassment
• Inappropriate Content
• Profile Misrepresentation
• Solicitation
• Code Hacking
• Arbitrage Betting
• Gold Farming
CHEATING
• Collusion
• Chip Dumping
• All-in Abuse
• Trading Restriction
ID THEFT
• True Identify Theft
• Synthetic Identity Theft
• Phishing
• Account Takeover
B2B FINANCIAL
• Business Identify Theft
• Fictitious Business
• Business Takeover
• Dealer Fraud
• Payment Evasion
• Business Misrepresentation
OTHER
• High Risk
• Under or Over Age
• Requested Exclusion

VALUE OF SHARING
Sharing automatically
gives you access to
fraud evidence placed
by other iovation clients.
3X INCREASE IN
FRAUD CATCH
4X INCREASE IN
FRAUD CATCH

Financial Services
bad device crossover
with other industries:
VALUE OF CROSSOVER
Bad devices are 2X
as likely to be seen by
other online sites.
57%

1. IDENTIFICATION
2. EVIDENCE
3. ASSOCIATIONS
WHAT WE DO
Does the device have connections?

NORMAL ASSOCIATIONS: GOOD GUY
GOOD ACCOUNTS
DEVICES

ABNORMAL: REPEAT OFFENDER
GOOD ACCOUNTS
DEVICES
BAD ACCOUNTS

ABNORMAL: FRAUD RING
GOOD ACCOUNTS
DEVICES
BAD ACCOUNTS

1. IDENTIFICATION
2. EVIDENCE
3. ASSOCIATIONS
4. ANOMALIES
WHAT WE DO
Have any anomalies been found?
Does the device have connections?

POWERFUL RULES ENGINE: MAKE IT WORK FOR YOU
Geolocation Evasion Evidence Velocity
Evaluate location by
country, region, city,
ISP. Peer through
proxies with Real IP.
Analyze device
characteristics
to flag users
attempting to skirt
recognition.
Tap millions of fraud
records such as credit
card
fraud or account
takeover attempts.
Set thresholds to
detect excessive
activity such as
creation of multiple
accounts.

1. Evidence Exists (known fraud)
2. Country List (high risk &/or
sanctioned countries in both real
and stated IPs)
3. Accounts per Device
4. Geolocation Mismatch
5. Age of Account/Device Pair
6. ISP Watch List (high risk ISPs)
BUSINESS RULES FOR ACCOUNT TAKEOVER ATTEMPTS
Result REVIEW
Rule Set Payment
Rule Geolocation Mismatch
Score -1
Account 180155824
Device 3000000003169400

NORMAL & EXPECTED
Normal user activity from known devices, Geolocation
and good reputation.
EXAMPLE: Paying an established payee from a known
mobile device from a known Geolocation.
LOW RISK

ABNORMAL & EXPECTED
Unusual user activity from devices known to the
account and appropriate Geolocation.
EXAMPLE: Applying for multiple credit cards
in a short time period but from a known
device and appropriate Geolocation.
MEDIUM RISK

NORMAL & UNEXPECTED
Normal user activity but from new devices
or unusual geolocations.
EXAMPLE: Checking your credit card
balance from a known device but from
an unusual geolocation.
MEDIUM RISK

ABNORMAL & UNEXPECTED
Atypical user activity from devices with reputation,
suspicious Geolocation, behavior pattern concerns.
EXAMPLE: Multiple credit card applications come
through on the same device, but for different people.
HIGH RISK

Mobile Banking Security Risks and Consequences iovation2015

Recommended

Recommended

More Related Content

What's hot

What's hot (10)

Viewers also liked

Viewers also liked (17)

Similar to Mobile Banking Security Risks and Consequences iovation2015

Similar to Mobile Banking Security Risks and Consequences iovation2015 (20)

More from TransUnion

More from TransUnion (20)

Recently uploaded

Recently uploaded (20)

Mobile Banking Security Risks and Consequences iovation2015