COVID-19 forced the acceleration of digital enablement at banks and put online and mobile banking in the spotlight. With most parts of the globe now experiencing a second and third wave of the pandemic leading to limitations on assisted services, banks globally are encouraging customers to register for mobile banking to fulfill their common banking needs. A 2020 mobile banking survey by JD Power shows that 37% of retail banking customers are now using mobile banking more frequently than before. At the same time, security threats to mobile banking apps have also seen a significant increase during this period. Kaspersky’s 2020 Q2 statistics on IT threat evolution show that of the 1.2 million+ malicious mobile installers detected, close to 39,000 were related to mobile banking trojans, highlighting the amplification of attacks on mobile banking apps globally.
There are broadly three areas of mobile banking that require reinforced identity verification and authentication.
One of the best practices to prevent fraudulent mobile banking usage is to bind the device, the app, and the phone number used to access the service by leveraging mobile intelligence data. Legacy registration methods use a combination of card details and an SMS-based one-time passcode to authenticate the customer. This approach, however, results in inadequate binding between the device and the phone number, weakening the security of subsequent transactions such as mobile banking login. A fraudster who has obtained the customer’s access codes via phishing malware can then gain unauthorized access to the mobile banking account.
It is, therefore, important to check for Possession at the time of registration and at every subsequent access to mobile banking services. Modern identity authentication methods such as Mobile Auth connect to mobile networks and leverage mobile data intelligence to verify that the device used to access the service is indeed linked to the phone number being used for the service. Using Mobile Auth for authentication and device binding also removes the dependency on SMS-based one-time passcodes, which are increasingly compromised through means such as OSR attacks, SIM swaps, and SMS malware.
Mobile banking apps are also highly susceptible to SIM swap attacks. SIM swapping, also known as ‘SIM splitting’ or ‘SIM jacking,’ is a fraud in which the attacker takes complete control of a user’s phone account by porting or cloning the SIM without the user’s knowledge. A common menace in the US for many years, SIM swap has been on the rise in the UK over the last five years, where approximately half of the country uses mobile for banking activities. Fighting SIM swap requires the Reputation of a phone number to be established in real time. Mobile intelligence data gives credible insights into SIM swaps and other usage attributes and events. This data can then be combined with behavioral patterns and historical data from other authoritative sources to score the trustworthiness of a transaction algorithmically. Every login or financial transaction on the mobile banking app can be assessed for a Trust Score™ before approval.
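The two ideas above, binding the device and app instance to a phone number at registration only after a possession check, and scoring every later login from carrier signals (SIM swap recency, port recency, number tenure, device linkage) combined with the bank's own behavioural data, can be sketched in code. The following is an added example written for this page; it is not Prove's Mobile Auth or Trust Score™ implementation. The signal field names, penalty weights, thresholds and sample values are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class MobileSignals:
    """Attributes a mobile-intelligence lookup might return for one request.
    Field names and values are constructed for this example, not a real API."""
    phone_number: str
    device_id: str                    # handset presenting the request
    network_device_id: Optional[str]  # handset the carrier currently links to the number
    sim_swap_days_ago: Optional[int]  # None = no SIM change on record
    port_days_ago: Optional[int]      # None = number never ported
    number_tenure_days: int           # how long the subscriber has held the number
    logins_last_hour: int             # behavioural velocity signal from the bank's own logs


@dataclass
class Decision:
    score: int                        # 0..100, higher = more trustworthy
    action: str                       # "allow", "step_up" or "deny"
    reasons: List[str] = field(default_factory=list)


class BindingRegistry:
    """Records the (device, app instance) bound to each phone number at registration."""

    def __init__(self) -> None:
        self._bindings: Dict[str, Tuple[str, str]] = {}

    def register(self, signals: MobileSignals, app_instance_id: str) -> None:
        # Possession check: bind only when the carrier links this very handset to the number.
        if signals.network_device_id != signals.device_id:
            raise ValueError("possession check failed: device not linked to phone number")
        self._bindings[signals.phone_number] = (signals.device_id, app_instance_id)

    def matches(self, phone_number: str, device_id: str, app_instance_id: str) -> bool:
        return self._bindings.get(phone_number) == (device_id, app_instance_id)


def trust_score(signals: MobileSignals, binding_ok: bool) -> Decision:
    """Start from full trust and subtract for each risk indicator (weights are assumptions)."""
    score, reasons = 100, []
    if not binding_ok:
        score -= 40
        reasons.append("device/app not bound to this number")
    if signals.network_device_id != signals.device_id:
        score -= 30
        reasons.append("carrier does not link device to number")
    if signals.sim_swap_days_ago is not None:
        if signals.sim_swap_days_ago <= 7:
            score -= 50
            reasons.append("SIM swapped within 7 days")
        elif signals.sim_swap_days_ago <= 30:
            score -= 20
            reasons.append("SIM swapped within 30 days")
    if signals.port_days_ago is not None and signals.port_days_ago <= 30:
        score -= 20
        reasons.append("number ported within 30 days")
    if signals.number_tenure_days < 30:
        score -= 10
        reasons.append("number held less than 30 days")
    if signals.logins_last_hour > 5:
        score -= 15
        reasons.append("unusual login velocity")
    score = max(0, min(100, score))
    action = "allow" if score >= 70 else "step_up" if score >= 40 else "deny"
    return Decision(score, action, reasons)


def evaluate_login(registry: BindingRegistry, signals: MobileSignals, app_instance_id: str) -> Decision:
    bound = registry.matches(signals.phone_number, signals.device_id, app_instance_id)
    return trust_score(signals, bound)


def demo() -> Dict[str, Decision]:
    """Three constructed scenarios: a trusted login, a post-SIM-swap login, a borderline one."""
    registry = BindingRegistry()
    phone = "+15555550100"  # constructed sample number
    # Registration from the customer's own handset: the carrier confirms possession.
    registry.register(MobileSignals(phone, "dev-A", "dev-A", None, None, 900, 1), "app-1")
    results: Dict[str, Decision] = {}
    results["trusted"] = evaluate_login(
        registry, MobileSignals(phone, "dev-A", "dev-A", None, None, 900, 1), "app-1")
    # After a SIM swap the carrier links the number to the new handset, so a bare possession
    # check passes; the swap recency and the missing binding still catch it.
    results["sim_swap"] = evaluate_login(
        registry, MobileSignals(phone, "dev-B", "dev-B", 1, None, 900, 1), "app-2")
    # Bound device, older swap, high velocity: route to an exceptional flow rather than deny.
    results["step_up"] = evaluate_login(
        registry, MobileSignals(phone, "dev-A", "dev-A", 20, None, 900, 7), "app-1")
    return results


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:9s} score={d.score:3d} action={d.action:8s} {d.reasons}")
```

The point the scenarios make is the one the text makes: a possession check alone passes after a successful SIM swap, because the carrier now links the number to the attacker's handset, so the registration-time binding and the swap-recency signal have to be scored together. The step-up band is what keeps the score from forcing every borderline login into a denial, which is the friction trade-off discussed next.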
While the need to secure mobile banking apps is beyond debate, doing so at the cost of ease of use, speed, and convenience hampers adoption and usage. It is therefore essential to strike an optimal balance between security and user experience to ensure growth in mobile banking usage. Apart from the obvious intent of strengthening security, a combination of Mobile Auth and Trust Score™ also significantly improves customer experience by reducing the need to subject users to exceptional flows. A higher score implies a higher confidence level and hence better pass rates. A frictionless customer experience is known to reduce dropouts, improving mobile banking signups and the frequency of subsequent usage.