Dear banks: It’s time to take mobile fraud (more) seriously

Mobile fraud is already more than half of the average high-risk traffic according to NuData analysts.

Earlier this week, security firm Positive Technologies released its annual report that looks at vulnerabilities in financial applications. Interestingly, the number of vulnerabilities discovered has fallen, which means banking apps and websites are getting safer.

But despite this encouraging trend, security shortcomings remain a menace for banks and clients, with two-thirds of online banking systems still containing at least one critical vulnerability. The report found high-risk vulnerabilities on 90 percent of systems in 2015; by 2016 this number had dropped to 71 percent, and in 2017 it fell further to 56 percent.

Each e-banking system analyzed in 2017 contained, on average, seven vulnerabilities, up from six in 2016. High- and medium-risk vulnerabilities made up a smaller share of that total, yet only a third of online banks were free of critical vulnerabilities in 2017, whereas in 2016 all financial web applications except one had at least one.

The most common online bank vulnerabilities in 2017 were cross-site scripting (75% of systems) and poor protection from data interception (69%), allowing attacks such as reading cookie values or stealing customer credentials. Over half of online banks (63%) had “insufficient authorization,” a critical vulnerability that enables an attacker to obtain unauthorized access to web application functionality intended for privileged users.

Thanks to the omnichannel experience, users can jump to and from web and mobile applications. Fraudsters can do the same, looking for the path of least resistance to commit fraud, which is why mobile fraud is now growing. More than 50% of the account takeover attacks across NuData clients come in via native apps and enterprise APIs. This is the biggest risk point today, far more than desktop.

While fewer critical vulnerabilities are good news, this doesn’t mean customer accounts are protected. All the data exposed by the endless stream of breaches makes it easier to find working username and password combinations. Today, a fraudster doesn’t need to break a system to access sensitive data.

One way for financial institutions to protect their customers’ accounts – and, in turn, their business – is to implement security tools that don’t rely on the data provided by the customer.

Multi-layered solutions that include passive biometrics, such as NuDetect, provide enhanced account protection that doesn’t rely on static data. Passive biometrics monitors the user’s inherent behavior, such as how they type or hold the device – making this information impossible for bad actors to steal or replicate. This way, even if the static data has been stolen, decrypted, and is ready to be used, bad actors can’t take over the account.
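As an added illustration of the idea (not NuDetect’s code and not from the original post), here is a simplified keystroke-rhythm check: an account’s enrolled typing profile is compared with the rhythm of a login attempt, so a replayed stolen password typed with a foreign rhythm is stepped up even though the static credentials match. The key names, timings, 5 ms standard-deviation floor and 2.5 threshold are all constructed for the example.

```python
# Constructed illustration of a passive-biometrics keystroke-rhythm check.
# Not NuDetect's code; key names, timings and the threshold are made up.
from statistics import mean, stdev

def features(events):
    # events: ordered (key, press_ms, release_ms); dwell = hold time, flight = gap to next key
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight

def enroll(sessions, min_std_ms=5.0):
    # Per-position mean/std profile from several genuine sessions; std is floored
    # so a very consistent typist does not produce runaway z-scores.
    dwells = [features(s)[0] for s in sessions]
    flights = [features(s)[1] for s in sessions]
    return {
        "dwell": [(mean(c), max(stdev(c), min_std_ms)) for c in zip(*dwells)],
        "flight": [(mean(c), max(stdev(c), min_std_ms)) for c in zip(*flights)],
    }

def anomaly_score(profile, events):
    # Mean absolute z-score of the attempt against the enrolled profile.
    dwell, flight = features(events)
    zs = [abs(x - m) / s for (m, s), x in zip(profile["dwell"], dwell)]
    zs += [abs(x - m) / s for (m, s), x in zip(profile["flight"], flight)]
    return mean(zs)

def decide(profile, events, credentials_ok, threshold=2.5):
    # Correct static credentials alone never suffice: a foreign rhythm is stepped up.
    if not credentials_ok:
        return "deny"
    return "allow" if anomaly_score(profile, events) < threshold else "step-up"

def make_session(dwells, flights, start=0):
    # Build an event list from per-key dwell times and between-key flight times.
    events, t = [], start
    for i, d in enumerate(dwells):
        events.append((f"k{i}", t, t + d))
        t += d + (flights[i] if i < len(flights) else 0)
    return events

# Three genuine enrolment sessions for the same five-key secret (constructed).
GENUINE = [
    make_session([90, 85, 95, 88, 92], [120, 110, 130, 115]),
    make_session([88, 90, 92, 86, 94], [125, 105, 128, 118]),
    make_session([94, 82, 90, 90, 90], [118, 112, 135, 112]),
]
# The same secret replayed by someone else: short dwell, long gaps (constructed).
ATTACKER = make_session([40, 45, 38, 42, 44], [300, 280, 320, 290])
PROFILE = enroll(GENUINE)
```

In practice the profile would be built from many sessions, combined with other behavioral signals and a risk engine, and "step-up" would route to a stronger authentication factor rather than a hard deny.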
