PayThink

Banks will feel the pain from mobile payment fraud


Although the popularity of mobile technologies has greatly simplified day-to-day financial operations for end users, it has also given attackers a new avenue of attack. The costs of dealing with cybercrime incidents have reached the point where spending is now a major threat to the corporate bottom line.

The mobile technology payment market is expected to reach approximately $3.4 trillion by 2024, at a CAGR of 60% between 2018 and 2024 alone, according to Zion Market Research. A report by Worldpay says that in the U.S., mobile wallets are expected to surpass the use of both credit and debit cards by next year.

Banks lost $16.8 billion to cybercriminals in 2017, and given the high potential financial losses and potential reputational damage associated with software-based attacks and payments crime, it is crucial that firms take concrete steps to ensure mobile-application integrity.

The introduction of smart mobile devices for payments and financial services has created a new, target-rich environment for criminals to exploit. This means companies must now wage a never-ending battle, employing new techniques that tackle the persistent threats that infiltrate networks, with perimeter security slowly disappearing to be replaced by endpoint security. The connected world has changed the face of business, and almost every industry, especially the financial sector, must adopt a mobile strategy to address its customers’ security needs.

For decades, people who needed to do any kind of banking transaction had to go to the local branch and do business in person. People can now choose to do their banking, payments and other financial transactions online via mobile phones and tablets. The advantages of a mobile application over a physical visit to a bank are obvious: mobile banking is faster and more convenient for the user.

Security has been lagging behind the speed at which mobile banking services have evolved. Partly this is because mobile financial services is still a very young industry, without clear standards and significant regulation. To avoid financial losses, legal liability and damaged brand reputation in the long run, it is critical that financial companies take application security seriously and implement it correctly.

Although one might claim that mobile application attacks have not yet captured the same publicity as traditional major breaches, it would be unwise for security teams to delay or limit investment in a mobile security program. The No. 1 concern for mobile payment users is that their device will get hacked or their data will get intercepted, and there is a sound basis for these concerns. Given the ever-increasing use of mobile devices for mobile banking, it is inevitable that mobile security breaches will become the next headline.

For example, according to a Ponemon Institute report, 63% of organizations admitted that a security incident resulted from insecure mobile applications. Because mobile applications are very lucrative targets, there is little surprise that financial services have become a particularly threatened sector. In fact, no industry has a higher cost of cybercrime than financial services.

In the current threat environment, hackers can easily disassemble and attack mobile apps if proper application shielding methods are not being used. Alongside our customers’ ongoing concerns around security and fraud, the onus is now firmly on financial institutions to protect their customers’ personal information and money, as well as their own brand reputation.

Banks have no choice but to embrace mobile devices and channels to remain competitive; however, the trust of their customers is on the line in this digital transformation. Maintaining that hard-earned trust means they must have the ability to identify their digital users, and that they need a reliable way to determine the integrity of mobile devices and apps, all in an effort to ensure transactions are secure and private.

Since firms have a great deal more control over their back-end systems, they generally are able to achieve compliance with security standards when it comes to their in-house IT infrastructure. On the front end, however, mobile apps present vulnerabilities that are hard to control and offer a lucrative target for bad actors.

Certain behaviors have become particularly crucial risk vectors, with bank customers sometimes rooting or jailbreaking their devices, which serves as an invitation to cybercriminals much like leaving your front door open for passersby to see. However, most vulnerable activities are mistakes that stem from poor security hygiene, such as using weak passwords, delaying software updates or logging on to unsecured networks to conduct financial transactions.

Banks must mitigate these risks while also maintaining the convenience and security of the mobile experience, and have turned to a variety of software- and hardware-based approaches. While this has been effective in some cases, embedding security directly into mobile applications themselves, sometimes referred to as application shielding or runtime application self-protection (RASP), provides a unique framework for mobile application security in the banking and financial services sector.
