Mobile Banking Security Risks and Consequences iovation2015

Transcript of Mobile Banking Security Risks and Consequences iovation2015

MOBILE BANKING SECURITY: Risks and Consequences

© 2013 The Corporate Executive Board Company. All Rights Reserved.
CEB TowerGroup Retail Banking

ROADMAP FOR THE PRESENTATION

• Mobility, Privacy, & Security
• What’s in an Identity?
• Assessing Risks, Whether High or Low

HOW DO YOU DEFINE “IDENTITY”?

We tend to view identity in the sense of a collective set of information that informs a single entity, but each data point has identity as well.

i-den-ti-ty

1. The collective aspect of the set of characteristics by which a thing is definitively recognizable or known.
2. The set of behavioral or personal characteristics by which an individual is recognizable as a member of a group.
3. The quality or condition of being the same as something else.
4. The distinct personality of an individual regarded as a persisting entity; individuality.
5. Information, such as an identification number, used to establish or prove a person's individuality, as in providing access to a credit account.

Source: www.thefreedictionary.com/identity

USER-CENTRIC VIEW OF IDENTITY

Know Your Customer, or “KYC”, is a fundamental component of service delivery and security, and helps maintain various ways of establishing user identity.

ATTRIBUTE-CENTRIC VIEW OF IDENTITY

Persistent and non-persistent identities can be relatable to different people, devices, and financial instruments.

DEVICE-CENTRIC VIEW OF IDENTITY

Devices have as many identifiable characteristics and history of activity as their users do.

Phones, desktop PCs, mobile devices and other technology enablers have their own history.

MOBILE-DEVICE CENTRIC VIEW

Highly mobile, personalized, easily lost, extremely capable devices have identities as complex as individuals.

ROADMAP FOR THE PRESENTATION

• Mobility, Privacy, & Security
• What’s in an Identity?
• Assessing Risks, Whether High or Low

EVOLVING FFIEC GUIDANCE: LAYERED SECURITY EXPECTATIONS

FFIEC is a catalyst for adoption, not for development.

2001 Guidance provided a framework for risk-based analysis of electronic commerce, but made no specific recommendation.

2005 Guidance update replaced the 2001 document and further reinforced the need for 2-factor authentication and increased customer education.

Guidance timeline:
• Authentication in an Electronic Banking Environment, August 8, 2001
• Authentication in an Internet Banking Environment, October 12, 2005
• Supplement to Authentication in an Internet Banking Environment, June 28, 2011

• The 2011 Guidance Supplement states that a “layered security program will contain the following two elements, at a minimum.”
  – Detect and Respond to Suspicious Activity
    • At login and authentication
    • At initiation of transactions involving transfer of funds
  – Control of Administrative Functions
    • Business, or multi-user accounts require enhanced controls and tools for permission delegation

WHERE DO YOU DRAW THE LINE?

Not Fraud | Might be Fraud? | Definitely Fraud

The measure of responsibility is based on the FSI’s implementation of “commercially reasonable” controls, but also should be based on customer ease of use.

How do your risk assessments account for transactions that require additional security?

NORMAL V. ABNORMAL

What does an identity typically do? Previous activity, frequency, and relationships with other identities are key to consider.

FFIEC – “Fraud detection and monitoring systems that include consideration of customer history and behavior”

Sample transactions:

  Transaction     Location   Device    Recipient
  Debit $100      Known      Known     Associated
  Debit $100      Known      Unknown   Unassociated
  ACH $10K        Known      Unknown   Associated
  ACH $10K        Unknown    Known     Unassociated
  Credit $3500    Unknown    Known     Associated
  Credit $10K     Unknown    Known     Associated

HIGH V. LOW-RISK

Not all transactions are equal, and the type, amount, origin, destination, and other factors can be used to determine risk.

Which transactions deserve increased analysis and decisioning?

(Same sample transactions as on the NORMAL V. ABNORMAL slide.)

EXPECTED V. UNEXPECTED

Using only a specific history of activity can be too limiting, as infrequent but legitimate transactions occur, and introducing additional security is unwarranted.

How do you accommodate new spending patterns without impeding the customer?

(Same sample transactions as on the NORMAL V. ABNORMAL slide.)
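The tiering that the NORMAL V. ABNORMAL, HIGH V. LOW-RISK and EXPECTED V. UNEXPECTED slides describe, worked through in Python as an added example (not part of the CEB deck): the six transactions are the slide's sample table, while the factor weights, the per-customer history and the low/medium/high thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Txn:
    kind: str                  # "Debit", "ACH" or "Credit", as on the slide
    amount: int                # USD
    known_location: bool
    known_device: bool
    associated_recipient: bool

# Constructed customer history: the largest amount this identity has moved
# per transaction type. It stands in for "what does an identity typically do?"
HISTORY = {"Debit": 500, "ACH": 2500, "Credit": 3500}

def score(txn: Txn, history: dict = HISTORY) -> int:
    """Additive risk score from the slide's factors; weights are assumptions."""
    s = 0
    if not txn.known_location:
        s += 2
    if not txn.known_device:
        s += 3   # a new device is the strongest account-takeover signal here
    if not txn.associated_recipient:
        s += 3   # funds leaving for a recipient the customer never used
    # Expected vs. unexpected: judge the amount against this customer's own
    # history, so an in-pattern large transfer is not treated as abnormal.
    if txn.amount > history.get(txn.kind, 0):
        s += 2
    if txn.amount >= 10_000:
        s += 1   # large-value transfer regardless of history
    return s

def tier(txn: Txn, history: dict = HISTORY) -> str:
    """Map the score to the deck's low / medium / high treatment."""
    s = score(txn, history)
    if s <= 2:
        return "LOW"       # streamlined path, no extra friction
    if s <= 5:
        return "MEDIUM"    # step-up authentication
    return "HIGH"          # hold for review

# The six sample transactions from the NORMAL V. ABNORMAL slide.
SAMPLES = [
    Txn("Debit", 100, True, True, True),
    Txn("Debit", 100, True, False, False),
    Txn("ACH", 10_000, True, False, True),
    Txn("ACH", 10_000, False, True, False),
    Txn("Credit", 3_500, False, True, True),
    Txn("Credit", 10_000, False, True, True),
]

def tier_samples(history: dict = HISTORY) -> list:
    """Tier every sample transaction; returns [(description, tier), ...]."""
    return [(f"{t.kind} ${t.amount:,}", tier(t, history)) for t in SAMPLES]
```

Passing a different history to `tier` shows the expected-vs-unexpected point: the same $10K ACH drops from HIGH to MEDIUM once the customer's own record shows transfers of that size.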

ROADMAP FOR THE PRESENTATION

• Mobility, Privacy, & Security
• What’s an Identity?
• Assessing Risks, Whether High or Low

CEB TOWERGROUP RETAIL BANKING: MOBILE BANKING MATURITY CURVE

Financial institutions are focused now on building the first versions of mobile banking, adding functionality to attract users.

Mobile Banking Maturity Curve, 2012-2015 (chart; vertical axis: Adoption; phases: Achieving Critical Mass, Creating A Preferred Channel)
Source: CEB TowerGroup

• With higher than expected adoption rates occurring at most banks, it is now time to push for the return on investment both by enabling strategic marketing and measuring profitability and retention.
• While some first mover institutions are currently testing biometric authentication and ATM integration, 2015 is the forecasted date for large-scale deployment of these features.

Milestones plotted along the curve, 2012 through 2015:
• Basic Banking in Apps
• Comprehensive OS/Device Deployment
• Text Banking
• Critical Mass of Users
• Marketing & Sales Enablement
• Multi-Channel Integration
• Recognizable Security
• Loan Origination & Servicing
• ATM Integration
• Biometric Authentication

HOW WILL GUIDANCE CONTINUE TO EVOLVE?

With many organizations still striving to accommodate provisions under the 2011 FFIEC supplement, the possibility for another update is real, and likely needed.

Guidance timeline:
• Authentication in an Electronic Banking Environment, August 8, 2001
• Authentication in an Internet Banking Environment, October 12, 2005
• Supplement to Authentication in an Internet Banking Environment, June 28, 2011
• Authentication in a Highly Mobile Internet Banking Environment, 2014?

• Update to accommodate mobile on its way?
• While current guidance applies to mobile banking as well, mobile devices are referenced more as an out-of-band authentication method for online banking

AS OF 2013, FFIEC IS OUT-OF-DATE

Since 2011, mobile services, big data analytics, and fraud management services have evolved further still.

Current Guidance – Capability Gap Analysis

How do you respond to NON-suspicious activity?
• “High-risk” transactions may deserve special focus, but “low-risk” transactions should be considered as well.
• A risk-based approach should require more authentication for high-risk transactions, and an easier transaction path for low-risk ones.
• Streamlining the process for lower risk transactions alleviates staffing and can increase customer satisfaction.

The guidance takes a very user-centric view of identity
• Recognizes device identification as an authentication method.
• Is inclusive to other measures not specifically called out.

Mobile devices are not excluded or exempted, but special recognition is required.
• Mobile devices are still Internet-enabled and monitoring protections extend to them, so they are covered under the 2011 supplement. But with the evolution of mobile banking services, the guidance is incomplete.

CEB TOWERGROUP RETAIL BANKING: EVERY CHANNEL IN YOUR POCKET

Fully-integrated peripherals and a shared platform provide opportunities for real-time individual and collaborative service delivery.

Fully Integrated Peripherals and Shared Platform Provide Functions & Services and Integrated Peripherals, 2013 (figure)
Source: Mobile is an Opportunity for a More Secure Channel, CEB TowerGroup, May 2012

• There are single-point solutions, but mobile users will interact with FSIs through a single communications device.
• A customer servicing strategy must strive for a consistent experience across all mobile access points.
• All access points must be individually and collectively secured.

PRIVACY ≠ ANONYMITY

Consumers understand some of their information will be tracked, and expect the information to be used to service and secure their accounts.

Consumer Desired Mobile Functions (bar chart; bars read 41%, 43%, 44%, 46%, 51% and 54%)
• Sending automated bill pay reminders
• Depositing a check from my mobile phone
• Transferring money to accounts outside of my account
• Sending notice of a low balance
• Making a payment on a loan or a bill
• Sending notice of irregular account activity or changes to account notification

Source: Mobile Banking Survey Report, Varolli Corporation, January 2013

PRIVACY POLICIES MAKING THEIR WAY TO MOBILE

The White House, FTC, and EU Justice Commission, among others, are pushing for a consistent definition of privacy practices, and mobile devices garner special focus.

UI Composition Example for Mobile App Transparency Proposal (figure)
Source: National Telecommunications and Information Administration (NTIA)

© COPYRIGHT • IOVATION

WHAT WE DO

WE HELP BUSINESSES KNOW WHO TO TRUST THROUGH DEVICE REPUTATION.

DEVICE REPUTATION PROVIDER FOR: (client logos)

iovation, a recognized global leader

FINANCIAL SERVICES: TOP FRAUD ISSUES

  ISSUE                       TARGET                               DAMAGES
  New Account Origination     Bank; Consumer Identity; Merchant    Financial Loss; Operational Expense; Brand Damage; Customer Churn
  Risk-Based Authentication   Bank; Customers                      Account Takeover; Breach Notifications; Loss of Trust; Customer Churn
  Mobile Security             Bank; Customers                      Phones Compromised; Account Takeover; Customer Churn; Market Share

MOBILE BANKING ADOPTION: THE PRIMARY DRIVERS

• Consumers buying smartphones
• Convenience of mobile banking
• Timing coincided with bank starting to offer the service

Source: Federal Reserve System, Consumers and Mobile Financial Services, March 2013

MOBILE BANKING ADOPTION

“The use of mobile banking has increased by more than a third in the past year, and it appears likely to continue to increase as more and more consumers use smartphones.”
- FEDERAL RESERVE SYSTEM

MOST COMMON BANKING ACTIVITIES

ACCESS METHODS
• Mobile web browser
• Text messaging
• Mobile app

POPULAR ACTIVITIES
• Checking balances and recent transactions (33%)
• Transferring money between accounts (21%)
• Depositing checks (17%)
• Receiving text message alerts from bank (17%)
• Making bill payments (17%)

GENERAL REASONS FOR NON-ADOPTION

• Banking needs met without mobile usage (54%)
• Concern about security (49%)
• No reason to use it (47%)
• Do not own a smartphone (40%)
• Lack of trust in technology to process transactions properly (14%)
• Cost of data access on mobile phones (11%)
• Small size of mobile phone screen (10%)
• I don’t do the banking in my household (5%)

MOBILE SECURITY CONCERNS

SPECIFIC REASONS
• Hackers accessing their phone remotely (30%)
• Losing their phone or having it stolen (11%)
• Experiencing data interruption by a 3rd party (9%)
• Companies misusing personal information (3%)
• Malware or viruses being installed (2%)

MOST COMMON RESPONSE
• Concerned with all of these security risks (44%)

IOVATION’S VIEW: 2013 MOBILE USAGE GROWTH

  INDUSTRY             2012   JAN – JULY   JULY
  All                  15%    17%          19%
  Financial Services   11%    18%          20%
  Dating / Social      14%    25%          30%
  Retail                7%    12%          14%

IOVATION SERVICES

Find Who’s Bad. Know Who’s Good.

WHAT WE DO

1. IDENTIFICATION: Has this device been seen before?

ASSOCIATING RELATED DEVICES

Tie together fraud that may be happening on the web. Implement iovation’s SDKs into your mobile banking apps to uncover related devices in iovation’s global shared network.

MOBILE EMULATION DETECTION

• Business Rule
  • Triggers when the device does not have iOS or Android as its native operating system

WHAT WE DO

1. IDENTIFICATION: Has this device been seen before?
2. EVIDENCE: Has anyone had a bad experience?

FRAUD & ABUSE EVIDENCE TYPES

FINANCIAL
• Credit Card Fraud
• ACH/Debit Fraud
• Friendly Chargeback
• Insufficient Funds
• Potential Fraud
• Shipping Fraud
• Counterfeit Money Order
• Click Fraud
• Affiliate Fraud
• First Party Fraud
• Loan Default

MISCONDUCT
• Chat Abuse
• Spam
• Abusive to Support
• Promotion Abuse
• Policy Violations
• Customer Harassment
• Inappropriate Content
• Profile Misrepresentation
• Solicitation
• Code Hacking
• Arbitrage Betting
• Gold Farming

CHEATING
• Collusion
• Chip Dumping
• All-in Abuse
• Trading Restriction

ID THEFT
• True Identity Theft
• Synthetic Identity Theft
• Phishing
• Account Takeover

B2B FINANCIAL
• Business Identity Theft
• Fictitious Business
• Business Takeover
• Dealer Fraud
• Payment Evasion
• Business Misrepresentation

OTHER
• High Risk
• Under or Over Age
• Requested Exclusion

VALUE OF SHARING

Sharing automatically gives you access to fraud evidence placed by other iovation clients.

3X INCREASE IN FRAUD CATCH
4X INCREASE IN FRAUD CATCH

VALUE OF CROSSOVER

Financial Services bad device crossover with other industries: 57%

Bad devices are 2X as likely to be seen by other online sites.

WHAT WE DO

1. IDENTIFICATION: Has this device been seen before?
2. EVIDENCE: Has anyone had a bad experience?
3. ASSOCIATIONS: Does the device have connections?

NORMAL ASSOCIATIONS: GOOD GUY
(diagram: GOOD ACCOUNTS – DEVICES)

ABNORMAL: REPEAT OFFENDER
(diagram: GOOD ACCOUNTS – DEVICES – BAD ACCOUNTS)

ABNORMAL: FRAUD RING
(diagram: GOOD ACCOUNTS – DEVICES – BAD ACCOUNTS)

WHAT WE DO

1. IDENTIFICATION: Has this device been seen before?
2. EVIDENCE: Has anyone had a bad experience?
3. ASSOCIATIONS: Does the device have connections?
4. ANOMALIES: Have any anomalies been found?

POWERFUL RULES ENGINE: MAKE IT WORK FOR YOU

• Geolocation: Evaluate location by country, region, city, ISP. Peer through proxies with Real IP.
• Evasion: Analyze device characteristics to flag users attempting to skirt recognition.
• Evidence: Tap millions of fraud records such as credit card fraud or account takeover attempts.
• Velocity: Set thresholds to detect excessive activity such as creation of multiple accounts.

BUSINESS RULES FOR ACCOUNT TAKEOVER ATTEMPTS

1. Evidence Exists (known fraud)
2. Country List (high risk &/or sanctioned countries in both real and stated IPs)
3. Accounts per Device
4. Geolocation Mismatch
5. Age of Account/Device Pair
6. ISP Watch List (high risk ISPs)

Sample rule hit:
  Result    REVIEW
  Rule Set  Payment
  Rule      Geolocation Mismatch
  Score     -1
  Account   180155824
  Device    3000000003169400
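The six account-takeover rules above, plus the mobile emulation business rule from the earlier MOBILE EMULATION DETECTION slide, evaluated over device history in Python as an added example (not iovation's code): the rule names follow the slides, while the per-rule weights, the REVIEW/DENY thresholds, the country and ISP lists and the two device histories are constructed assumptions. The first scenario reproduces the shape of the slide's sample hit (a lone Geolocation Mismatch scoring -1 and landing in REVIEW).

```python
from dataclasses import dataclass, field

# Constructed lookup tables (placeholders, not real sanctions or ISP lists).
HIGH_RISK_COUNTRIES = {"ZZ"}
ISP_WATCH_LIST = {"watchlisted-isp.example"}

@dataclass
class Device:
    device_id: str
    os: str                                     # native OS reported by the SDK
    accounts: set = field(default_factory=set)  # accounts seen on this device
    evidence: list = field(default_factory=list)  # shared fraud evidence
    pair_first_seen: dict = field(default_factory=dict)  # account -> day

@dataclass
class Event:
    account: str
    device: Device
    real_ip_country: str   # country of the Real IP, with any proxy peeled back
    stated_country: str    # country the session or profile claims
    isp: str
    day: int               # constructed day counter used for pair age

def evaluate(ev: Event, rule_set: str = "Payment") -> dict:
    """Apply the slide's six ATO rules plus mobile emulation; scores are negative like the slide."""
    d = ev.device
    hits = []
    if d.evidence:                                   # 1. Evidence Exists
        hits.append(("Evidence Exists", -5))
    if {ev.real_ip_country, ev.stated_country} & HIGH_RISK_COUNTRIES:
        hits.append(("Country List", -3))            # 2. checks real and stated IPs
    if len(d.accounts | {ev.account}) > 3:           # 3. Accounts per Device
        hits.append(("Accounts per Device", -2))
    if ev.real_ip_country != ev.stated_country:      # 4. Geolocation Mismatch
        hits.append(("Geolocation Mismatch", -1))
    first = d.pair_first_seen.get(ev.account, ev.day)
    if ev.day - first < 7:                           # 5. Age of Account/Device Pair
        hits.append(("Age of Account/Device Pair", -1))
    if ev.isp in ISP_WATCH_LIST:                     # 6. ISP Watch List
        hits.append(("ISP Watch List", -2))
    if d.os not in ("iOS", "Android"):               # mobile emulation business rule
        hits.append(("Mobile Emulation", -2))
    score = sum(s for _, s in hits)
    result = "ALLOW" if score == 0 else "REVIEW" if score > -5 else "DENY"
    return {"result": result, "rule_set": rule_set, "rules": [r for r, _ in hits],
            "score": score, "account": ev.account, "device": d.device_id}

# Constructed scenario A: known iOS phone paired with the account for a month,
# but the Real IP country differs from the stated one.
KNOWN_PHONE = Device("dev-A", "iOS", {"acct-1"}, [], {"acct-1": 1})
MISMATCH = Event("acct-1", KNOWN_PHONE, "DE", "US", "home-isp.example", 30)

# Constructed scenario B: non-mobile OS carrying shared evidence and many accounts.
EMULATOR = Device("dev-B", "Linux", {"a1", "a2", "a3", "a4"}, ["Account Takeover"], {})
RING = Event("a5", EMULATOR, "US", "US", "watchlisted-isp.example", 30)
```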

NORMAL & EXPECTED: LOW RISK

Normal user activity from known devices, Geolocation and good reputation.
EXAMPLE: Paying an established payee from a known mobile device from a known Geolocation.

ABNORMAL & EXPECTED: MEDIUM RISK

Unusual user activity from devices known to the account and appropriate Geolocation.
EXAMPLE: Applying for multiple credit cards in a short time period but from a known device and appropriate Geolocation.

NORMAL & UNEXPECTED: MEDIUM RISK

Normal user activity but from new devices or unusual geolocations.
EXAMPLE: Checking your credit card balance from a known device but from an unusual geolocation.

ABNORMAL & UNEXPECTED: HIGH RISK

Atypical user activity from devices with reputation, suspicious Geolocation, behavior pattern concerns.
EXAMPLE: Multiple credit card applications come through on the same device, but for different people.

Thank You