Mobile banking is an easy target for criminals. Bernard Rono from NetGuardians outlines how banks and their customers are exposed, and sets out what to look for in a solution
With retail mobile banking (mbanking) payments of around $507bn last year, it is clear that banks will continue to mine the rich seam of mobile technologies for new business. But as the services offered over mbanking grow, so too does the threat of fraud – exposing banks to new reputational risks, and their clients to devastating losses.
When it comes to mbanking, the task of protecting accounts is complex because customers have full control over where and when they initiate mbanking transactions – for example, whether they choose to use private (encrypted) or public Wi-Fi networks to conduct business.
Often, customers don’t know when they are putting themselves at risk, and this lack of awareness is probably the biggest problem banks face. In reality, all stakeholders need to be on board in the fight against fraud, including the banks themselves, aggregators and third-party vendors, and clients. By educating all stakeholders and looking across every aspect of their behavior, fraud-monitoring services become holistic and more effective.
So how are fraudsters breaching traditional risk controls in mobile services, and how can they be stopped?
While digitization can reduce fraud because digital money trails are easy to track, it is also the case that mbanking has created new opportunities for fraudsters to access bank accounts. In addition, the large volumes of data generated by mobile banking are in themselves valuable to criminals.
Fraudsters’ activities fall into three broad categories based on where the fraud has been committed: transaction fraud, channel fraud, and internal fraud. By far the biggest driver of fraud in mbanking is identity theft, which extends across all three.
Transaction fraud includes events such as return/reverse fraud, where a customer asks to reverse successful transactions; phishing and SIM-switching frauds, where the fraudster gathers personal details such as account numbers and personal identification data from phone calls or text messages; and sending fake texts to make a customer believe a transaction was successful, often accompanied by a reversal request.
Channel fraud includes false transactions, where agents fail to transfer funds into customer accounts; account takeover, in which a SIM swap or stolen account details are used to perform transactions; virus and malware attacks; and split transactions, where agents bump up their commissions by dividing large sums into several smaller ones. Finally, internal fraud includes identity theft and collusion.
In each of these cases, prevention is better than cure – so educating customers on how to keep their identities and transactions safe while using mbanking services is not only sensible but vital to combating fraud. For banks and their staff, education means keeping up with the fraudsters’ ever-changing methods. It’s a constant game of cat and mouse, with banks pre-empting the criminals before they find new ways to attack.
A relatively new and increasingly prevalent fraud, for example, targets banks’ instant inter-bank money transfers on mbanking platforms. A typical scenario goes like this: the fraudster gets hold of a customer’s details, including their mobile phone number, and performs a SIM swap. With the phone number under their control, the fraudster downloads the mbanking application and calls customer care to reset the password; using the stolen customer data, they are able to pass all customer care checks.
Armed with a new password, they have access to the bank account, which they empty, transferring the cash to new, hard-to-trace accounts. In some instances, money is moved out of the country using electronic fund transfers such as SWIFT, or cashed out using agency banking and mobile money services.
Banks’ traditional static rules and post-transaction alerts have proven unable to stop this type of fraud. This is because such systems look for a single anomaly associated with a transaction to raise an alert. But when a fraudulent transaction doesn’t look suspicious against static rules such as password protections, it is allowed to go ahead. The fraudster has long gone, along with the cash, by the time an alert is raised.
But that’s not the only problem with the rules. Because they are static, they don’t anticipate or accommodate customers’ changing behavior – traveling abroad, for example. This leads to unacceptably high rates of false-positive alerts, which have to be investigated. This wastes staff resources and adversely affects the customer experience.
Far more effective is a system that correlates multiple variables in real time, such as the time and location of the transaction, its destination, the device language, whether the transaction is a one-off or one in a series, and many more, to give each transaction a risk score. Combined with machine learning, this allows the bank to build up accurate, dynamic, 360-degree customer profiles.
Any transaction with an unacceptably high risk score is deemed fraudulent and blocked in real time. This is how NetGuardians’ enterprise risk-management platform works, and it has proven successful.
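As an added illustration, not NetGuardians’ product code, here is a minimal Python model of the contrast drawn above: a static single-anomaly rule that looks only at the password, beside a score that correlates device, language, location, time, beneficiary and session history. The customer profile, signal weights, threshold and sample transactions (a SIM-swap takeover as in the scenario described earlier, and a customer paying a known payee while travelling) are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed profile of one customer's normal behaviour (illustrative, not real data).
@dataclass
class Profile:
    home_countries: frozenset
    usual_hours: range            # local hours the customer normally transacts in
    device_language: str
    known_devices: frozenset
    known_beneficiaries: frozenset
    transfers_last_hour: int = 0  # transfers already made in the past hour

@dataclass
class Transaction:
    country: str
    hour: int
    device_id: str
    device_language: str
    beneficiary: str
    password_ok: bool
    minutes_since_password_reset: int = -1  # -1: no recent reset

def static_rule(tx: Transaction) -> str:
    """Single-anomaly check: only the credential is examined."""
    return "allow" if tx.password_ok else "block"

def risk_score(tx: Transaction, p: Profile) -> tuple[int, list[str]]:
    """Correlate several weak signals; each alone is explainable, together they are not."""
    checks = [
        (tx.device_id not in p.known_devices, 25, "unknown device"),
        (tx.device_language != p.device_language, 15, "device language changed"),
        (tx.country not in p.home_countries, 15, "unusual country"),
        (tx.hour not in p.usual_hours, 10, "outside usual hours"),
        (tx.beneficiary not in p.known_beneficiaries, 20, "new beneficiary"),
        (0 <= tx.minutes_since_password_reset < 60, 25, "password reset minutes ago"),
        (p.transfers_last_hour >= 2, 15, "one of a rapid series"),
    ]
    hits = [(w, why) for fired, w, why in checks if fired]
    return sum(w for w, _ in hits), [why for _, why in hits]

def decide(tx: Transaction, p: Profile, threshold: int = 60) -> tuple[str, int, list[str]]:
    # Block in real time once the correlated score crosses the threshold (assumed value).
    score, reasons = risk_score(tx, p)
    return ("block" if score >= threshold else "allow"), score, reasons

# Constructed samples: a SIM-swap takeover (new device, fresh password reset, new payee)
# and a legitimate customer paying a known payee while travelling abroad.
ALICE = Profile(frozenset({"CH"}), range(7, 22), "de", frozenset({"phone-1"}), frozenset({"rent-acct"}))
TAKEOVER = Transaction("CH", 3, "phone-9", "en", "new-acct", True, minutes_since_password_reset=12)
ABROAD = Transaction("ES", 12, "phone-1", "de", "rent-acct", True)
```

The takeover passes the static rule because the password is correct, yet scores 95 and is blocked; the travelling customer trips only the country signal (15) and is allowed, which is exactly the false positive a static “foreign country” rule would have raised.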
According to our research, the number of false positives is dramatically cut – by up to 80 percent – and the bank protects customers’ funds by spotting fraud before it is completed. Banks also see a 60 percent drop in fraud and spend 93 percent less time dealing with alerts. The results are clear. Banks can offer customers far more effective protection against mbanking fraud, using intelligent systems that are constantly checking multiple variables in real time. Just like mbanking users, fraudsters do not keep still, and neither should a bank’s risk controls.