The COVID-19 pandemic has accelerated digital enablement at banks through online and mobile banking. With most countries worldwide now experiencing a second and third wave of the pandemic, leading to limitations on assisted services, banks globally are encouraging customers to register for mobile banking to fulfill their common banking needs. A 2020 mobile banking survey by JD Power shows that 37% of retail banking customers are now using mobile banking more frequently than before. At the same time, security threats to mobile banking apps have increased significantly. Kaspersky’s Q2 2020 statistics on IT threat evolution show that of the 1.2 million+ malicious mobile installers detected, close to 39,000 were related to mobile banking trojans, highlighting the amplification of attacks on mobile banking apps globally.
Broadly speaking, the following three areas of mobile banking require reinforced identity verification and authentication:
- Mobile banking registration
- Financial transactions
One of the best practices to prevent fraudulent mobile banking usage is to leverage mobile intelligence to bind the device, the app, and the phone number used to access the service. Legacy registration methods use a combination of card details and an SMS-based one-time-passcode to authenticate a customer. This approach, however, results in inadequate binding between the device and the phone number, weakening the security of subsequent transactions such as mobile banking login. A fraudster likely having access to customers’ access codes secured via phishing malware can gain unauthorized access to their mobile banking account.
Checking for the Possession of the phone at the time of registration and subsequent access to mobile banking services are crucial. Modern identity authentication methods such as Mobile Auth connect to mobile networks and leverage mobile data intelligence to ensure that the device used to access the service is indeed linked to the phone number being used for the service. Using Mobile Auth for authentication and device binding also removes the dependency on SMS-based one-time-passcodes, which are increasingly being compromised through malicious activities such as OSR attacks, SIM swaps, and SMS malware.
Mobile banking apps are also highly susceptible to SIM swap attacks. SIM swapping, also known as ‘SIM splitting’ or ‘SIM jacking,’ is a fraudulent activity through which a fraudster takes complete control of users’ phone accounts by either porting or cloning their SIM without their knowledge. A common menace in the US for many years now, SIM swap has been on the rise in the UK for the past five years, where approximately half of the country uses mobile for banking activities. The Reputation of a phone number must be established in real time to fight SIM swap. Mobile intelligence data provides credible insights into SIM swaps and other usage attributes and events. This data can then be combined with behavioral patterns and historical data from other authoritative sources to score the trustworthiness of a transaction algorithmically. Every instance of login or a financial transaction on the mobile banking app can be assessed for a Trust Score™ before approval.
While the need to secure mobile banking apps is beyond debate, doing so at the cost of ease of use, speed, and convenience hampers adoption and usage. An optimal balance between security and user experience is essential to ensure growth in mobile banking usage. In addition to strengthening security, a combination of Mobile Auth and Trust Score™ helps significantly improve customer experience by reducing the need to subject users to exceptional flows. A higher score implies a higher confidence level and, hence, better pass rates. By reducing dropouts, a frictionless customer experience improves mobile banking signups and the frequency of subsequent usage.