By Michael Lynch, chief strategy officer, InAuth
In April, the Federal Financial Institutions Examination Council released updated security guidelines for mobile banking and payments.
The 18-page update, Appendix E: Mobile Financial Services, is a marked contrast to the previous update to the FFIEC IT Examination Handbook in June 2011. Unlike that entry, which was criticized as vague, Appendix E is extremely detailed and loaded with specific guidance for financial institutions to ensure that their mobile transactions are secure.
The clear signal is that regulators recognize mobile as the future of banking. According to Javelin Strategy & Research, the use of mobile banking surpassed branch banking for the first time in 2015.
The same report projects that 81 percent of U.S. adults will use mobile banking by 2020. According to Daniel Van Dyke of Javelin, "Mobile is on a growth path to unseat PCs to become the 'first screen' through which bank customers interact with and judge their primary financial institution."
While the FFIEC guidance does call attention to serious mobile threats, the good news is that mobile devices can actually be more secure than PCs. There are a number of sections of the FFIEC recommendation where next generation device intelligence technology can enable FIs to mitigate risk in the mobile channel and satisfy these recommendations.
For example, the report discusses risk identification (AppE.3). The new guidance outlines specific vulnerabilities of mobile-enabled web sites, warning that mobile web browsers are common starting points for malicious attacks, redirection to malicious URLs, and malware infections.
However, mobile banking apps expose more attributes for identification purposes than a browser on a desktop or laptop does. These include access times, SIM card changes, and approximate location.
As these attributes can be used to establish a higher degree of device trustworthiness, FIs should drive customers to the mobile banking app rather than a desktop or laptop browser in order to better assess the riskiness of the device and realize stronger security advantages.
Operational risk is addressed in AppE.3.b of the guidelines. It's critical for FIs to have a mobile security platform that leverages device intelligence, and comprehensive malware and crimeware detection and identification should be a high priority, specifically for financial fraud. These additional controls are necessary in order to allow customers to access their accounts and transact online safely. Identifying when malicious tools are in use and blocking access protects the privacy of customer information and identity, as well as protecting FIs from financial losses.
Section AppE.3.b(i) discusses SMS technology risk. This is another area where device intelligence technology can be innovatively used to enhance mobile security. Fraudsters know that a common added challenge mechanism—the "step up authentication"—often uses SMS messages to send one-time codes.
When a customer is engaged in a PC browser session, SMS risk can be avoided by utilizing secure messaging within their mobile app—communicating from the bank server to the application—without any external communication. Not only is this method more secure due to encryption, it delivers a superior user experience.
If an SMS to a mobile device is the only available option, FIs need to ensure that there is no malware, such as key loggers or SMS forwarders, that can intercept an SMS and act on it in a hidden session. It's important not to include account information or other sensitive information in this transmission, and to educate customers on the specific type of SMS messages the FI will send and on the different phishing techniques employed by fraudsters via SMS.
In Section AppE.3.b(iii) of the FFIEC addendum, the guidelines address mobile application risk and the challenge of rooting and jailbreaking a device. Rooting or jailbreaking a mobile device removes the default operating system controls placed on the devices by the OS providers. Breaking the OS controls makes devices more susceptible to malicious programs from third-party app stores or phishing attacks and allows the installation of criminal tools. Criminals have also discovered that FIs are now checking for root status and are attempting to hide the fact that the devices are rooted or jailbroken so they remain undetected.
Rooting or jailbreaking a device doesn't necessarily mean it's a bad device or a bad user on the other end, but it is a very important fraud/risk signal for device integrity. Users cloaking root or hiding jailbreak for the purpose of evading detection is a clear signal of heightened risk. Since a customer can be vulnerable to downloading and interacting with a malicious application that is impersonating a bank's application—particularly on a rooted or jailbroken device—application validation is necessary to confirm the integrity of the bank's mobile app by identifying any potential tampering. Device intelligence platforms can help both with rooting and jailbreaking detection and provide application validation for your mobile application platform.
Section AppE.5.b cites operational risk mitigation. To mitigate operational risk, FIs need to support a layered security approach and validate the riskiness of a device by including more suspicious activity indicators — such as velocity, anomalies, integrity, location, and device reputation — as part of their device risk assessment.
Also critical are transaction monitoring and geolocation techniques to identify anomalous activity. FIs should broaden their view of anomalous activity to a range of factors such as unusual customer access times, location inconsistencies, SIM card changes, analysis of make, model, and OS version, and other criteria.
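The following is an added example, not code from the article or from InAuth, showing how the integrity signals discussed under AppE.3.b(iii) (root or jailbreak status, hidden root, app tampering) and the layered indicators discussed under AppE.5.b (SIM change, access time, location inconsistency, login velocity, device reputation) can be combined into a single device risk assessment. The weights, thresholds, field names, the `root_cloaked` flag (assumed to be reported by an upstream integrity SDK) and the sample sessions are all constructed for the illustration.

```python
"""Layered device-risk assessment for a mobile banking login (added example).

Not the article's or InAuth's code. Weights, thresholds and field names are
assumptions; the profiles and sessions below are constructed test data.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import math

# Constructed allowlist: SHA-256 of the certificate the bank signs its app with.
# A real deployment loads this from configuration, not from a literal.
TRUSTED_APP_SIGNATURES = {hashlib.sha256(b"example-bank-release-cert-v1").hexdigest()}

# Assumed weights on a 0..100+ scale and the decision thresholds.
W_APP_TAMPERED = 50        # app signature not in the allowlist (possible impersonation)
W_ROOTED = 20              # root / jailbreak reported: a signal, not proof of a bad user
W_ROOT_CLOAKED = 30        # root hidden from detection weighs more than root itself
W_SIM_CHANGED = 15
W_ODD_HOUR = 10
W_IMPOSSIBLE_TRAVEL = 25
W_VELOCITY = 20
W_REPUTATION_MAX = 20      # scaled by how poor the stored device reputation is
MAX_PLAUSIBLE_KMH = 900.0  # faster than this between two logins is not a real trip
VELOCITY_WINDOW = timedelta(minutes=10)
VELOCITY_LIMIT = 5         # logins allowed inside the window before it counts
STEP_UP_AT, DENY_AT = 30, 60


@dataclass
class DeviceProfile:
    """What the FI already knows about a registered device."""
    device_id: str
    sim_serial: str
    usual_hours_utc: tuple        # (start, end): start inclusive, end exclusive
    last_seen: datetime
    last_lat: float
    last_lon: float
    reputation: float = 1.0       # 1.0 fully trusted, 0.0 known bad
    recent_logins: list = field(default_factory=list)


@dataclass
class SessionSignals:
    """Signals collected from the device during the current login attempt."""
    device_id: str
    app_signature: str
    rooted: bool
    root_cloaked: bool            # assumed output of an integrity SDK
    sim_serial: str
    at: datetime
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def assess(profile, s):
    """Score one session against its device profile; return score, decision, reasons."""
    score, reasons = 0, []
    if s.app_signature not in TRUSTED_APP_SIGNATURES:
        score += W_APP_TAMPERED; reasons.append("app_signature_mismatch")
    if s.rooted:
        score += W_ROOTED; reasons.append("rooted_or_jailbroken")
    if s.root_cloaked:
        score += W_ROOT_CLOAKED; reasons.append("root_cloaking")
    if s.sim_serial != profile.sim_serial:
        score += W_SIM_CHANGED; reasons.append("sim_changed")
    start, end = profile.usual_hours_utc
    if not (start <= s.at.hour < end):
        score += W_ODD_HOUR; reasons.append("unusual_access_time")
    km = haversine_km(profile.last_lat, profile.last_lon, s.lat, s.lon)
    hours = (s.at - profile.last_seen).total_seconds() / 3600
    if km > 1.0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
        score += W_IMPOSSIBLE_TRAVEL; reasons.append("impossible_travel")
    recent = [t for t in profile.recent_logins if timedelta(0) <= s.at - t <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_LIMIT:
        score += W_VELOCITY; reasons.append("login_velocity")
    if profile.reputation < 1.0:
        score += round((1.0 - profile.reputation) * W_REPUTATION_MAX)
        reasons.append("device_reputation")
    decision = "allow" if score < STEP_UP_AT else "step_up" if score < DENY_AT else "deny"
    return {"score": score, "decision": decision, "reasons": reasons}


def example_trusted_session():
    """Constructed: registered device, genuine app, same SIM and city, daytime login."""
    t = datetime(2016, 6, 1, 9, 0, tzinfo=timezone.utc)
    profile = DeviceProfile("dev-1", "sim-A", (6, 23), t, 40.7128, -74.0060)
    session = SessionSignals("dev-1", next(iter(TRUSTED_APP_SIGNATURES)), False, False,
                             "sim-A", t + timedelta(hours=3), 40.7128, -74.0060)
    return assess(profile, session)


def example_risky_session():
    """Constructed: tampered app, cloaked root, new SIM, night-time login 5,500 km
    from the login two hours earlier, six attempts in ten minutes, poor reputation."""
    seen = datetime(2016, 6, 2, 1, 0, tzinfo=timezone.utc)
    now = seen + timedelta(hours=2)
    profile = DeviceProfile("dev-1", "sim-A", (6, 23), seen, 40.7128, -74.0060,
                            reputation=0.5,
                            recent_logins=[now - timedelta(minutes=m) for m in (9, 7, 5, 3, 1)])
    session = SessionSignals("dev-1", "not-a-trusted-signature", True, True,
                             "sim-B", now, 51.5074, -0.1278)
    return assess(profile, session)


if __name__ == "__main__":
    print(example_trusted_session())
    print(example_risky_session())
```

The point of the layering is visible in the two results: no single indicator decides the outcome, but a rooted device that also hides its root status, runs an app whose signature is not the bank's, and appears to have crossed an ocean in two hours accumulates enough weight that step-up authentication is no longer the right response and the session is refused. Each reason string is kept so the fraud team can see which signals fired rather than only a number.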
The most powerful authentication capability to establish trust with mobile customers is a permanent device ID. Unlike a persistent ID, a permanent ID ensures that once the device is registered, it is always recognized and quickly authenticated when a trusted customer returns for business. Moreover, a permanent device ID survives whether or not it has been wiped or reset to factory settings.
Bottom line: What FIs need to know
The new FFIEC addendum, with its detailed recommendations, makes clear that mobile banking security can no longer exist as an afterthought.
The risks associated with mobile financial services are different from those of traditional PC-based browser access and require the adoption of defenses specific to mobile devices. FI security professionals should treat their mobile strategy as a completely separate initiative from other online banking programs.
With an "always on" public and with faster payments on the horizon, FIs need to ensure that real-time risk assessment capabilities move to the front of the decision process in order to protect the mobile channel from fraudulent activity.
Advanced device intelligence capabilities can provide a path to do this. Organizations should assess whether they have such technology in place to enable compliance with the new, more complex FFIEC requirements.
Innovative organizations that can meet these challenges will ultimately become the leaders in their markets, and will be positioned to fully leverage the lucrative mobile channel to drive new revenue opportunities and realize dramatic cost-savings.
Michael Lynch is Chief Strategy Officer at InAuth, a provider of mobile-first products for authentication and fraud prevention, where he leads new products strategy, and develops key domestic and international partnerships. Prior to joining InAuth, Lynch served as senior vice president responsible for authentication strategy at Bank of America. During his 14-year tenure at the bank he held various leadership roles in technology, customer protection, and online and mobile security strategy.