Mobile Security Requires a Multi-Prong Strategy
We have extensively discussed the rise of mobile payments in our previous blogs. With an increase in usage comes an increase in fraud. Criminals look for any opportunity to exploit a payments system, and mobile is no different. In a new report, the U.S. Public Interest Research Group, a policy and research organization, noted a steady rise in mobile payments fraud. A spike of 970 complaints made in April 2021 is almost double the previous peak in 2020. Let's examine the two key types of mobile fraud and ways to mitigate their risks.
What to Watch Out For
1. SIM Swapping
This is a fast-growing type of fraud where mobile phone carriers are targeted. By way of phishing attacks, dark web acquisition, or even social media content, criminals get their hands on enough customer information to approach a phone carrier. The criminal requests a transfer of a customer's SIM details into a new phone or mobile device via an upgrade or an insurance claim for a lost/stolen device. The new device can then be used to access that customer's accounts, since the criminal is now in possession of the tool needed to bypass the two-factor authentication used for security purposes.
Imagine one day your perfectly good phone suddenly stops working. You try the usual shutdown, reset, and if you're desperate enough, restore the factory settings to hopefully resolve the issue. When the traditional troubleshooting routines do not work, you call your carrier. Your carrier informs you that an upgrade was made to your account and asks how you are enjoying your new phone with all the bells and whistles. The carrier also informs you that you made a wise choice by adding a five-year insurance plan to your account. Of course, when you state that you did not request this upgrade, you are asked to visit your closest phone carrier store to "resolve" the matter.
After explaining your situation to a store representative, the employee deactivates the fraudulently upgraded device and returns your SIM details to your current phone. But between the time the new device was issued and the time you finally rectified the situation at the store, criminals had ample time to access your accounts and use mobile payments to rack up fraudulent charges.
When this chain of events happens to a member of your credit union, the member will have to spend countless hours reviewing their account activity for fraud. The member then has to report the fraudulent activity on accounts at your institution with the hopes of recovering the funds. In any event, mobile fraud can result in substantial losses for both parties. Most consumers are unaware of SIM swapping, so including it in your member security education content is a prudent action.
2. Fraudulent Apps
Another way that fraudsters attempt to use a member's mobile device for fraud is through the creation of fraudulent mobile apps. In this type of fraud, the criminals clone your institution's mobile apps to look exactly like the apps that you currently have in the app store. When your member downloads the malicious app and enters their credentials, the fraudsters have the information they need to access the account and initiate fraudulent payments. Members are aware of fraud attempts to steal their login credentials through phishing emails, but a rogue mobile app, on the other hand, is a lot more difficult to identify. Educating your members on how to identify and download your legitimate mobile apps is another critical education campaign.
Your Multi-Layer Defense System
Connect’s Emerge mobile banking platform has many anti-fraud options available to protect your members’ accounts. The most pervasive mobile security feature is two-factor authentication, where a member receives a code texted to them upon login. Keep in mind that if the fraudster has the account credentials and the mobile phone number in a SIM swapping situation, they receive the code on the hacked device.
To increase the level of mobile security, a device’s identification information can be used to verify the device. In this scenario, the security system keeps track of the device’s identification information, such as the phone's unique device ID and SIM card number. When a mobile login attempt is made from a device that does not match the historical device identifiers, the login is rejected. Of course, there are situations where a member upgrades their device or changes a SIM card due to a malfunction of the current card. In these situations, the member should contact the credit union to legitimize these changes. Including these steps in your education campaign reduces a potentially frustrating situation for your members and staff.
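The device check described above, as an added example (not Connect's or Emerge's code): a login decision that keeps each member's known device ID and SIM card number and rejects an unrecognized pair even when the password and the texted code are both correct, which is the SIM swapping case. The class and function names, the in-memory store, the key and the sample identifiers are all constructed for illustration.

```python
import hashlib
import hmac

# Assumption: a server-side secret so identifiers are stored as keyed hashes, not raw.
STORE_KEY = b"example-only-key"

def fingerprint(device_id: str, sim_number: str) -> str:
    """Keyed hash of the (device ID, SIM card number) pair."""
    msg = f"{device_id}|{sim_number}".encode()
    return hmac.new(STORE_KEY, msg, hashlib.sha256).hexdigest()

class DeviceRegistry:
    """Hypothetical in-memory store of each member's historical device identifiers."""
    def __init__(self):
        self._known = {}  # member_id -> set of fingerprints

    def enroll(self, member_id, device_id, sim_number):
        # Called only after the credit union has verified the change with the member.
        self._known.setdefault(member_id, set()).add(fingerprint(device_id, sim_number))

    def is_known(self, member_id, device_id, sim_number):
        candidate = fingerprint(device_id, sim_number)
        return any(hmac.compare_digest(candidate, k) for k in self._known.get(member_id, ()))

def decide_login(registry, member_id, password_ok, otp_ok, device_id, sim_number):
    """Return (allowed, reason). The device check runs even when both factors pass."""
    if not password_ok:
        return False, "bad_credentials"
    if not otp_ok:
        return False, "bad_otp"
    if not registry.is_known(member_id, device_id, sim_number):
        return False, "unrecognized_device"
    return True, "ok"

def demo():
    reg = DeviceRegistry()
    reg.enroll("member-1001", "DEV-AAAA", "SIM-1111")  # constructed identifiers
    login = lambda dev, sim: decide_login(reg, "member-1001", True, True, dev, sim)
    results = {"usual phone": login("DEV-AAAA", "SIM-1111")}
    # SIM swap: password and texted code are both correct, but device and SIM are new.
    results["after SIM swap"] = login("DEV-ZZZZ", "SIM-9999")
    # Member replaced a faulty SIM and has not yet contacted the credit union.
    results["new SIM, same phone"] = login("DEV-AAAA", "SIM-2222")
    reg.enroll("member-1001", "DEV-AAAA", "SIM-2222")  # staff legitimize the change
    results["after re-enrollment"] = login("DEV-AAAA", "SIM-2222")
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The "new SIM, same phone" case is the legitimate-change situation the paragraph mentions: the login is rejected until staff re-enroll the device.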
Finally, to prevent the download of fraudulent apps, a mobile application takedown service is available. This service constantly monitors app stores for apps that carry your credit union's name but do not have the legitimate mobile app parameters provided by your credit union to the takedown service. When a potentially fraudulent app is detected, the provider contacts you to determine if you want the app taken down.
As with any security prevention system, a multi-layered approach is the best way to protect your members. Two-factor authentication, real-time identification of device parameters, and the takedown of fraudulent mobile apps are fraud solutions available for your Connect Emerge mobile application. When designing your member security awareness campaigns, take care to include mobile fraud prevention tips. For more information about any of the Emerge mobile platform security options, please contact your Connect account manager.