MY TAKE: Account hijackers follow small banks, credit unions over to mobile banking apps

By Byron V. Acohido

As long as cyber attacks continue, financial institutions will remain a prime target, for obvious reasons.

Related: OneSpan’s rebranding launch

Outside of the giants JP Morgan, Bank of America, Citigroup, Wells Fargo and U.S. Bancorp, the remainder of the more than 10,000 U.S. firms consist of community banks and regional credit unions.

These smaller institutions, much like the giants, are hustling to expand mobile banking services. Yet they are much less well equipped to detect and repel cyber attackers, who are relentlessly seeking out and exploiting the fresh attack vectors spinning out of the expansion of mobile banking.

I had the chance at RSA 2019 to discuss this war of attrition with Will LaSala, director of security services and security evangelist at OneSpan, a Chicago-based provider of anti-fraud, e-signature and digital identity solutions to 2,000 banks worldwide. The good news is that OneSpan and other security vendors are innovating to bring machine learning, data analytics and artificial intelligence to the front lines. For a drill down on our conversation, give a listen to the accompanying podcast. Key takeaways:

Shifting risks

We’ve seen a shift in bank fraud, especially for small banks and credit unions, over the past couple of years. In the not-so-distant past, banks dealt with online and account takeover fraud, where hackers stole passwords and used phishing scams to target specific individuals.

Now this fraud has moved into the mobile space because nearly every financial institution has an app, which has changed the fraud landscape. Organizations like OneSpan now analyze bank fraud in the mobile app landscape across areas like social engineering attacks, screen captures, or SIM card changes, LaSala told me.


All these fraud analytic components need to be analyzed, not just in mobile but across all channels, like ATMs and phone banking. “For example,” said LaSala, “we saw in the online banking channel that fraud was essentially ‘I go out and steal users’ credentials. I could set up a fake website, and people would go to the website.’”

In the mobile world, it’s fake applications that ask for credentials. But now not only are you handing your username and password to the fake app, you’re also providing all this information about the phone itself.

“All of these data points are logged and captured and can be used to analyze the risk associated with the transaction,” said LaSala.

Although Google is making an effort to take down apps that abuse permissions, LaSala quickly pointed out that this isn’t just an Android problem.

“Even though the Apple system is a bit more closed, you don’t see it as much, but it does exist.”

The fraud here often comes in the form of screen scraping and rogue keyboards that capture information as the user types it in.

In the past, the solution to fraud cases was one-size-fits-all: everybody got the same fix no matter what the level of fraud risk was; you got an SMS with a one-time password to log in.

That’s finally advanced. With technologies like AI, you can now measure the risk across the entire digital channel and user base. All of the information gathered on this transaction or user can be used to measure the type of risk the user is up against.

By measuring this risk – say an anomaly in the amount of money the user wants to withdraw – the security system can require an additional layer of authentication, like a biometric solution.

Defenses are thus becoming more flexible and adaptive. A solution will recognize that the user is always using the same device and allow a more seamless authentication path. But if the user has a new phone, the system will be alerted to a possible new risk. It’s all about improving the user experience and applying the precise amount of security, at the right time, to each unique customer transaction based on the level of risk: no more, no less.

Covering all channels

Security capabilities are branching out beyond mobile banking into corporate cash management applications and retail channels. This is the new space where these banking channels can be combined. It means that if there is fraudulent activity in one area of an account, say the ATM, the technology can measure the fraud risk across other channels, like mobile.

Artificial intelligence really does a great job of analyzing the potential fraud across channels. A human would never be able to pick out all of these patterns, especially when channels are combined. AI will start to analyze issues like how a user could be on the website using a laptop at the same time they are at the ATM using a mobile phone.
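To make the adaptive, risk-based step-up described above and the cross-channel correlation in this paragraph concrete, here is an added example of a toy risk engine; it is not OneSpan’s or the article’s code. It scores a login or withdrawal on device familiarity, an amount anomaly against the customer’s own history, and concurrent activity on another channel, then picks seamless, SMS one-time password or biometric authentication. The channel names, weights, thresholds and sample events are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev

@dataclass
class Event:                      # one login or transaction attempt on any channel
    channel: str                  # "mobile", "web", "atm" or "phone"
    device_id: str                # phone/laptop identifier, or the ATM terminal id
    amount: float                 # withdrawal amount; 0 for a plain login
    ts: datetime

@dataclass
class Profile:                    # what the bank already knows about one customer
    known_devices: set = field(default_factory=set)
    amounts: list = field(default_factory=list)   # past withdrawal amounts
    recent: list = field(default_factory=list)    # recent events, all channels

def risk_score(ev, prof, window=timedelta(minutes=10)):
    """Add up the risk signals the article describes; weights are illustrative."""
    score = 0
    # Signal 1: the "new phone" case, a device never seen for this user.
    if ev.channel != "atm" and ev.device_id not in prof.known_devices:
        score += 2
    # Signal 2: amount anomaly against the user's own history (mean + 3 sigma).
    if len(prof.amounts) >= 5 and ev.amount > mean(prof.amounts) + 3 * max(pstdev(prof.amounts), 1.0):
        score += 2
    # Signal 3: cross-channel concurrency, e.g. an ATM withdrawal while a mobile or web session is active.
    if any(o.channel != ev.channel and abs(ev.ts - o.ts) <= window for o in prof.recent):
        score += 3
    return score

def required_auth(score):
    """Map risk to a step-up level: seamless, SMS one-time password, or biometric."""
    return "biometric" if score >= 4 else "otp" if score >= 2 else "seamless"

def assess(ev, prof):
    # Score the event, pick the auth level, then remember it for later correlation.
    score = risk_score(ev, prof)
    prof.recent.append(ev)
    return score, required_auth(score)

def demo():
    """Three constructed events for one customer; returns {label: (score, level)}."""
    t0 = datetime(2019, 3, 5, 9, 0)
    prof = Profile(known_devices={"phone-A"}, amounts=[40, 60, 50, 55, 45])
    return {
        "known_phone_usual_amount": assess(Event("mobile", "phone-A", 50, t0), prof),
        "new_phone": assess(Event("mobile", "phone-B", 50, t0 + timedelta(hours=2)), prof),
        "atm_during_mobile_session": assess(Event("atm", "atm-17", 400, t0 + timedelta(hours=2, minutes=3)), prof),
    }
```

A real deployment would feed these signals into a model trained on the bank’s own history rather than fixed weights, but the decision flow (score, then step up only as far as the risk warrants) is the same.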

“The name of the game is balancing user convenience with security,” said LaSala. “The more we can do to make it easier for users, the more banks can attract them to their platforms. And that allows us to do more security awareness.”

It’s good to see security solutions getting baked in like this. This is just the beginning, and consumers still carry a big responsibility to reduce their digital footprint and use mobile banking services judiciously. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)

