Mobile banking adoption rates may be on the rise, but so is mobile banking fraud. A 2016 Guardian Analytics research survey on mobile banking fraud found that of all instances involving mobile banking apps, a whopping 72 percent included remote deposit capture and use of fraudulent checks.
“RDC fraud is the latest example of fraudsters merging the old and the new – in this case, committing classic social engineering and check fraud over modern banking channels and technology,” noted Guardian Analytics President and CEO Laurent Pacalin. “Use of mobile banking and RDC is skyrocketing, which puts banks and their customers at greater risk.”
Mike Carter, VP of digital banking at Strategic Resource Management, suspects credit unions are reflecting on “similar trends” around respective RDC offerings. To this end, he said, FIs have introduced measures to limit the impact of fraud in this area by lowering deposit amounts, as well as introducing new security technologies and methodologies.
“The [RDC] service itself is so popular with consumers that development of further countermeasures is much more likely than any scenario involving limiting or discontinuing the feature,” said Carter. The Memphis-based firm has served approximately 350 credit union clients.
One executive, however, downplayed any talk of fraud trends. Mike Morris, a systems partner with accounting and advisory firm Porter Keadle Moore, said “outside of the occasional fraudulent double depositing of items using mobile deposits,” he hasn’t seen “too many cases” of mobile fraud. The Atlanta-based firm counts more than 150 financial institutions as clients, including 10 credit unions.
“Most FIs have to review and approve members for mobile deposit prior to providing them with access and then set daily dollar limits that are relatively low,” said Carter.
Security app issues
A 2016 IBM Mobile Security & Business Transformation study found that 58 percent of financial institution security experts ranked “security concerns” as a leading reason for mobile app aversion.
Security concerns notwithstanding, Carter said mobile banking fraud “pales in comparison” to other fraud threats financial institutions face.
One area where industry experts say concern should be focused is the increasing number of consumers using mobile banking apps and how that growth might affect fraud attacks moving forward. For example, a 2017 Kaspersky Cybersecurity Index found that between the first six months of 2016 and the same period in 2017, smartphone online banking increased from 22 percent to 35 percent, while the use of smartphone online payment systems increased from 14 percent to 29 percent.
“There is a significant perceived risk related to mobile banking, at least among those who do not use this particular channel,” said Carter.
When asked what common missteps credit union executives make when analyzing their respective mobile banking apps, Morris said a leading issue is “not understanding which security features should be available before selecting a platform.”
Since most credit unions use a third-party vendor for mobile apps, Morris added that credit union executives must insist that their vendor provide “due diligence information” on its products, such as SOC reports, cyber-resilience reports and business continuity planning.
“They should explain what security features are embedded to help protect their members from fraud,” said Morris.
Carter added that whether an app is developed in-house or with a vendor, it is crucial for credit unions to remember that security starts with the CU’s “gateway” or API. Securing access and not exposing unnecessary business logic, he said, must be the top priority.
“Care must be taken when designing apps not to store unnecessary information, such as non-public information/personally identifiable information,” said Carter. “Some application builders get sloppy on how much data they store and how much information they leave lying around – think backup to the cloud, security vulnerability at the mobile OS.”
Morris recommended that a CU’s mobile security platform be analyzed frequently, internally or otherwise.
“This should be done annually or quarterly, depending on the nature of the activity the member can perform on the device,” said Morris. “IT should be involved along with the departments that are involved with the management of the service, such as deposit ops.”
Ensuring that back office technologies are secure and forward-leaning is critical, but so is mobile banking education. Carter, however, said education has to be handled carefully so as not to scare away new users.
“Members expect their CU to keep them secure and deliver optimal convenience in online and mobile banking,” said Carter. “A recent survey from Harris indicated that FIs are not typically achieving the latter in most cases, so adding layers of security that create friction would further frustrate members.”
Morris also said it’s important for credit unions “in today’s environment” to educate members on current fraud and cyber-risks that might be affecting them, “such as malware/ransomware, social engineering of credentials and the risks of losing their mobile devices.” He added that those devices likely do not have passcodes enforced.
“Members should also understand the security options the CUs are providing, such as dual-factor authentication and email/text alerts of account activity,” said Morris.