How to stop scammers from exploiting mobile banking apps

The world of internet banking has come a long way since its inception in the late 1990s. Following the internet trend, the convenience of the world going mobile led to the world’s first fully functional mobile banking app (first for Apple and Blackberry devices, and eventually Android), introduced by the Royal Bank of Scotland (RBS) in 2011. Just over ten years later, and with global smartphone ownership continually growing, every major bank in the world now offers mobile banking apps to their customers. Unsurprisingly, security concerns are always at the forefront of every transaction, with media coverage frequently raising concerns about social engineering scams and how scammers successfully target online banking customers. There are, of course, effective ways to stop scammers and ensure mobile banking apps are as safe as they can be. And it’s all thanks to machine learning models.

We’ve been banging on quite a lot about mobile application fraud of all types over the last few years or so, and with good reason - global fraud rates are on the increase, and with more people than ever before owning smartphones, online payment and transaction fraud are going mobile. Where cybercriminals see low-hanging fruits, they will most certainly try to pick them, which is why mobile device users are increasingly being targeted.

With open banking and the introduction of the European Union's PSD2 directive requiring strong customer authentication (SCA) for all eCommerce payment transactions, there were dragged-out consultations across the EU to allay fears of friction being caused through invasive authentication processes. The answer was to provide frictionless customer experiences without drops in security. The same principles of preventing customer friction apply to banking services. Having to deal with SMS codes and PINs can be frustrating, despite the best intentions of the banks to secure their customers’ transactions. The need to maintain security can be achieved much more efficiently as basic security measures are often easily exploited by scammers - in ways that may appear surprising, though effective!

By far the most effective way for scammers to successfully defraud victims of mobile banking apps is to use social engineering techniques to convince users to do half their work for them. But how? Mobile application fraud can be performed using phishing emails, SMiShing (SMS messages) and vishing (voice calls) that will aim to persuade customers to either provide login details to their accounts, PINs etc. or download malicious malware or fake banking apps (imitations of the actual versions) that can skim all personally identifiable information (PII). Armed with these details, scammers aim to quickly transfer funds to their own accounts and potentially make large payments for high-value goods that can later be resold for profit, or sell stolen details in darknet markets.

Online banking frauds have been occurring more frequently than ever before. The reason? If fraud attempts are successful, they can be very lucrative for a cybercriminal. Transfers of money can be made to other accounts, or potentially converted into cryptocurrencies in order to make funds irretrievable. Fraud attempts are made easier as more online users turn to mobile banking apps, including people that are not fully aware of the dangers of the online environment. This surge in users was aided by COVID-19 pandemic lockdowns, forcing people online if they wished to continue to use banking services.

Scammers now have an opportunity to target victims while being masked by the sheer volume of global transactions that take place on a daily basis. By the time they are discovered, scammers can be long gone with their ill-gained funds. Part of the solution is for customers to employ safe digital hygiene by using strong passwords, encrypted password managers and keeping all software/apps and operating systems up to date to ensure the latest security features are applied to devices. Education about online threats posed by scam emails is also beneficial. User participation in maintaining personal security should always be encouraged, in all walks of online life. But this is just one part of the online security lifebelt.

Banks too must play their part in ensuring the use of the latest fraud solutions to fight fraud. Despite FinTech companies increasing innovation and safety of online banking services, many banks still choose to send SMS as an additional layer of security in the Two-factor authentication (2FA) process. As we have previously highlighted, text messages provide neither integrity nor confidentiality of information, as seen below.

Over the past few years attacks known as SIM swapping have been increasing as have phishing attacks based on social engineering scams, that can bypass 2FA. There is an increasing trend for banks to verify payments and transactions via banking apps that prompt customers for verification by typing in their app PIN or authorisation code. This is an improvement, and still better than SMS-based verification, but if a scammer has breached a user’s account or device and gained access to passwords/PINs etc. this may not be enough in itself to prevent a fraudulent transaction. Users should never be lulled into a false sense of security while using mobile banking apps.

Banking using apps is more secure than online banking done through a desktop browser. The security protocols are often strong, which can give users peace of mind when using them. This is not to say that any security measures are 100% safe - an air of caution should always be maintained. As for mobile banking apps and how financial institutions secure them, it is essential to deploy advanced fraud solutions powered by machine learning models. What are the benefits?

First and foremost, using digital fingerprinting and behavioural biometrics to analyse 5,000+ data points, it is possible to understand every single user behind a transaction. Weed out automated bots from humans, and stop scammers from succeeding in account takeovers (ATO) and detect their efforts to use a whole host of social engineering techniques (Remote Desktop Attacks, SIM swapping etc.). All this is possible while preserving the online experience for genuine customers. Every single tap, swipe and physical movement of a mobile device is automatically analysed in real-time, but most importantly, this is done passively - completely unnoticed by users.

It is therefore possible to ensure maximum security without frustrating customers with 2FA or MFA as all the authentication requirements are met with advanced fraud detection and prevention solutions such as those offered by Nethone. It all seems beautifully simple - it is, but the simplicity offered to financial institutions and customers is powered by some highly advanced tech. It’s already available and ready to help you stop scammers in their tracks.