
bank fraud forum

Fraud Goes Mobile

July 21, 2011 by Tim Brady

It seems like yesterday when I first saw an ATM and had to be taught how to use it. When my bank sent me the piece of plastic called a debit card, I was ever so hesitant to use it. And forget about online banking; my fraud investigations experience would in no way enable me to use my computer to perform my banking transactions. For baby boomers like me, we have seen a dramatic shift in the way we perform our banking, especially with online and mobile banking. It appears that the face of banking is an ever-changing frontier. From a consumer’s viewpoint, all of these changes make things easier. But as a fraud professional, I am very nervous about the implications.

With this evolution in the way we do banking come new threats. Modern trojans and viruses that may infect not only our computers but our mobile devices are alive and thriving. Just as I graduated from my old flip phone to my new high-tech smartphone, I heard about a variant of the ZeuS Trojan that runs on Android phones. According to researchers at Fortinet, Zitmo (which stands for “ZeuS In The Mobile”) is a new form of mobile malware. According to Brian Krebs of Krebs on Security, the “Zitmo variant, disguised as a security application, is designed to intercept the one-time passcodes that banks send to mobile users as an added security feature. It masquerades as a component of Rapport, a banking activation application from Trusteer. Once installed, the malware lies in wait for incoming text messages, and forwards them to a remote Web server.”

You too may have read recently that Microsoft released fixes to address unusual Bluetooth vulnerabilities that could let ‘nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network’. So does that mean it is possible that some trojan or worm could spread from one Bluetooth-enabled PC to another? So now we have to be on the lookout for tainted ads and drive-by downloads? Do they have an app for that?

As banks continue to develop and deploy new delivery channels, especially in the smartphone application space (i.e. apps that provide P2P payments, RDC and bill pay), we will continue to see the apps getting smarter and more enabled. Just as the apps get smarter, so will the needs and expertise levels of the financial fraud analysts and investigators. Fraud analysts and investigators need to embrace this evolving fraud threat across all products and platforms. They need to incorporate preventative layered security approaches (as recommended by the FFIEC), work fraud cross-channel and perform root cause analysis. In addition, fraud experts should always be included on the team that develops not only the mobile banking products, but all emerging products offered by the bank. Keep in mind, a mobile device is just one more channel through which a customer can become a victim of identity theft and/or account takeover. Prevention and mitigation need to be first and foremost in their minds, and they must never get complacent.

Analysts and investigators need to be trained and up to date in their mobile fraud mitigation efforts. Taking educational classes and/or attending industry training seminars are great ways to stay abreast of the changes in the mobile space. A prime example is the upcoming training seminar sponsored by the IAFCI, to be held in Charlotte, NC, where some of the sessions will have experts speaking about the mobile banking space.

Questions to ask yourselves:

• How has your organization addressed risk in the mobile space?

• Are you prepared to mitigate and investigate fraud in the mobile space?

• Do the fraudsters have your number?

 

Posted in: Account Takeover, Identity Theft, Credit Card Fraud, Debit Card Fraud, Deposit Account Fraud, New Account Fraud
Tags: mobile banking, fraud prevention
