Customer adoption of mobile financial services (MFS) is increasing rapidly. In many cases, these are now among the most popular services available on a mobile device. It is therefore only to be expected that these services, together with the mobile platforms that deliver them, will attract ever greater attention from criminals. The growth in adoption, combined with the potential for financial gain, is proving an attractive draw for fraudsters everywhere.
Financial institutions wishing to offer MFS face an increasingly complex mobile ecosystem. They need to develop applications for multiple operating systems (and multiple versions of each) and for many flavours of mobile device. In addition, they need to acquire specialist knowledge of the wide variety of security threats if they are to implement proper risk mitigation measures, all the while maintaining a delicate balance between user convenience and security.
Threats to the mobile device cannot be considered in isolation. A modern smartphone is only the "user-facing component" of a much wider ecosystem of app stores, services and content providers. This interconnectivity exposes both the mobile device and its applications to increased risk.
The architecture of the mobile device operating system gives rise to specific security threats. In particular, Android stands out from the others (Apple iOS, Windows Phone) in that it depends on a Java "virtual machine" to run applications coded in Java. This is a consequence of the open nature of Android, which requires applications to run on a wide range of different hardware.
This report, the first of two parts, uses a standardised risk management approach to provide financial institutions with an overview of risk management in MFS as it relates to the mobile device environment. To assist with risk evaluation, it describes the identified threats and classifies them into twelve categories. An analysis of the risk level is then provided for each category, based on the likelihood of its occurrence together with its anticipated impact.
The report contends that one of the highest risks still resides with the end user, the customer. Techniques that target the person rather than the device, such as social engineering and phishing, are often used by criminals to obtain (sensitive) information that enables subsequent attacks to be launched, leading to fraud. Impersonation of the customer, whether during registration for or installation of a mobile financial service or during the mobile financial service transaction itself, is also highlighted and examined.
Mobey Forum is now developing a second accompanying report, providing guidance to financial institutions on mitigation measures and best practices to reduce the risks identified.