PINs and passwords are failing to protect customers from sophisticated mobile fraud, a consumer study has demonstrated.
The recent study into online banking fraud by the fraud detection service provider Aspect found that 88% of customers who had been victims of fraud on their bank or credit card account in the past year recalled needing to use a password, PIN, or some combination of characters and symbols in order to log in.
A total of 500 UK consumers who had all experienced one incident of banking fraud in the past 12 months were surveyed. 38% of victims mainly used mobile apps to access their bank accounts, while 36% mainly used web portals or tablet apps.
Passwords continue to be the most popular method of securing the first layer of authentication for online and mobile banking. But they are a moot point, said Keiron Dalton, Global Program Senior Director, Aspect Verify.
“Any kind of password is practically a comfort blanket,” he commented. “We’re so used to them, but in between social engineering and sophisticated fraudsters, they’re near enough useless at protecting our money.”
As mobile banking has taken off, Aspect has seen a rise in sophisticated mobile fraud designed to target personal bank accounts, such as SIM Swap.
Since some banks use one-off SMS codes to verify a customer’s identity, criminals have taken advantage of a weak spot: they impersonate the victim and convince the mobile network operator’s contact centre to ‘swap’ the victim’s SIM with a new one. After this happens, the fraudster receives these one-time codes via SMS and, combining them with information they already have, such as PINs, passwords and personal details, can clean out someone’s account online in minutes.
“You could theoretically add more layers of security – say, to a mobile banking app – but all you’re doing is placing restrictions on users, forcing them to jump through hoops just to do something that a mobile app should let them do quickly and easily. They’ll get frustrated pretty quickly and you’re more likely to lose them as a customer down the line,” Dalton said.
Aspect predicts that developments between mobile network operators, banks and technology providers mean they are well on their way to finding a frictionless way of stopping social engineering fraud at the start of a compromise. Before that point is reached, however, “the industry needs to come together and harvest information in order to build battlefront”, the company argues.
The promising technology “leverages publicly available data to help banks to step up authentication by determining variables such as geo-location of the user, call divert and SIM Swap detection, reducing customer friction and providing both enhanced security and extra flexibility for the modern digital citizen.”
Aspect’s 2017 survey found that only 15% of consumers disapproved of publicly available data being used in this way.
Dalton added: “Currently, an automated voice call is all that’s needed to authenticate a transaction for us to know whether it’s genuine or not.”
Aspect claims to have saved a UK bank £10 million with this service via its Aspect Verify platform.
“Eventually, the verification will be imperceptible and won’t interrupt a genuine user experience. A fraudster could be making an ‘omni-channel’ attack where they have already taken over someone’s mobile device, and is being talked through a process to transfer money on a separate channel while the automated call is taking place. It has been very successful in practice,” Dalton said.