All money will soon be digital

Mobile Wallets: A benefit to consumers or another weak link for security and compliance in an already vulnerable ecosystem?

The rapid advancement of technologies such as analytics, blockchain, cloud, mobile and social media has created major opportunities for financial service providers to drive a better customer experience, but it is also spawning headaches when it comes to security and compliance. At the centre of this customer-centric innovation is the mobile wallet, which is a terrific way for consumers to shop without cards or cash and to manage their banking and financial planning tasks effectively while on the go. Per Statista “Chart of the Day” based on Ericsson’s most recent Mobility Report, the number of mobile subscriptions. Sales of mobile devices outnumber the world’s population and will continue to rise, as underpinned by Statista “Chart of the Day”; this will have a positive impact on investments and infrastructure for mobile wallets moving forward.

Weighing in on the advantages and disadvantages

"A stick has two ends" is a Russian idiom meaning that when you fight with a stick, be careful not to strike yourself when attempting to strike your opponent. At one end of the stick, mobile services offer many benefits to both financial service providers and consumers, such as:

  • Streamlining of processes is cost-effective and efficient
  • Pairing of operational and administrative tasks can lower costs
  • Meeting the fast-paced demands of consumers anywhere and anytime
  • Reaching underserved or underbanked segments with new services
  • Consumers can save precious time dealing with transfers, payments, purchases and other banking-related tasks while in transit

At the other end of the stick is the bad, the mean and the ugly:  

  • Infrastructure complexity increases: as the ecosystem of users continues to expand, so do the vulnerabilities
  • Risky user behaviour, especially with a mobile device. For example, 70% of smartphone users have never installed an anti-virus program on their mobile device
  • Mobile devices are connected to a network 24/7
  • Wi-Fi networks and Bluetooth technologies make it easier for attackers to carry out a financial crime campaign
  • Rogue mobile applications, repackaging of apps and ransomware are on the rise
  • Advanced malware and viruses for online as well as mobile devices continue to increase

In Q2 2016, Kaspersky Lab detected 3,626,468 malicious installation packages – 1.7 times more than in the previous quarter.

Number of detected malicious installation packages (Q3 2015 - Q2 2016) 

An ecosystem of complexity

This ecosystem of complexity is beyond what any single financial service provider can feasibly control; everyone in the ecosystem is at risk and dependent on the others to help minimise those risks. Per a 2014 report from Alcatel-Lucent's Motive Security Labs, 16 million mobile devices worldwide have already been infected with malware. Criminals treasure complexity: it offers the perfect camouflage. In the case of the Carbanak malware, the malware was installed and sat on the bank’s computer systems for months, sending back vital information about how the bank carried out business-critical tasks. That left 100 banks compromised to the sum of $900 million USD.

Mobile channels add a further layer of complexity to an already complex ecosystem. Currently, the data on mobile fraud is not robust enough, compared with other channels, to build reliable mobile fraud models without jeopardising the customer experience. For example, we have all either received a call from our credit card issuer when we attempted to use our credit card in a city we had never visited before or, worse, had the transaction refused. The credit card issuer’s fraud systems raise a red flag when a transaction is considered outside of the normal pattern, and this normal pattern is based on a robust set of collected profile data.

“Mobile transactions being newer don’t offer enough good data to build reliable fraud detection models without jeopardising the customer experience”

The complexity of the merchant system landscape offers a perfect hiding place for malicious activity. Mobile commerce merchants tend to sell through multiple channels, each with its own nuances for monitoring potential fraud and for fraud mitigation. Mobile commerce is also a prime target for international fraud. Though international transactions make up a similar proportion of transactions for mobile commerce as for eCommerce, mobile transactions have a 20 percent higher occurrence of fraud.

The geography of mobile threats as presented by Kaspersky

The geography of attempted mobile malware infections in Q2 2016 (percentage of all users attacked)

The financial crime campaign

There are recognisable patterns and steps that attackers use before and during their malicious financial crime campaigns:

  • Step 1, Planning: Gathering information from corporate websites and social media pages to study and understand product offerings, workflows and customers, and eventually steal the brand.
  • Step 2, Striking: The gathered information can now be used to develop malicious crime kits that include infected mobile apps, fake web pages, fake text messages, etc. These kits can be used directly by their creators or sold on the dark web or at rogue mobile app stores for others to use.
  • Step 3, Checking-out: This is where attackers attempt to get the money out of their victims’ accounts.

Step 3 is the stage where most financial institutions will concentrate most of their efforts, trying to monitor transactions in real time. However, financial institutions are at a real disadvantage when it comes to monitoring financial crime. Criminals will be using cutting-edge technology against financial institutions, many of which still rely on legacy systems to process transactions. It’s common for a fraud to start in one account and end at another account. Again, financial institutions, with their complex organisational structures operating in silos, find a financial crime that moves from one part of the organisation to another that much more difficult to detect. A majority of the software systems on the market for combating financial crime were built on outdated BI technology and designed for doing business performance look-backs. They were never meant to work in real time, much less monitor and detect fraud in real time.

Therefore, financial institutions should also invest resources to proactively monitor step 1 by screening the internet, underground markets and the dark web for possible infringement of their logos and any financial crime kits with their branding, because the longer consumers are exposed to a threat, the more victims you will have.

It will become more difficult to prevent financial crime as the digital payment ecosystem continues to grow in numbers and complexity, and we all know attackers will always direct their crime campaigns towards the weakest link of this chain.

About the Author

Paul Hamilton is a business development specialist for financial technology. After playing professional basketball in Europe, his focus turned to financial services and ultimately to financial technology, where he gained 15 years of experience working for global players, an SME and a start-up. His enthusiasm and excitement for marketing and developing new market opportunities have always been his passion, going as far back as his first job as a broker selling investment products. Since then, he has worn many hats, and as a consultative salesperson he has worked with financial service providers across EMEA and Asia to help them achieve their business goals. Paul is also group moderator and founder for the financial crime blog site AML Knowledge Centre. To read his and member blogs go to . Paul enjoys connecting with people, so if you want to talk about business, financial technology, or sports and fitness, he’s your person :-).