Mobile Fraud: More needs to be done
Mobile financial service applications are spreading rapidly and are generally secure. However, I don’t see evidence of institutions monitoring and protecting the mobile channel as diligently as other channels.
Hackers will certainly start targeting mobile banking and mobile stock trading applications as adoption increases. Furthermore, there are more opportunities for exploits because of mobile platform fragmentation.
When a major attack happens, it will be well publicized and it will likely slow adoption while the public reconsiders their safety. I will be purposefully vague here to avoid providing any roadmaps or ideas to bad guys.
For example, many organizations use fraud detection software on web applications to look for suspicious activity and limit both losses and risk. Often fraud detection software also preserves evidence in the event the fraud is real. For web sites, this type of software is almost as commonly deployed as firewalls and routers.
Organizations have been suspiciously silent on the protections they’re deploying, which is unlike historical ecommerce behavior. Are companies actively monitoring the traffic from mobile-enabled accounts to ensure new types of fraudulent activity aren’t occurring?
TD Ameritrade provides a third-party stock trading application (Mobitrade) that optionally lets you save your username and password in the application, so the account can be opened without re-entering them. (E*Trade, pictured here, requires a password to see account data.) While this option is convenient, the risks are bound to outweigh the reward.
In the case of TD Ameritrade, users can’t execute trades using the Mobitrade application. However, account balances, positions, and stocks owned and watched are all sensitive information that thieves can use to commit crimes through other channels.
Providing separate applications on separate platforms also increases the effort required to keep security holes plugged. Many institutions are considering supporting mobile applications on iPhone, Android, Blackberry and potentially other mobile operating systems in addition to their mobile web and SMS-based systems. Each production release of each product version runs the risk of containing a vulnerability. It’s all just software.
Organizations must keep the details of their security infrastructure secret to prevent circumvention of those protections. However, organizations still need to perform detailed risk assessments of the mobile channel and deploy protections that are at least as strong as those on the online and ATM channels. Security vendors usually make sure the world knows which companies are using their technology.
The silence on mobile security is deafening.
(Disclosure: I have accounts with both TD Ameritrade and E*Trade. I own TD Ameritrade stock (NYSE: AMTD) and have done work for them in the past. This article DOES NOT imply that E*Trade, TD Ameritrade, or any other company is lacking any particular security measure, or that I have knowledge of their specific security measures.)