4 mobile threats credit unions must neutralize

Credit unions are required to perform initial and ongoing risk assessments on products and services to ensure every possible threat is recognized and controlled. With new mobile products from a host of developers coming on the scene nearly daily, credit union leaders evaluating these emerging products must understand both the inherent and emerging risks they pose.

As credit unions onboard new mobile products and services, they should pay particular attention to four areas in order to offer the safest and most valuable tools to their members.

Mobile Threat #1: False Identity

This occurs when a person masquerades as someone else at the time of enrollment for the mobile product. The perpetrator is then able to obtain the unsuspecting member’s deposit account balance information. While the threat of knowing someone else’s account balance or transaction alerts may not pose a huge risk to your institution, as technology evolves and more features are added to these products (such as person-to-person payments), the threat will also evolve. Therefore, it is best to build in the proper controls initially to prevent future threats down the line.

The enrollment process should involve multiple-factor controls (e.g. something the person knows, like a password, and something the person has, like a debit card). For example, the SHAZAM BOLT$ mobile product controls the threat through either debit card enrollment or PIN enrollment. In addition, the mobile product should have a methodology to control excessive enrollments. For example, the product could obtain and remember the devices registered through the Unique Device Identifier (UDID).
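The two controls above can be sketched together in a few lines. This is an added example, not code from SHAZAM or any mobile product: the class and method names, the per-device limit of two and the `card_secret` value (standing in for proof that the enrollee holds the debit card) are all assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def _hash(secret: str, salt: bytes) -> bytes:
    # Slow salted hash so stored factors are not kept in the clear.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class EnrollmentGate:
    """Hypothetical enrollment check: two factors plus a per-device cap."""

    def __init__(self, max_per_device: int = 2):  # assumed policy value
        self.max_per_device = max_per_device
        self.members = {}                    # member_id -> (salt, pw_hash, card_hash)
        self.by_device = defaultdict(set)    # device_id -> enrolled member ids
        # Unknown member ids are checked against this record, so they cost
        # the same work and get the same answer as a wrong factor.
        self._dummy = (os.urandom(16), os.urandom(32), os.urandom(32))

    def add_member(self, member_id: str, password: str, card_secret: str) -> None:
        salt = os.urandom(16)
        self.members[member_id] = (salt, _hash(password, salt), _hash(card_secret, salt))

    def enroll(self, member_id: str, password: str, card_secret: str, device_id: str) -> str:
        salt, pw_hash, card_hash = self.members.get(member_id, self._dummy)
        # Evaluate both factors before deciding: something known, something held.
        knows = hmac.compare_digest(_hash(password, salt), pw_hash)
        has = hmac.compare_digest(_hash(card_secret, salt), card_hash)
        if not (knows and has):
            return "denied: factors"
        enrolled = self.by_device[device_id]
        # Excessive-enrollment control: cap distinct accounts per device.
        if member_id not in enrolled and len(enrolled) >= self.max_per_device:
            return "denied: device limit"
        enrolled.add(member_id)
        return "enrolled"
```

A denial for the device limit is worth logging and reviewing, since one handset enrolling many accounts is the pattern this control exists to surface.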

Mobile Threat #2: Data on the Move

Unsecured transmissions to and from mobile banking and payments applications can allow perpetrators to see the data being transported. These criminals use scanning technology to steal sensitive information, which ultimately allows them to steal identities and conduct a series of financial assaults on a victim. Although typically isolated, the threat can cause long-term trouble for your member. It may also be a signal to law enforcement that scanning technology is being used in your area.

Encryption is your credit union’s best bet against vulnerability to scanners. Check with the developer of your mobile solution to be sure the app utilizes Secure Sockets Layer (SSL) encryption. This technology ensures the sign-in process and the transfer of member information are encrypted at all times and are therefore of no use to a scanner-toting thief.

Mobile Threat #3: Hackers

When an external hacker penetrates the internal local area networks (LANs) that contain a mobile application’s technology, the perpetrator has access to sensitive member information. As you may imagine, this can lead to identity theft or other devious exploits causing your members stress and financial losses, and your own financial or reputational damage.

Much of the prevention of LAN attacks will come during your credit union’s due diligence period. As you evaluate and compare the mobile-solution providers you trust, ask a lot of questions. For example:

Does the provider have several security layers in place? These may include perimeter firewalls or 24×7 intrusion detection.

Do they perform ongoing and independent testing of those security layers? Don’t be afraid to ask for the details of the provider’s security controls.

When was the last time an independent consultant performed a vulnerability and penetration test of the mobile app’s system? Did the consultant find material issues?

Mobile Threat #4: Dummy Apps

Today’s mobile app users are intelligent and savvy. Yet, they are also early adopters. This means they may be vulnerable to fraudsters preying on tech newbies. With unfortunate regularity, smartphone owners download bogus applications from popular app stores. Falling for the download is easy to do, as most of these bogus apps are look-alike imposters designed specifically to steal sensitive data and information from the smartphone user.

Once users enter their information (e.g. user IDs, passwords, etc.) into the fake application, fraudsters use that information to access other resources tied to the members. Often the ultimate goal is to steal the user’s information.

Your first step when evaluating any mobile banking or payments app for rollout at your credit union is to be sure the app has been certified by the app store provider(s). After launch, instruct your customers to download the app only from the location to which you direct them (rather than searching for it in an app store).

It’s also a best practice to provide educational information to customers pertaining to phishing and social engineering scams, as they continue to improve and become more effective at their nefarious deeds.

Any time a new banking technology is introduced, new challenges are typically not far behind. According to the Federal Reserve’s Consumers and Mobile Financial Services study, security worries are the No. 1 reason consumers don’t adopt mobile payments. To put your members truly at ease, you have to be at ease yourself. Performing sound risk assessments on your mobile solutions will help your leaders feel comfortable so they can encourage the same among your members.

Kevin Christensen

Kevin Christensen is Vice President of Audit for the SHAZAM Network. In this role, Kevin oversees SHAZAM’s audit and compliance programs, as well as its risk management program. Kevin ... Web: www.shazam.net