The difficulty in recognizing anomalous behavior is because all mobiles look alike. “Not just physically,” explains Etay Maor, fraud prevention solutions manager at Trusteer, “but also their device fingerprint. When a user browses to a website from his native mobile browser (let’s take an iPhone and a Safari browser as our example), the device characteristics are identical to almost all other iPhones: same hardware, same browser, same fonts.” It is, he says, “a criminal’s dream come true.”
This is because anomalous device behavior is a key part of the banks’ fraud detection. When account access details are used from a different computer an alarm is triggered by the detection software. This is relatively easy to detect via a PC. However, since all mobiles look alike, it is more difficult for the software to differentiate between different mobiles – between that owned by the account holder and one owned by a fraudster. “The criminal’s login attempt will not trigger any risk indicators and a fraudulent transaction is just a matter of time. This is exactly where security silos fail,” says Maor.
The silo approach to security is the second problem: security on PCs is not joined up with security on mobiles. Account credentials are being stolen by malware on PCs. But while “an AV/anti-malware/anti-fraud solution may be aware that credentials are stolen,” says Maor, “it does not report crucial information to the criminal’s next stop – the login authentication system.”
In this increasingly popular scenario, the users’ bank credentials are first stolen from the PC and then sent to the hacker. The actual ATO fraud is then performed via a mobile device. “The bank cannot uniquely identify the device because the criminal’s iPhone looks exactly like the victim’s iPhone (or like any other iPhone for that matter),” he explains.
The solution, suggests Maor, is a fraud detection system that combines and correlates fraud indicators across desktop and mobile channels, and over time. “If this type of risk engine had visibility to the fact that the victim’s PC was infected with malware (with a client or client-less detection solution) and that shortly after the credentials associated with that account were used from a mobile device – fraud would have been stopped.”