Device Takeover.... The Rise of the Machines
For many years, financial institutions have been cognisant of the threat associated with account takeover: essentially the practice of a fraudster assuming the identity of a consumer, or at least compromising sufficient credentials to facilitate access to his or her financial records, and then performing changes to and plundering funds from the consumer’s account. In a world where remote servicing is increasingly de rigeur, the credentials that a fraudster typically tries to capture and recycle to perform account takeover are now frequently those associated with the device from which the account is being accessed.
To inform risk-based decisions, banks are adopting ever more sophisticated means of determining whether the device location and characteristics are reflective of what they would expect from the consumer. For example, is the IP address showing as coming from Eastern Europe whilst the consumer is supposedly in the UK? Or is the language setting on the device set to something different than the native tongue of the customer?
These, and many other similar questions, are regularly posed as part of the identification and verification protocols when a customer is accessing on-line banking and initiating remote payments. A “good” device (one that is believed to relate to the consumer) is often used as a means of capturing, communicating or validating one-time passwords or out-of-band authentication.
But what if the device itself is compromised? It’s not as unlikely as you might think. See a blog post from an industry colleague of mine, who presented some months ago at the UK Card Fraud Conference on the very fraud threats now raised by the European Network and Information Security Agency. Interestingly, at this conference attended by eminent anti-fraud industry professionals, the consensus was that stronger security was vital. For example, most consumers made no effort to house anti-malware on their smart phone, and would not think twice about downloading a (real or malicious) application (including “banking” ones) and actively entering and divulging credentials.
Technology and consumer convenience are, at times, driving beyond the anti-fraud headlights. This should be a real concern to us all.