Free WiFi is now a given in many public spaces such as coffee shops, airports and hotel lobbies. Most people don’t think twice about quickly accessing an open network, even to check a bank balance or pay a bill. But appearances can be deceiving, and not all networks are legitimate. It is now common for skilled fraudsters, or even casual hackers, to set up dummy networks that ensnare unsuspecting patrons and capture sensitive information, such as banking passwords. Criminals sitting next to you, or in the parking lot hundreds of feet away, can intercept data, and there is no way to pick them out of a crowd.
In a perfect world, everyone would understand that sending user names, passwords and sensitive financial data via an unencrypted public network is a bad idea. The reality is that bank customers do not always take precautions. Wireless routers, laptops, tablets and smartphones are basically radio transmitters, so anyone in range of an unsecured WiFi device can retrieve unprotected information. Banks have become very sophisticated in providing encryption layers and authentication measures to secure customer access points to their websites. However, none of this will eliminate vulnerability if a customer is accessing her or his account via an unsecured public network.
Banks are extremely motivated to maintain an active dialogue with their customers. In the past, their opportunity to leverage their brand and build relationships was through monthly statements and customer visits to branch locations. Through internet and mobile banking, financial institutions are able to maintain an ongoing, interactive and, in many cases, daily dialogue with their customers. Mobile banking apps and always-on internet-enabled devices are creating an opportunity for banks to move their relationships to the forefront of customer mindshare. Even if there were an easy technical solution to enforcing WiFi security, banks are not highly motivated to impose limits on customer access to their accounts through mobile devices.
Customers are motivated to leverage mobile banking for its convenience. Banks are motivated to promote mobile banking for the opportunity to extend their brand equity. The solution from a fraud perspective is diligence on the part of both parties. Customers need to be wary of their use of mobile networks (and many banks are working to educate customers on appropriate online and WiFi security precautions).
The solution for security on the bank’s end is proactive session and transaction monitoring. This entails having a meaningful detection and identification/authentication system in place.
For example, FICO works with banks to help them profile and leverage both online usage and customer logon characteristics. When something seems out of the ordinary (e.g., geographic location), the bank can reach out to the customer to check for fraudulent activity. Monitoring typically also takes into account customer behavior and watches for suspicious transactions, such as uncharacteristically large withdrawals, funds transfers or even uncommon account viewing.
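As a minimal sketch of the kind of session and transaction monitoring described above, the following added example (not FICO's or any bank's actual method) builds a per-customer baseline and lists the reasons an event departs from it. The field names, the device identifier as a logon characteristic, the 300 km radius and the z-score test for "uncharacteristically large" are all assumptions, and the sample data is constructed.

```python
import math
from statistics import mean, stdev

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def build_profile(history):
    """Summarise a customer's past sessions into a baseline (history must be non-empty)."""
    return {
        "places": {e["geo"] for e in history},
        "devices": {e["device"] for e in history},
        "amounts": [e["amount"] for e in history if e["amount"] > 0],
    }

def review_reasons(profile, event, max_km=300.0, z_limit=3.0):
    """Return the reasons (possibly none) this event departs from the baseline."""
    reasons = []
    # Logon characteristic 1: distance to the nearest place the customer has used before
    if min(haversine_km(event["geo"], p) for p in profile["places"]) > max_km:
        reasons.append("unusual_location")
    # Logon characteristic 2: a device never seen on this account
    if event["device"] not in profile["devices"]:
        reasons.append("unknown_device")
    amounts = profile["amounts"]
    if event["amount"] > 0 and len(amounts) >= 2:
        mu, sigma = mean(amounts), stdev(amounts)
        # Floor sigma so identical past amounts cannot cause a division by zero
        if (event["amount"] - mu) / max(sigma, 1.0) > z_limit:
            reasons.append("large_withdrawal")
    return reasons

# Constructed sample data for one hypothetical customer (amount 0.0 = view-only session)
HISTORY = [
    {"geo": (44.98, -93.27), "device": "phone-A", "amount": 60.0},
    {"geo": (44.95, -93.09), "device": "phone-A", "amount": 80.0},
    {"geo": (44.98, -93.27), "device": "laptop-B", "amount": 0.0},
    {"geo": (44.98, -93.27), "device": "phone-A", "amount": 100.0},
]
PROFILE = build_profile(HISTORY)
ROUTINE = {"geo": (44.97, -93.25), "device": "phone-A", "amount": 90.0}
SUSPECT = {"geo": (25.76, -80.19), "device": "tablet-X", "amount": 2500.0}

if __name__ == "__main__":
    for name, ev in (("routine", ROUTINE), ("suspect", SUSPECT)):
        print(name, review_reasons(PROFILE, ev))
```

A non-empty result is a prompt for the bank to reach out to the customer, not proof of fraud; a legitimate trip with a new tablet would raise the same two logon reasons.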
Banks also need to pinpoint any instances of compromise at lightning speed in order to minimize losses. Time is of the essence because the faster a bank can intercede and stop the fraudulent activity, the sooner a criminal will stop targeting that financial institution. In certain cases, some damage may already be done, but additional damage is prevented.
Fraudsters are not going away anytime soon. The only choice for banks is to stay one step ahead of them: anticipate compromises, eliminate vulnerabilities, and in some cases, detect instances of fraud even before the customer does.