Despite the recent FFIEC guidance which calls out mobile malware as a material risk, I’ve been hearing from some folks that it isn’t a major concern.  In fact, mobile banking Trojans have been compared to Bigfoot – all hype and no substance.  Yet looking at how consumer banking behaviors have changed and the effect this change in banking behavior has had on the evolution of crime, there should be little doubt that FIs must bolster their abilities to mitigate this very real threat.

In 2001 online banking was in its infancy – used by only 21% of US households.  Branches were king for the consumer and from a criminal’s perspective they were “where the money is”, which is why one bank was robbed every 52 minutes that year.  Only 6 years later, 53% of US households were banking online, and as consumers changed their focus so did criminals.  In 2007 the Zeus banking Trojan made its way onto the scene – bank robbery went virtual and there was no looking back.

Fast forward to 2016 and more than half of US consumers are now using mobile banking.  Criminals didn't stand still over the last seven years – they saw which way the wind was blowing and evolved their tools to compromise mobile banking.  Hackers cut their teeth adapting variants of traditional online banking Trojans, such as Zeus and Citadel, to target mobile devices (compromising one-time-passwords sent via SMS).  Today there is more specialized malware, such as Acecard and Slembunk that are designed specifically to glean mobile banking credentials. And while FIs must actively manage for this risk, they shouldn’t expect much help from consumers – less than one in every three uses anti-malware on their mobile device (which is down from the previous year).

The stories we hear about mobile banking Trojans instill just the right amount of fear, but many bankers aren’t convinced that they’re anything more than make-believe or some evolutionary footnote.  In fact, they are the natural evolution of stagecoach stickups and bank heists, where firearms and disguises have been replaced with one’s and zero’s. 

Last year there was one bank robbery every 131 minutes.  Branches have rarely been safer.  Mobile banking on the other hand. . .


About Al Pascual

An accomplished industry analyst, market researcher, and financial industry practitioner, Al Pascual is Javelin’s Senior VP of Research and Head of Fraud & Security. As SVP of Research, he oversees the firm’s operations and ensures that Javelin’s research content provides the innovative perspectives that clients expect from the firm.

As Head of Fraud & Security, Al provides clients actionable insights on a variety of fraud and security issues, acts as a partner in developing strategies for managing risk, and identifies and raises awareness of future threats and solutions. Al researches a range of topics, including the applicability of biometrics in banking and payments, the effect of data breaches on the integrity of consumer identities, the relationship between identity fraud and loyalty, and the best methods for securing data and transactions.

Al has presented findings from Javelin’s rigorous, industry-leading research at conferences around the world, including BAI, CARTES, Money20/20, NACHA, and RSA. Al has provided commentary on fraud and security issues to media outlets such as American Banker, Bloomberg, CNNMoney, Fox Business, Reuters, The New York Times, The Wall Street Journal, The Washington Post, and Wired.

Previously Al held risk management roles at HSBC, Goldman Sachs, and FIS. He is a member of the Association of Certified Fraud Examiners, the International Association of Financial Crimes Investigators, and the Federal Reserve Secure Payments Task Force. He earned a Bachelor of Arts degree in History from the University of South Florida.

Stay in Touch!