Despite the recent FFIEC guidance which calls out mobile malware as a material risk, I’ve been hearing from some folks that it isn’t a major concern. In fact, mobile banking Trojans have been compared to Bigfoot – all hype and no substance. Yet looking at how consumer banking behaviors have changed and the effect this change in banking behavior has had on the evolution of crime, there should be little doubt that FIs must bolster their abilities to mitigate this very real threat.
In 2001 online banking was in its infancy – used by only 21% of US households. Branches were king for the consumer and from a criminal’s perspective they were “where the money is”, which is why one bank was robbed every 52 minutes that year. Only 6 years later, 53% of US households were banking online, and as consumers changed their focus so did criminals. In 2007 the Zeus banking Trojan made its way onto the scene – bank robbery went virtual and there was no looking back.
Fast forward to 2016 and more than half of US consumers are now using mobile banking. Criminals didn't stand still over the last seven years – they saw which way the wind was blowing and evolved their tools to compromise mobile banking. Hackers cut their teeth adapting variants of traditional online banking Trojans, such as Zeus and Citadel, to target mobile devices (compromising one-time passwords sent via SMS). Today there is more specialized malware, such as Acecard and Slembunk, that is designed specifically to glean mobile banking credentials. And while FIs must actively manage this risk, they shouldn’t expect much help from consumers – fewer than one in every three uses anti-malware on their mobile device (which is down from the previous year).
The stories we hear about mobile banking Trojans instill just the right amount of fear, but many bankers aren’t convinced that they’re anything more than make-believe or some evolutionary footnote. In fact, they are the natural evolution of stagecoach stickups and bank heists, where firearms and disguises have been replaced with ones and zeros.
Last year there was one bank robbery every 131 minutes. Branches have rarely been safer. Mobile banking, on the other hand...