Trusteer has announced the Mobile Risk Engine to protect financial institutions against mobile and PC-to-mobile (cross-channel) attacks. Trusteer Mobile Risk Engine detects and stops account takeover from mobile devices by conclusively identifying criminal access attempts. It also identifies devices that are vulnerable to compromise by malware and those that have been infected. Mobile malware is commonly used to bypass strong authentication methods such as SMS One-Time Passwords (SMS OTP).
According to a recent report by Javelin Research, mobile banking is now used by 33% of mobile consumers, up from 24% in 2011. Of the top 25 US financial institutions, about half are offering mobile person-to-person transfers and mobile remote deposit capabilities, a figure that has more than doubled since 2011. This steady increase in adoption is putting the mobile channel in the crosshairs of account takeover attacks that are launched using credentials stolen from customers via phishing and malware attacks. The FFIEC guidance for electronic banking requires layered security, continuous risk assessment and complex device fingerprinting to reduce the risk of fraud, and clearly includes the mobile channel.
“Mobile banking is an attractive target for criminal account takeover due to the rapidly growing number of users and limited fraud detection and prevention capabilities. It is also being exploited to circumvent strong authentication systems that use mobile text messages to validate high risk transactions,” said Yishay Yovel, vice president of marketing for Trusteer. “Trusteer Mobile Risk Engine combines a web-based service and dedicated mobile client components with real-time account risk data from Trusteer Pinpoint Malware Detection and Trusteer Rapport to prevent sophisticated mobile and cross channel fraud.”
Trusteer Mobile Risk Engine and its client-side components provide the following mobile fraud risk detection capabilities:
* Complex Device Fingerprinting for Mobile Devices: calculates a persistent device ID that uniquely identifies each mobile device. It also collects multiple device attributes such as geo location and user behaviour data to enable accurate detection of risky or suspicious access.
* Account Takeover Prevention from Mobile Devices: correlates risk factors such as new, spoofed and known fraudster devices with evidence of account credentials compromise. This real-time capability prevents cybercriminals from using stolen user credentials acquired via Phishing and malware attacks to access the mobile banking channel.
* Compromised Mobile Device Detection: analyses device vulnerabilities to mobile threats (such as jailbroken/rooted state) and detects devices compromised with mobile malware. This enables financial institutions to restrict access or transaction capabilities for high risk devices.
* Global Fraudster Database: maintains a global repository of known fraudster devices (PC, Mac and Mobile) that have been used to attempt fraud across hundreds of Trusteer protected financial institutions.
Trusteer Mobile Risk Engine is a web-based service that includes the following client-side components:
* Trusteer Mobile SDK: a security library that is embedded in a native mobile banking app and generates a device ID and device risk factors that are fed into the risk engine.
* Trusteer Mobile App: a secure browser that is built on top of the SDK and provides device ID and device risk factors for mobile web access to online banking. By securing both the native app and requiring web access via a secure browser, financial institutions can ensure all mobile access and transactions are evaluated for fraud risk.
* Trusteer Mobile Out-of-Band Authentication: a secure login and transaction verification solution that is used to ensure access to sensitive operations are initiated by the genuine account holder.
* Mobile Risk API: allows mobile device risk data collected by banking applications to be integrated into the Mobile Risk Engine without deploying a Trusteer client-side component.
Trusteer Mobile Risk Engine can also be integrated with 3rd party authentication systems (to drive step-up authentication for high risk access) and other risk engines.