Mobile: The Emerging Fraud Target

Attackers Will Shift Their Focus, Expert Says

Julie Conroy

The same vulnerabilities that have made the online banking channel an easy target for fraudsters also will soon plague mobile banking, says Julie Conroy of the consultancy Aite.

Fraudsters are using cross-channel methods to compromise accounts, says Conroy in an interview with Information Security Media Group [transcript below]. And weak usernames and passwords have allowed attackers to easily perpetrate cross-channel and cross-vector schemes, because consumers too often use the same credentials across multiple sites and online relationships.

"We're seeing the institutions taking account takeover-based losses in the mobile channel," says Conroy, who recently spoke at Information Security Media Group's Fraud Summit. "The e-commerce merchants are taking the brunt of it right now because the banks tend to have their mobile channel a little bit more tied down with rules and controls."

The criminals are taking the time to study their targets, she says. Once they see technologies and policies deployed to the online channel to mitigate fraud risks, the fraudsters will move over to the mobile channel, Conroy predicts.

"As they see that basic lifecycle flow, they will time their attacks and, as the opportunity dries up online, they will move to mobile and maximize their opportunity there until those opportunities dry up as well," she says.

Fraudsters are also taking advantage of mobile's unique properties, developing malware that's specifically designed to capitalize on mobile.

"In many cases, unfortunately, they're finding some of the loopholes before we do and seal them up," Conroy says.

During this interview, Conroy discusses:

- How fraudsters are combining technology with in-person social engineering to compromise accounts;
- Why the same vulnerabilities that have made the online channel an easy target also will soon plague mobile; and
- How fraudsters are monitoring e-mail traffic for communications between banks and their customers.

Conroy has more than a decade of product management experience, working with financial institutions, payments processors and risk management companies. Before joining Aite, she was the senior vice president of product management with Golden Gateway Financial, where she developed and managed new financial services lines of business. Previously, she was vice president of product solutions with Early Warning Services, where she managed a suite of fraud prevention services. Conroy also formerly led operational process improvements for NextCard, where she identified points of compromise and implemented solutions to reduce fraud and operational expenses. She began her career as a research analyst at E*Offering.

Outdated Authentication Methods

TRACY KITTEN: How have outdated authentication methods impacted account takeover fraud trends in the last 12 months for banking institutions and e-commerce merchants?

JULIE CONROY: To the extent that anyone was considering username and password an authenticator, right there is a key point of vulnerability. The use of username and password as an authentication tool is dead. It's a great database lookup mechanism, but that's about it. Part of that is just the weakness of the passwords themselves, but most of that is the fact that 55 percent of consumers use the same set of credentials across all of their online relationships. They get compromised in one place and that basically gives the keys to the kingdom to the bad guys to make use of them across the Web. The myriad database breaches that we've seen over the last 18 months or so, credentials were compromised and in many cases they were just stored in a very basic hashed format, making it very easy for the bad guys to decrypt them. As soon as they do that, they load them into their bots and dress them against as many properties as they can, trying to see where they're going to work. That's a key reason why, as I talk to e-commerce merchants, many of them have seen account takeover-related fraud eclipse stolen card fraud as their greatest source of pain over the last year.

Changing Account Takeover Attacks

KITTEN: How have account takeover attacks adapted in the last 12 months to circumvent some of the new security controls that institutions have put into place?