As Mobile Fraud Rises, The Password Persists

Mobile banking and finance apps got a big boost during COVID. But so did mobile banking fraud. Still, the vast majority of financial services and banking apps rely on passwords to secure mobile apps, according to a new study by the company Incognia.

The COVID-19 Pandemic spurred a huge increase in the use of mobile financial applications, and an even bigger surge in mobile application fraud. But that hasn’t lessened the banking and financial service industry’s heavy reliance on a venerable, but flawed security technology: the password. 

Out of a group of twenty-seven mobile applications that offer financial services, twenty-six of them still rely on passwords as the primary form of authentication, even though the technology offers weaker security and more overhead (or “friction”) for users, according to a new survey by the company Incognia. In the same group of apps, just 70% of them supported multi-factor authentication, despite widespread recognition that the technology greatly reduces instances of account hijacking, the study found. 

Weak passwords are the thread that ties together both sophisticated and unsophisticated cyber attacks. As we now know, the Darkside ransomware group gained access to the network of Colonial Pipeline by exploiting a weak VPN password. At the other end of the scale, weak passwords were the culprit in an attack on NurseryCam, a webcam service for daycares in the UK, which exposed personal account data used by thousands of their customers. 


Financial Apps At Risk

Nowhere is the risk of weak passwords more acute than in the financial services sector, where a password may be all that separates cyber criminals from liquid assets like cash and stock portfolios. Incognia’s Mobile App Friction report (PDF) tested these twenty-seven financial applications’ authentication methods. The company compared the methods of the applications to determine each method’s security strength, as well as to measure the friction a user must undergo when using each method, according to Incognia founder and CEO André Ferraz. “We were trying to understand how these companies are approaching this problem (and) who’s been able to deliver a good user experience while also being able to secure users’ accounts,” Ferraz told The Security Ledger.

André Ferraz is the CEO of Incognia.

A Cultural Shift

The issue of mobile banking security has taken on new importance thanks to the COVID-19 Pandemic. According to Ferraz, the Pandemic “was a very relevant cultural shift in terms of people who were not comfortable using online platforms to manage their finances,” but because of the Virus, “they are certainly way more comfortable now.”

Investing and trading apps alone saw an 88% increase in use from January to June in 2020, and at the same time, fraud losses have grown, with the rate of account takeover showing an increase of 20% last year. It’s clear that with an increase in use, comes an increase in risk: 

“Last year, we saw that mobile fraud in general was growing faster than mobile businesses overall. There is certainly a disconnect here… fraud is growing faster,” Ferraz said.

A Delicate Balance

Ferraz noted that measuring user “friction” – for example: how much time it takes for a user to complete an authentication or conduct a password reset – is indicative of the amount of convenience a user experiences. More time spent resetting a password is equivalent to more inconvenience (or greater friction) for the user.

To measure user friction overall, Incognia created a Password Reset Friction Index. The Index is made up of three factors: the time it took a user to complete the reset, the number of screens required to complete a reset, as well as the number of fields a user is asked to fill out when attempting a reset. In regards to time, Klover had the fastest time at 0:29, and SoFi had the slowest time at 3:37. For the number of screens, the majority of apps (fifteen) were tied at just four screens, but the app that had the most was Capital One, with a total of ten screens. Lastly, when measuring the number of fields, Klover led the pack with just two fields required. However, three of the apps, which included E*Trade, were tied at the bottom, each with a total of seven fields.


According to Incognia, studies have shown that users are more likely to choose convenience over security. Ferraz noted that “as consumers, we never think these accounts that we hold are the ones that are going to be attacked.” User friction is just as important to pay attention to as security strength is, because at the end of the day, convenience motivates consumers much more than security does, Ferraz said.  

We’re Not There Yet

The bigger conclusion the Incognia study yields is clear: passwords are far from dead. Incognia concluded that the traditional alphanumeric password is still the most popular authentication method for banking and financial services apps, even though it has the highest user friction and the least amount of security when compared to other methods. 

“If each person has dozens of accounts and we’re asking them to develop strong passwords… people are just not capable of storing all of this information in their heads,” said Ferraz. “It’s not a natural thing. We’re asking people to do something that is not natural.” 

Adding a second factor to traditional password authentication has been shown to improve security outcomes. But 30% of the mobile apps Incognia tested did not support MFA. “It’s hard to say why some companies are not using MFA and some companies are,” Ferraz said. Some of the applications may be using other authentication methods that do not require user interaction, which Incognia could not capture.

Do What Feels Natural

The problems Ferraz’s team identified in banking and financial services applications are likely to exist in other categories of applications, he said. And, as time progresses, the risks posed by an overreliance on passwords will grow. “We are approaching a pretty significant shift in technology (which will) enable the growth of the Internet of Things,” he said. 

Blaming the victim for poor password hygiene isn’t the right approach, he said. Instead, companies need to take on the responsibility of balancing security strength and user friction when implementing authentication methods. “All companies have an important role in educating society on these things,” he said. 

Improving cyber literacy among banking and financial services customers will help, but it will also take time. “The cyber literacy problem is not something that will be solved anytime soon,” according to Ferraz. However, companies that balance user friction and security strength when creating authentication technologies will be the winners in the long term. Ferraz made it known that in the eyes of businesses, “the goal should be, which types of technologies are natural enough where they don’t depend on educating my user.”