Risks are increasing with 55 times increase in such transactions over the past three years, says a Assocham-PwC report
The volume of mobile banking transactions has risen from around Rs 1,819 crore (Rs 18.19 billion) in 2011-12 to over Rs 1.01 lakh crore in 2014-15. Being an easy and convenient mode of transacting, there has been a 55 times rise in value usage of mobile banking and 5.5 times rise in the volume of transactions between FY12 and FY15.
There are two types of mobile financial services that are currently offered in the Indian market mobile banking and mobile wallets. After the recent changes to RBI policy, customers of semi-closed pre-paid instruments (PPIs) can now do the following:
1) Load up to Rs 100,000 in wallets.
2) Transfer money from their wallet to any bank account. This move, on one hand, enhances the convenience and adoptability of a mobile wallet and on the other, makes it more susceptible to fraud risks, says a recent report by Assocham-PricewaterhouseCoopers titled 'Current fraud trends in the financial sector’. The report lists important risks associated with mobile banking and mobile wallets:
Mobile banking
Mobile banking application being mapped to an incorrect mobile number: For bank customers who do not use mobile banking, an employee of the bank could attach an associate’s mobile number to the bank account and install a mobile application on his mobile device. The customer’s account is compromised by the associate and he or she does not get any notification about the same.
Creating fake and non-existent users on the mobile financial services platform: Most of the banks appoint a third party vendor to develop a mobile application, to be integrated with their core banking system. The vendor may create two unauthorised users with rights to initiate and verify transactions, and transfer funds from the organisation to his associates’ wallets, effectively stealing money from the bank.
SIM swap: If a fraudster manages a swap, he or she can carry out numerous fraudulent transactions using the mobile number of the victim. For instance, the valid Mobile Station International Subscriber Directory Number (MSISDN) is moved to another handset. The user has no access to their account and hence will receives no notification. The user with the other handset, on knowing the PIN, can transact in the account.
Fake or similar interface apps: The fake applications, with exactly the same user interface as the original application are being created to steal confidential information shared by the user.
Malware: The increase in the number of mobile banking users is accompanied by a rise in attacks through malware.
Data theft: Mass attacks are possible through the theft of credentials which can be used for personal benefits.
Mobile wallets are also susceptible
Increased risk of money laundering: The transfer of money into and out of a mobile wallet from or to a bank account is now possible. Cash-in from the bank account of an individual and cash-out to a different bank account of another individual can be used as a platform for laundering unaccounted money.
Unauthorised deductions from the wallet of a customer (especially a dormant or infrequent customer account): The employees of the mobile wallet service provider may misuse the balance stored in the wallet of a customer by making unauthorized deductions. Moreover, in case of a mishap to a customer with no nomination facility, the balance in the customer’s account is not passed on to his family members and remains with the service provider which ultimately becomes a low hanging fruit for the fraudsters.
Failure to conduct proper due diligence of merchants: If the merchant on-boarded by the service provider is a fraudster, and the payment is made by the customer for fictitious goods or services from the merchant, where cash can be rotated with minimum transaction fees.
No auto log-off facility: An individual usually opens the application on his/her mobile device for availing the services and closes the application, instead of logging out. If the mobile device is stolen or lost and a fraudster opens the application, he/she can misuse the remaining balance in the service provider’s wallet.