How Malware on Customer Devices Threatens the Bank

By Chemi Katz

For centuries, banks have invested heavily in delivering a safe, reliable banking experience to their customers. From the bull to the vault, banks have worked hard to create a sense of security to ensure loyalty over time. But as customer preference shifts increasingly toward online and mobile, concentrating solely on the brick-and-mortar banking experience is no longer enough: banks must now focus on creating a trusted, delighting and annoyance-free digital experience.

Creating a safe and frictionless digital environment is the main challenge banks face as they re-evaluate their priorities and resources. Along with many new challenges and variables to consider, trust and loyalty are (as they have always been) the key elements in this comprehensive and extensive re-evaluation process.

As banks work to remove the friction, a recent study from Bain and Company lays out the different ways in which customers engage with their banks, and how likely each channel is to annoy or to delight: online is less likely to annoy, whereas mobile is the most likely to delight.

And it’s not only about “selling” via the digital journey. Banks need to focus on removing the friction and engaging customers early on in the digital journey, given that two-thirds of customers base their decisions on the quality of experience along their journey.

Keeping all this in mind, there is a new element in this ongoing challenge that banks have to consider. According to research, 15-30 percent of all online and mobile users are infected with client-side injected malware, or CSIM, which poses a massive threat to trust and loyalty. What’s unique about CSIM is that it runs on customers’ devices, bypassing all server-side security shields, thus remaining totally invisible to banks.

CSIM has two major implications for customers’ trust and loyalty, significantly affecting both the “annoyance” and the “delight” aspects of the digital journey. First, CSIM enables third parties to inject ads, banners and pop-ups directly on the digital asset of the bank, on both desktop and mobile, without the bank’s approval. These injected ads may include competing services, ads for unrelated products and inappropriate content, such as pornography or gambling, and are designed to lure customers away. In addition, these injected ads create a severe distraction to the customer journey and a true “annoyance” factor, at times covering a large amount of the screen and hiding important call-to-action forms, buttons and critical information.

For banks, this is a serious issue. CSIM runs directly from the customer’s device and therefore cannot be detected and blocked by the bank with traditional server-side security shields. The annoyance factor created by CSIM may cause confusion and a lack of trust among customers who experience the bank’s online journey in a vastly different way than it was originally designed.

But CSIM also affects how delightful the customer journey is. In addition to injected ads, CSIM also enables spyware and scripts to be injected into the site, posing a significant threat to the customer’s privacy and potentially stealing user credentials, payment information and any other sensitive information displayed during the customer’s digital interaction. Together with visual injections, this is a potential hurdle in establishing long-lasting trust in the bank’s brand and safety across all channels.

As bankers continue to invest heavily in improving the customer experience, reducing the annoying factors and strengthening the delighting elements, they also need to rethink how they protect customer trust and loyalty. Traditional server-side shields are no longer sufficient, and banks should also consider protecting the client side to ensure their customers’ experience remains one that builds trust and loyalty.

Chemi Katz is co-founder and CEO of Namogoo, an Israel-based cybersecurity firm.