For years, the assumption was simple: if the iPhone is secure, mobile banking is secure.
That idea held up for a long time. It shaped how banks designed authentication, how users thought about risk, and how fraud teams prioritised threats.
According to Dominic Forrest, Chief Technology Officer of identity verification firm iProov, that assumption is starting to break down—not because Apple’s security has weakened, but because attackers have moved on.
“iOS is still strong. That’s not the issue,” Forrest told FintechNewsPH in an exclusive interview. “The problem is that attackers have stopped trying to break the device. They are now going after something far more flexible—and far more valuable: the user’s identity inside trusted app sessions.”
The “iOS illusion” problem
IMAGE CREDIT: stock.adobe.com
For years, mobile security meant defending the phone.
Now it’s about what happens after the login screen—and that’s where things get uncomfortable.
Forrest shared that, for a long time, the industry treated a secure device as a secure transaction.
“The method has shifted rather than weakened the device. Instead of attacking iOS itself, they target the user’s identity and trusted app sessions through AI-powered injection attacks — a layer no device-level protection, however robust, was designed to defend,” he said.
AI-driven injection attacks, fake inputs, and manipulated app environments mean stolen trust, not stolen passwords. It’s subtle, and that’s what makes it effective.
iProov’s data points to a 1,151% surge in iOS-targeted injection attacks, with some markets seeing that spike in a matter of months—not years.
“So, iOS still plays an important role in the security stack, but treating device security as sufficient on its own needs review. The BSP’s “Check, Protect, and Report” campaign helps on the consumer side, but the response can’t sit with consumers alone. Banks need layered, identity-focused strategies that continuously verify who is behind every transaction,” Forrest further stated.
Fraud has stopped being “craft” and become infrastructure
Nearly half of users have encountered scams since digital banking went mainstream, according to regional data cited in the interview. Authorities have been warning about this for some time — the sophistication of attacks is outpacing public awareness.
That gap matters, because attackers scale into gaps.
Dominic Forrest, Chief Technology Officer at iProov
What was once fragmented experimentation has turned into large-scale, automated fraud operations.
Deepfakes generated in seconds. Virtual camera feeds. Automated account takeovers running in parallel. KYC data bought, sold, and reused.
“It’s industrial now,” Forrest said. “That’s the right word for it.”
Southeast Asia has become one of the most active testing grounds, with the region recording a 720% spike in attacks in Q3 2025 alone, according to industry intelligence cited by Forrest.
The Philippines, in particular, sits in a high-risk position. Nearly half of users have reportedly encountered scams since the rise of digital banking, while authorities, including the PNP Anti-Cybercrime Group, have repeatedly flagged the growing sophistication of attacks.
“These systems are designed to scale,” Forrest said. “And once they work in one market, they spread quickly.”
Why the Philippines is such a high-value target
The Philippines is doing exactly what policymakers want it to do: more digital payments, more inclusion, less cash dependency.
But consolidation changes the risk profile.
When banking, wallets, identity systems, and government services all sit behind one device, the stakes change.
“One compromised identity can open everything,” Forrest says.
That’s the attraction. Layer on the BSP’s digital finance push and the industry’s “80×80” ambition—80% digital accounts, 80% digital transactions by 2028—and the surface area expands quickly.
Fast adoption is good, but fast adoption without matching security maturity is where things begin to tilt.
Why static security checks are no longer enough
IMAGE CREDIT: BSP
Regulators, including the Bangko Sentral ng Pilipinas (BSP), have already begun pushing institutions away from SMS-based one-time passwords (OTPs) by the end of June under the Anti-Financial Account Scamming Act (AFASA).
For Forrest, this reflects a deeper industry shift.
“The old model assumes you verify once and trust the session,” he said. “That doesn’t hold anymore.”
He added that older user-facing defenses weren’t built for today’s threat environment. “Once effective, these techniques are quickly adopted and scaled by criminal groups, accelerating coordinated identity attacks across financial institutions and digital platforms.”
Even biometrics, often seen as the strongest layer of protection, are not immune, with a single facial or fingerprint check capable of being replayed or spoofed using AI-generated inputs.
The shift to continuous identity verification
The emerging standard, Forrest argues, is continuous verification—systems that don’t just confirm identity at login but throughout the entire session.
Instead of asking “Who are you?”, the model evolves into a continuous question: “Is this still the right person?”
That requires real-time monitoring of behaviour, device integrity, and session activity to detect anomalies as they happen.
“It’s not about adding more friction at login,” Forrest said. “It’s about making sure trust doesn’t expire after login.”
What fintech leaders should do next
IMAGE CREDIT: Magnific
For banks and fintechs reviewing their security architecture, Forrest’s recommendation is straightforward: stop treating authentication as a single event.
The priority is moving toward continuous identity threat detection—systems that can identify fraud mid-session, not just at the entry point.
This includes detecting unusual behavioural patterns, spotting manipulation inside live sessions, and responding before transactions are completed.
He also pointed to global frameworks such as NIST SP 800-63-4 and FIDO standards as useful reference points—not for compliance alone, but as practical design foundations.
The new reality of digital trust
Mobile banking is no longer just a question of device security. It is now a question of whether identity itself can be trusted in real time.
And in that shift, Forrest believes the industry is only at the beginning.
“The threat isn’t trying to get in anymore,” he said. “It’s already inside the session. Winning against today’s threat actors takes more than telling users to ‘be vigilant.’ Modern attacks are designed to look legitimate even to trained eyes, making ‘spot the scam’ guidance increasingly outdated. iProov’s research shows that 99.9% of people fail to identify a deepfake. If experts cannot reliably tell real from fake, it is no longer realistic to expect customers or employees to do so.”
For financial institutions in the Philippines and beyond, that may be the hardest adjustment yet.
