
Financial institutions must address security concerns in mobile banking and payments

Security factors that financial institutions must take into account include mobile malware, mobile software/app assurance, application and OS trust management, data protection, identity and access management, according to IDC Financial Insights. Tactics banks should consider include mutual authentication approaches that incorporate multi-factor, multi-layered security techniques, for example, online banking transaction confirmations via SMS or call back.

“Smartphones and media tablets are increasingly important in financial services, given current penetration globally and the tremendous growth forecast in the consumer market for both device types,” said Michael Versace, research director of global risk at IDC Financial Insights, Boston.

“And the devices are just one component of the mobile ecosystem that ultimately will become a core component of the financial supply chain,” he said.

According to Mr. Versace, the strategy for secure mobile financial services for enterprise users must include mobile secure content and threat management (MSCTM) to defend against viruses, spyware, spam, hackers, intrusions and the unauthorized use or disclosure of confidential information for mobile devices such as smartphones and media tablets.

MSCTM includes mobile threat management, mobile information protection and mobile virtual private network (VPN).

Mobile security and vulnerability management solutions provide device wipe, device lockdown and patching for mobile devices, as well as password management and policy and compliance management.

Mobile identity and access management (MIAM) solutions provide authentication and authorization technologies associated with ecommerce transactions conducted from mobile devices and that support network access for mobile devices.

Other mobile security covers emerging security functions such as antitheft and antifraud.

Security partnership
Security is always a partnership between the user and the bank, according to mFoundry.

A bank can go to extraordinary lengths to protect the consumer, but a lazy PIN or conducting banking via an insecure Wi-Fi network can make a bank’s efforts futile.

Banks have to balance the need for security with the important need to provide a usable experience for the customer.

“If it’s too hard, no one will use it, and if it’s too easy it might be insecure,” said Drew Sievers, cofounder/CEO of mFoundry, San Francisco. “In the mobile category, it’s important for a bank to use a solution that has multiple factors of authentication, leveraging something the customer knows like a special mobile PIN, and something the customer has like their phone.”

Many banks use a challenge question to validate a new device as well.

Similarly, if a particularly risky transaction needs to occur, then many banks look for yet another factor of authentication such as answering a special question.

Mobile apps and mobile Web sites have their own unique ways to be compromised, per mFoundry.

In the app space, while Apple’s iTunes store does the best job of curating content, there have been examples of apps from Google’s Android Market that were specifically designed to phish banking credentials from unsuspecting customers.

Third-party, non-bank-issued apps that aggregate different types of accounts also present a risk, since the customer has to share their credentials with an unknown, untrusted source.

“Banks always recommend against sharing credentials with anyone,” Mr. Sievers said. “Mobile Web presents its own challenges, since a fraudulent mobile Web site can be invoked in much the same way a fake online site can be called, via a corrupting link.

“In our opinion, it’s important for customers to be trained to never click a link sent from their bank via text or email,” he said. “Most banks believe that sending clickable links to customers is a dangerous way to open them up to phishing.”

Build trust in mobile financial services
Banks and financial institutions have realized that in order to win new customers and retain existing ones, they have to be accessible via the mobile device.

There are more than 5 billion phones in the world, and only about one-half of adults are using bank services, so the potential is very promising, according to TRUSTe.

Customers are hungry for convenience: they want access to their bank’s site through the mobile Web site and also want the simplicity and easy access of a dedicated mobile app.

However, the security of the financial transactions is of great importance, since many of these transactions are executed from a remote location and the information is transmitted over the air.

“Of course, the banks and financial institutions can’t solve this alone—it requires cooperation by the app developers, the carriers, the bank customer and the bank’s IT department,” said Janet Jaiswal, senior director and mobile product manager at TRUSTe, San Francisco. “That said, there are a few measures that banks and other financial institutions can take to ensure that their mobile Web sites and apps are secure.

“What is ultimately utilized depends on a bank’s budget, their customers’ preference and ease of integration,” she said.

Front door: multi-factor authentication
With the popularity of mobile phones, two-factor authentication can be deployed at a fraction of the cost of physical tokens, per TRUSTe.

At the time of registration, the bank can send an automated mobile PIN to the user’s mobile phone, which establishes that the phone is in the possession of the user at the time of registration. 

For regular account access, banks can send a 6- or 8-digit one-time pass code that changes every 30-60 seconds to their user’s mobile device via SMS.

Users simply enter this code along with their username and password when signing into their online account.

With two-factor authentication, even if a customer’s account name and password have been guessed, the likelihood of their account falling to cybercrime is drastically reduced.

Browser security is also paramount. Another safeguard is ensuring that a bank’s mobile Web site is only accessible through browsers that have, at a minimum, 128-bit SSL support.

Back door: fraud/risk modeling
Many of the security measures deployed for traditional banking still apply for access via the mobile device such as funding source authentication, monitoring transactions and data security. 

However, banks have additional access points that they will have to account for in their fraud/risk models.

For example, phones can be used to tie a user to an account. Most users access a limited number of accounts through their mobile device, so if a bank starts to see multiple accounts accessed via the same mobile device, they should look deeper.
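The device-to-account signal described above, as an added example that is not code from the article or from TRUSTe: login events (a constructed sample, not real bank data) are grouped by device, and any device that reaches more than an assumed threshold of distinct accounts within a 24-hour window is flagged for closer review.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of mobile login events: timestamp, device identifier, account id.
SAMPLE_LOGINS = """\
2012-01-10T08:00:00 dev-a1 acct-1001
2012-01-10T08:05:00 dev-a1 acct-1001
2012-01-10T09:10:00 dev-b7 acct-2002
2012-01-10T09:12:00 dev-b7 acct-2003
2012-01-10T09:15:00 dev-b7 acct-2004
2012-01-10T09:20:00 dev-b7 acct-2005
2012-01-11T10:00:00 dev-c3 acct-3001
2012-01-11T11:00:00 dev-c3 acct-3002
"""


def parse_logins(text):
    """Parse whitespace-separated 'timestamp device account' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, account = line.split()
        events.append((datetime.fromisoformat(ts), device, account))
    return events


def flag_shared_devices(events, max_accounts=2, window=timedelta(hours=24)):
    """Return {device: sorted accounts} for every device that accessed more than
    `max_accounts` distinct accounts within any `window`-long span.
    The threshold and window are assumptions for illustration, not a bank's policy."""
    by_device = defaultdict(list)
    for ts, device, account in events:
        by_device[device].append((ts, account))
    flagged = {}
    for device, rows in by_device.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            # Distinct accounts seen from this login forward, inside the window.
            seen = {acct for ts, acct in rows[i:] if ts - start <= window}
            if len(seen) > max_accounts:
                flagged[device] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for device, accounts in flag_shared_devices(parse_logins(SAMPLE_LOGINS)).items():
        print(f"review {device}: {len(accounts)} accounts in 24h -> {accounts}")
```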

Law enforcement is also a factor.

Banks should form good relationships with the law enforcement community, their peers and industry associations, per TRUSTe.

If a bank has collected information about a potential “bad guy,” they should share it with the law enforcement community, which will appreciate the help and will be more willing to help when a bank needs them.

Banks should also network with their peers and become active with industry associations. 

Lastly, other banks are trying various security solutions and banks can learn from their experience and learn of new technologies and strategies that can be helpful.

Everything in between: customer education
All the security in the world can never protect a customer’s account if that customer leaves a note with their password stuck to their mobile device cover or stores their password in their address book with a contact labeled “passwords.”

A well-informed and alert user can be one of the strongest deterrents to theft via a mobile device. 

Banks should take the time to provide helpful tips for using the mobile device and educate customers on the best way to access their account via the mobile device and their PC. They can also build safeguards into the account, such as requiring a password change every X number of days and only accepting a password that is at least 6 characters long and contains alphanumeric characters.

Also, Ms. Jaiswal recommends making sure that the questions customers are required to answer for lost-password recovery are unusual or different from the 6-10 security questions that have now become common.

Data privacy is also key.

Bank customers want to be able to see a public statement of their practices with regards to the information they collect, use, transmit and share.

In order to build trust with a bank’s customers, they have to make sure that their internal and external policies are defined, documented and followed.

Ensure that the information is collected, used, retained and disclosed in conformity with the commitments in the privacy statement. Information designated as confidential is protected as committed or agreed.

Document the data handling procedures, per TRUSTe. Also, train all employees not just those that touch the data.

Define what needs to be done in case of a data breach. And, update the privacy policy/statement and let bank customers know that their bank will stand by it.

“The measures that a bank has built in will not protect their customers if their customers don’t know their bank has them,” Ms. Jaiswal said.

“Make them aware of the safeguards available and let customers know that their bank takes their safety just as seriously as they do,” she said. “And, tell them over and over again.”

Final Take
Dan Butcher, associate editor, Mobile Commerce Daily