In the world of security there is often a tendency to
accentuate the negative. This can often be justified. Malware can lead to
data/identity theft and financial fraud and a DDoS attack can create havoc by
denying access to a web site or service etc.
However, security can also be a positive factor – an
enabler. For financial services, each time we use our debit or credit cards in
an ATM or POS terminal in a retail store or use them on an eCommerce website we
have a fair level of assurance that all parties are protected from fraud - where
would eCommerce and financial transaction integrity be without cryptography?
Security technology coupled with sound risk management has
been at the heart of the financial services industry for many years. This
combination of security technology and risk management must be applied to new
methods of providing financial services to bank customers including one of the
hottest channels for providing financial services – Mobile.
Mobile devices, from feature to smart phones and from tablets
to phablets, have become a vital endpoint for accessing banking services. The
mobile banking channel is viewed as one of the most important channels for
delivering financial services to bank customers. These are the same bank
customers that are rapidly adopting these ‘smart mobile devices’ and are using
them as their primary digital device – the first screen for consuming
work/leisure digital content.
With the rush to mobile by financial institutions for
banking and payment services there have been serious questions asked on whether
mobile is secure enough? There is no denying that smart mobile devices are
increasingly being attacked for financial fraud and identity theft. A
combination of platform vulnerabilities and an increased desire from hackers
and fraudsters to attack has led to a situation where mobile devices are under
threat. Mobile malware is on the rise, especially affecting Android, and
banking services, including some mobile-based Two-Factor-authentication (2FA)
services, are under targeted attack.
Much has been commented on mobile vulnerabilities and
whether security vendors are creating scare stories to make mobile users
install their products but my experience tells me that much of this is not FUD
but FACT. As money moves onto mobile devices than it is inevitable that the
criminals will follow.
This has to be one of my favourite quotes (although the
quote may in fact be an urban legend) and I apologise for repeating it again
here but it is such an important message and provides context for this blog.
One of the US’s most prolific bank robbers from the 1920s to the 1950s was a
man named Willie Sutton (AKA “Slick Willie”). In his 40-year ‘career’ he robbed
over one hundred banks and stole an estimated $2 million (a big number in old
money). When asked why he robbed banks he replied “because that’s where the money is”. Why is this important to today’s
ever mobile world? Well I think it is pretty obvious. Soon there will be more
mobile phones than people on this planet and every one of these devices has the
capability of banking (including full transactional banking). From the streets
of Nairobi, Kenya, to the avenues of New York, USA, people are accessing their
bank accounts and transferring money using mobile devices – be it an old
Ericsson ‘brick’ or the latest Apple iPhone; using SMS or a mobile App. Its
where the money is…
So, is mobile banking a secure method for banking and is it
the most secure yet? I believe that mobile banking has the ‘potential’ to be
more secure than traditional online banking and comparable with other banking
channels. Whether current deployments of mobile banking are secure enough at
the moment is another question. The key word is ‘potential’. Mobile phones and
smart mobile devices have the capability to offer very good levels of security
for banking purposes. Whether it is leveraging the hardware security
capabilities and trusted environment that the Secure Element (SE) offers or
adopting strong mobile-based Multi-Factor Verification (MFV), mobile devices
can play an important part in ensuring trust between the bank customer and
their bank.
In a recently published report from Goode Intelligence written by Ron Condon, Senior Analyst, “Mobile
Banking Security Insight Report”, we investigate the risks to mobile
banking, how banks are securing the mobile banking and analyse the state of
security for this channel.
We have interviewed some of the leading lights in the world
of banking security and have asked them to recommend ways in which mobile
banking can be a trusted channel for financial institutions – actionable steps that banks can adopt to
ensure that their customers are secure when banking on their mobile devices.
I can share some of this advice here. When designing and
deploying mobile banking solutions financial institutions should, at a minimum:
- Use the power of the mobile phone to create an encrypted communication channel between user and bank
- The phone’s “fingerprint” should provide one factor in authenticating the users (the PIN provides another)
- Consider using the other facilities on the phone for stronger authentication (biometrics, geolocation)
- Monitor apps stores for any rogue apps that purport to represent your company – and kill them quickly
- Introduce a plan for updating mobile banking apps
- Ensure that mobile banking apps are security tested
- Integrate mobile apps with other banking channels, so that security lessons learned in one channel benefit the others
- Educate users about system hygiene when upgrading their handset, and disposing of an old one
I hope this blog has been useful for you? Please feel free
to contact me to find out more about mobile banking security and our research.
You can follow us on twitter @goodeintel.
