Some mobile banking security fears are based on the unknown.
“No conversation with a credit union client takes place these days without a mention of mobile. It’s no longer any sort of novelty—it’s integral to any security discussion,” says Brian Abele, vice president of product management at Q2ebanking. “Emerging technology always brings unknowns, so people’s concerns are basically worries about the unknown.”
But Abele agrees with his industry peers that the level of threats to the security of mobile devices isn’t as great as many credit unions fear.
“Threats that credit unions raise with us more than in any other area is someone else getting a mobile device and using it—getting the user name and password,” says Tom Campbell, vice president of sales at PM Systems. “Since phones are carried everywhere, it’s easier to lose them or have them stolen, certainly compared to a PC in somebody’s house. Also, there’s a concern that easy-to-use bill pay or person-to-person funds transfer apps could be used by a fraudster.”
But, Campbell asks, can those fears be realized?
“Theoretically, yes; but practically speaking, probably not,” he says. “First, it’s hard to steal money via a mobile device because it leaves a paper trail. And the person who finds or steals a mobile device isn’t likely to know anything about its owner, which makes it difficult to use the device for fraudulent purposes.”
The threat to mobile devices can be marginally less than the threats to a regular website, Campbell says. That’s true for two reasons:
1. Credit union mobile sites can drop a cookie on the phone that helps them identify its user; and
2. Mobile devices have certain identifying characteristics that reveal information about the user.
“For example, when a phone ‘talks’ to our server, there’s a header that shows its operating system and the browser version its owner uses,” Campbell explains. “So if they normally come in on an iPhone but now are coming in on an Android device, that alerts us that there could be fraudulent activity going on.”
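The check Campbell describes can be sketched as follows. This is an added example, not code from PM Systems or the original article; the function names, signal names, and the `known_devices` store are hypothetical, and the User-Agent strings are constructed samples.

```python
import re

# Constructed sample User-Agent strings (not captured traffic).
IPHONE_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 15_0 like Mac OS X) "
             "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.0 "
             "Mobile/15E148 Safari/604.1")
ANDROID_UA = ("Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/100.0.0.0 Mobile Safari/537.36")

# Order matters: iPhone UAs contain "Mac OS X" and Android UAs contain "Linux",
# so the mobile tokens are checked before the desktop ones.
PLATFORM_RULES = [
    ("ios", re.compile(r"iPhone|iPad|iPod")),
    ("android", re.compile(r"Android")),
    ("windows", re.compile(r"Windows")),
    ("macos", re.compile(r"Macintosh")),
]

def platform_family(user_agent):
    """Map a User-Agent header to a coarse platform name."""
    for name, pattern in PLATFORM_RULES:
        if pattern.search(user_agent or ""):
            return name
    return "unknown"

def assess_login(member, cookie_id, user_agent, known_devices):
    """Return (platform, signals) for one login attempt.

    known_devices is a hypothetical store: {member: {cookie_id: platform}},
    filled in when a device cookie is first issued after a verified login.
    """
    platform = platform_family(user_agent)
    devices = known_devices.get(member, {})
    signals = []
    if cookie_id not in devices:
        # No recognised device cookie was presented.
        signals.append("unrecognized_device")
        if devices and platform not in devices.values():
            # Campbell's case: an iPhone user now arriving on Android.
            signals.append("platform_new_for_member")
    elif devices[cookie_id] != platform:
        # Known cookie, different platform: the cookie may have been copied.
        signals.append("cookie_platform_mismatch")
    return platform, signals

# Constructed history: member "m-1001" has one enrolled iPhone.
SAMPLE_DEVICES = {"m-1001": {"ck-7f3a": "ios"}}

if __name__ == "__main__":
    for cookie, ua in [("ck-7f3a", IPHONE_UA), (None, ANDROID_UA), ("ck-7f3a", ANDROID_UA)]:
        print(cookie, assess_login("m-1001", cookie, ua, SAMPLE_DEVICES))
```

Because the User-Agent header is supplied by the client, these signals are best used to trigger step-up authentication or review rather than treated as proof of identity.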
“We see the biggest threats on this channel as the presumption of fraud and the lack of education about what to expect with this channel,” says Jeremiah Lotz, manager of e-commerce solutions at PSCU Financial Services. “It’s a lot like when online banking was introduced: People had great concerns about security and didn’t quite know their way around the topic.”
One area security providers are watching is apps.
“In security bulletins and publications, mobile banking hasn’t emerged as a threat vector yet. But, as everybody is creating apps and websites, it will become an issue,” says Ward Howell, director of security solutions consulting at Q2ebanking.
“A recent survey revealed that 25% of smart phones now have IDs and passwords cached on them,” he continues. “But at this point, there’s not a lot of talk about mobile banking security.”
As the adoption of mobile banking continues to increase, users need to be mindful of security, including recommended password management techniques. Additionally, financial institutions need to keep up with the latest security protocols, including the use of best practices for passwords, security tokens, and multifactor authentication.