Addressing the Unique Security Challenges Mobile Devices Present
Mobile devices are introducing unprecedented improvements in convenience. However, mobile devices also present a unique set of security requirements and challenges. Mobile devices are the 21st century wallet – the ultimate in convenience for banking, shopping and entertainment. Since mobile devices contain a wealth of information, they are target rich, and hence attractive for fraudsters.
FFIEC has issued guidance on using multi-factor authentication to financial institutions for all forms of electronic banking and payment activities, including mobile banking. Multi-factor authentication uses a combination of something that the user knows (password), something that the user possesses (mobile device) or something that is inseparable from the user (biometrics). Multi-factor authentication systems is ideal of course to have a high level of security with ease of access, and transparent to the end user and not delivered to the device. A second or third layer of authentication to login makes an attack harder. But the challenge is to make an attack difficult for fraudsters without making the consumer experience unpleasant.
An example of striking this balance is the D+H Mobile Banking App. Joan Owens, product manager for the D+H Channel Solution, says “Our Mobile Banking App uses a mobile device registration process to achieve multi-factor authentication. Subsequent access to the mobile app requires only the login and password and the same device used to enroll.” In addition to multifactor authentication, Mobile Banking App security features include SSL encryption, compliant Device ID, mobile fraud risk prevention, entitlements, optional pin and debit card lock.
When it comes to data storage, community banks and credit unions need to ensure their banking apps do not store customer information, such as usernames and passwords on the mobile device. According to Sean Darragh, VP of security at Malauzai Software, “Mobile devices should be considered ‘compromised’ from a design perspective. Sensitive data such as credit card numbers, social security numbers, etc. if necessary should only live in session, and should NOT persist to the device. If data is not stored securely, then sensitive data can be retrieved from a device fairly easily as mobile devices have the propensity to ‘leak’ information due to users allowing overly permissive apps.” For example, apps that have a marketing bent, or allow in-app purchases usually ask for access to things they don’t need to function such as document management storage, use accounts on the device, or full network access. If a user grants such permissions, then the app can add or remove items from storage or see all the accounts on your device. In sum, the device would then leak information to apps that don’t specifically need it because the user has granted access to the app. Fortunately, Mobile Banking App does not store sensitive information on a device. If the FI chooses, the username can be stored, but all other information only exists for the length of the session.
So what happens if a mobile device is lost or stolen? Bank administrators need the ability to deactivate their apps on individual devices and force consumers to re-authenticate prior to assessing account information. Mobile Banking App features SAMI – an application management system designed to provide remote device and application management. Financial institutions can track devices running the Mobile Banking App, disable the app remotely if necessary, and send push notifications to the devices. The consumer can take action as well, including contacting his or her financial institution to report the missing device, and his or her mobile carrier to suspend service, as well as taking advantage of recovery apps on the market to help track lost devices. For example, Android users can take advantage of Google’s Android Device Manager to track phones/tablets that do not require an app to be installed. Customers can also use their mobile operating systems to track and wipe their devices if necessary, which is a capability that should be configured upon device setup. Being able to wipe data is crucial – customers may not even remember what they accessed on their phone over time. Any data stored on a device, even personal contacts, can be very dangerous in the wrong hands. Confidential information, emails, text messages, and browsing history, when compromised, can be used to commit illegal activities such as identity theft, and fraud.
Overall, having a strong focus on innovation with mobile banking is key, but it is important to integrate secure practices all along the way.