08:26 AM
Ivan Schneider

5 Critical Strategies for Mobile Banking Security

To the best of their ability, banks need to ensure that their services are available and secured within any mobile phone configuration. Because absolute security is nearly impossible to attain in the mobile world, banks’ back-end systems have to be prepared to detect anomalies and fraudulent activity in the event that a front-end channel has been compromised.

By 2013, one-third of mobile phone users are expected to use mobile banking services. Already, one out of five Americans accesses financial information through a mobile phone, according to March 2012 research conducted by the Federal Reserve Board’s Division of Consumer and Community Affairs.

Yet the increasing use of mobile financial services has been accompanied by increased risk. According to Javelin Strategy’s 2012 Identity Fraud Report, smartphone owners are one-third more likely to have been victims of identity fraud in the past year. In part, these wounds are self-inflicted by smartphone owners who use outdated software, fail to use a home screen password or, most disturbingly, store their passwords as plain text on their mobile devices. The most advanced password protection in the world is no protection against someone who insists on saving his or her login details on an unprotected notebook page. It’s the mobile version of writing your password on a Post-It note attached to your monitor, made worse by the ease of losing a mobile device.

BS&T examines the rapid take-up of the mobile channel, the parameters of the security challenge, the common approaches taken by financial institutions to combat fraud, and the overall benefits of a multi-layered, multi-factor approach to mobile security and fraud prevention. To read more, download our special report.

Because regulations generally protect consumers from monetary loss in the case of online fraud, it’s not surprising that industry leaders say that they’re more concerned about fraud than their customers are. In a 2011 KPMG survey of business leaders in the financial services, technology, telecom and retail industries, security was viewed as the chief obstacle to the development of mobile payments strategies. By contrast, the same respondents believe consumers are much more interested in convenience, accessibility and ease of use.

Banks have to get both parts right. Mobile devices are designed for usability, with pared-down user interfaces and input options. Customers expect ease of use and seamless operation, and these factors have to be combined with effective security practices that maintain competitive parity with industry peers while meeting or exceeding regulatory requirements.

As more customers take to the mobile channel to perform higher-value activities, the threat of fraud increases. “Phones are little computers, facing the same malware threat that exists online,” says Julie Conroy-McNelley, research director for Aite Group’s retail banking practice. “Banks are very aggressively pushing higher-risk functionality out to mobile and tablet devices, and the fraud will follow.”

A truly comprehensive approach to mobile security involves security measures at up to five different points:

— The back end, with risk-based authentication and anomaly detection that examine requests for unusual or unexpected activity

— The application itself, which can contain multiple security features

— Out-of-band authentication, which relies on a separate device rather than just the smartphone itself

— The mobile operating system, which may offer security-oriented characteristics and settings

— The hardware, which might include layers of security beyond what a mobile OS can offer by itself

Based on interviews with leading industry analysts from Forrester Research, Mercator Advisory Group, Aite Group and ABI Research, this special report reviews the state of the art and discusses promising avenues for development for each of these five areas. The rapid pace of growth in the mobile banking and payments industries combined with the threat of fraud points to likely innovation at each of these levels, turning today’s R&D into tomorrow’s reality.

12/12/2013 | 4:15:56 PM
re: 5 Critical Strategies for Mobile Banking Security
Mobile developers still need to play their part by building and maintaining secure mobile banking apps.

Results from a recent study reveal that 8 out of 10 mobile banking apps contain build and configuration setting weaknesses. While the issues identified are merely informational in terms of risk, they do provide insight into the state of mobile development practices among leading megabanks, regional banks, and credit unions: in short, basic security best practices are not being followed.

Download full report:
Natalie McCaughin
3/8/2013 | 10:00:36 PM
re: 5 Critical Strategies for Mobile Banking Security
I think people have become really comfortable purchasing online and assuming companies are providing some level of protection. As a consumer, it's important to remember that your online security is sometimes not in your control - I was reading this blog and it was an interesting read on how to protect yourself even if you have been hacked:
7/25/2012 | 3:40:23 PM
re: 5 Critical Strategies for Mobile Banking Security
I depend a lot on shopping online and have always been concerned about the risk of exposing my credit card information. A must have is asking users to telesign in to complete a transaction by using 2FA. I am not sure why not all companies use this, in fact I feel suspicious when an online store doesn't ask me to telesign in, now it just feels as if they are not offering enough protection.