By 2013, one-third of mobile phone users are expected to use mobile banking services. Already, one out of five Americans accesses financial information through a mobile phone, according to March 2012 research conducted by the Federal Reserve Board’s Division of Consumer and Community Affairs.
Yet the increasing use of mobile financial services has been accompanied by increased risk. According to Javelin Strategy’s 2012 Identity Fraud Report, smartphone owners are one-third more likely to have been victims of identity fraud in the past year. In part, these wounds are self-inflicted by smartphone owners who use outdated software, fail to use a home screen password or, most disturbingly, store their passwords as plain text on their mobile devices. The most advanced password protection in the world is no protection against someone who insists on saving his or her login details on an unprotected notebook page. It’s the mobile version of writing your password on a Post-It note attached to your monitor, made worse by the ease of losing a mobile device.
Because regulations generally protect consumers from monetary loss in the case of online fraud, it’s not surprising that industry leaders say that they’re more concerned about fraud than their customers are. In a 2011 KPMG survey of business leaders in the financial services, technology, telecom and retail industries, security was viewed as the chief obstacle to the development of mobile payments strategies. By contrast, the same respondents believe consumers are much more interested in convenience, accessibility and ease of use.
Banks have to get both parts right. Mobile devices are designed for usability, with pared-down user interfaces and input options. Customers expect ease of use and seamless operation, and these expectations have to be combined with effective security practices that maintain competitive parity with industry peers while meeting or exceeding regulatory requirements.
As more customers take to the mobile channel to perform higher-value activities, the threat of fraud increases. “Phones are little computers, facing the same malware threat that exists online,” says Julie Conroy-McNelley, research director for Aite Group’s retail banking practice. “Banks are very aggressively pushing higher-risk functionality out to mobile and tablet devices, and the fraud will follow.”
A truly comprehensive approach to mobile security involves security measures at up to five different points:
— The back end, with risk-based authentication and anomaly detection that examine requests for unusual or unexpected activity
— The application itself, which can contain multiple security features
— Out-of-band authentication, which relies on a separate device rather than just the smartphone itself
— The mobile operating system, which may offer security-oriented characteristics and settings
— The hardware, which might include layers of security beyond what a mobile OS can offer by itself
Based on interviews with leading industry analysts from Forrester Research, Mercator Advisory Group, Aite Group and ABI Research, this special report reviews the state of the art and discusses promising avenues for development for each of these five areas. The rapid pace of growth in the mobile banking and payments industries combined with the threat of fraud points to likely innovation at each of these levels, turning today’s R&D into tomorrow’s reality.
1. Back-End Booster Shot: Risk-Based Authentication
If a customer were to walk into the branch and ask to withdraw an entire account’s balance, a bank employee would probably ask why. A similar response should hold no matter which channel is being used, with remote channels triggering investigations at a much lower threshold than in-person channels.
Indeed, a bank should calibrate its response to a remote request based on the typical behavior for that customer and by expected behavior for similar customers. Typical, low-risk transactions should sail through, while atypical, high-risk transactions should be flagged for further review and confirmation with the customer through a separate channel, such as a home phone or email account.
That’s the promised benefit of risk-based authentication (RBA), the cornerstone of security for the modern multi-channel financial institution. “How do we add more security with usability? The easiest way is to silently observe the transactions,” says Eve Maler, principal analyst for security and risk at Forrester Research. “It’s becoming par for the course for financial institutions.”
The move to RBA is driven in part by FFIEC guidelines calling for a multilayered approach to security. However, the benefit goes beyond regulatory compliance: the technique adds substantial protection without requiring heavy measures on the application or device side, because it works from data the bank already sees on the back end.
The RBA approach is well-established outside of financial services. For example, e-commerce vendors that also depend upon usernames and passwords mitigate their risk with a heavy dose of RBA. “Merchants need to make things easy for consumers,” says Maler. “I’ve never changed my Amazon or PayPal passwords, and they don’t make me change because they’re hardly using those passwords. Instead, they’re using the back-end observational details.”
Security experts describe multifactor authentication as comprising three elements:
— Something you know, like a password
— Something you have, like a one-time-password generator
— Something you are, via a biometric identifier such as a fingerprint or iris scan
RBA can be considered a fourth layer of multifactor authentication by capturing the essence of what you do, suggests Maler. “It’s the booster shot that we need to apply so that we can step up the level of authentication,” she says.
An important question for banks is where to apply the RBA booster shot. Edward O’Brien, director of the banking channels advisory service for Mercator Advisory Group, recommends that banks capture the business logic for risk analytics in the back-end core banking solution. “If the core banking system has the main business rules, it won’t matter if the customer’s going through the ATM, mobile or branch,” says O’Brien. “If something seems out of sync or if there’s an issue to address, anomaly detection analytics can decide whether to call the person or to put a hold on the account.”
“It makes perfect sense to include these rules in the core banking system,” adds O’Brien. “If you have multiple attacks occurring simultaneously through multiple channels, the core system should have the business rules to respond.”
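The following is an added example, not code from the report or from any of the vendors or analysts it cites, of the kind of back-end rule that O'Brien describes: every request, regardless of channel, is scored against the customer's own baseline, and the thresholds for stepping up or holding the account are lower for remote channels than for a branch visit, as the opening of this section argues. The attribute names, weights and thresholds are assumptions chosen for illustration; a production system would learn them from the institution's own fraud history.

```python
"""Risk-based authentication (RBA) decision logic: an added illustration,
not code from the report or any vendor.  Names, weights and thresholds
are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass
class Profile:
    """Baseline learned from the customer's past, undisputed activity."""
    typical_amount: float                # median transfer amount
    max_amount: float                    # largest undisputed transfer
    known_devices: Set[str] = field(default_factory=set)
    usual_countries: Set[str] = field(default_factory=set)
    recent_requests: List[datetime] = field(default_factory=list)


@dataclass
class Request:
    channel: str                         # "branch", "atm", "web" or "mobile"
    amount: float
    balance: float                       # balance before the request
    country: str
    at: datetime
    device_id: Optional[str] = None      # None for in-person channels


# (step-up, hold) score thresholds per channel.  Remote channels are reviewed
# at a lower level of suspicion than in-person ones; values are constructed.
THRESHOLDS = {
    "branch": (50, 80),
    "atm":    (40, 70),
    "web":    (30, 60),
    "mobile": (25, 50),
}


def score(req: Request, profile: Profile):
    """Return (score, reasons) comparing the request with the baseline."""
    s, reasons = 0, []
    if req.amount > profile.max_amount:
        s += 30; reasons.append("amount above historical maximum")
    elif req.amount > 3 * profile.typical_amount:
        s += 15; reasons.append("amount well above typical")
    if req.balance > 0 and req.amount >= 0.9 * req.balance:
        s += 25; reasons.append("request drains the account")
    if req.channel in ("web", "mobile") and req.device_id not in profile.known_devices:
        s += 25; reasons.append("device not seen before")
    if req.country not in profile.usual_countries:
        s += 20; reasons.append("unusual country")
    window_start = req.at - timedelta(minutes=10)
    if sum(1 for t in profile.recent_requests if t > window_start) >= 3:
        s += 20; reasons.append("burst of recent requests")
    return s, reasons


def decide(req: Request, profile: Profile):
    """Map the score to: allow; step_up (out-of-band confirmation on remote
    channels, a teller's questions in the branch); hold_and_call."""
    s, reasons = score(req, profile)
    step_up, hold = THRESHOLDS[req.channel]
    if s >= hold:
        action = "hold_and_call"
    elif s >= step_up:
        action = "step_up"
    else:
        action = "allow"
    return action, s, reasons


# Constructed sample data: a customer who normally moves a few hundred
# dollars from one phone in the US.
T0 = datetime(2012, 6, 1, 9, 0)
SAMPLE_PROFILE = Profile(typical_amount=200.0, max_amount=1500.0,
                         known_devices={"phone-A"}, usual_countries={"US"})
SAMPLE_REQUESTS = [
    Request("mobile", 150.0, 5000.0, "US", T0, "phone-A"),    # routine
    Request("mobile", 4800.0, 5000.0, "US", T0, "phone-A"),   # drains account
    Request("branch", 4800.0, 5000.0, "US", T0),              # same, in person
    Request("mobile", 4800.0, 5000.0, "RO", T0, "phone-Z"),   # new device, abroad
]


def run_samples():
    """Decisions for the constructed requests, in order."""
    return [decide(r, SAMPLE_PROFILE)[0] for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        action, s, why = decide(r, SAMPLE_PROFILE)
        print(f"{r.channel:7} {r.amount:8.2f} -> {action:14} score={s:3} {why}")
```

Note what the constructed cases show: the same account-draining transfer is held outright when it arrives over mobile but only prompts a question in the branch, because the channel thresholds differ while the business rule is shared.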
Increasingly, downloaded mobile apps have become the primary mobile interface between financial institutions and their customers. Still, older approaches remain in wide use. Before the runaway success of the iOS-powered Apple iPhone, customers tended to use either SMS messaging for simple informational requests or the phone's built-in WAP mobile browser, which renders PC-oriented websites for smaller mobile screens.
SMS text messaging offers only limited capabilities for mobile banking, due to the asynchronous communication mode and restricted character count per message. Accordingly, SMS is best used for requests such as balance inquiries and finding the nearest ATM. However, balance inquiries are the most common usage for mobile banking, according to the Fed study cited in the introduction. If financial institutions hope to drive further adoption of mobile so as to shift transactions away from more-expensive channels, the replacement technology has to be just as easy to use.
Mobile banking access through a WAP-enabled browser is still commonly supported by some of the largest banks and credit unions, observes Mercator's O'Brien. The problem with the browser approach is that its security depends heavily on the network being used and on whether the session is protected end to end. If the user communicates directly through a cell phone tower, that's probably safe enough. But if someone has enabled WiFi and visits a bank website through a public hotspot, personal information can be captured through a "man-in-the-middle" attack unless every part of the session runs over HTTPS and the browser properly validates the server's certificate.
“On an open network, someone may be able to intercept the communication and then make it appear that they are a legitimate process to the other side,” explains O’Brien. “Be aware of basic mobile phone protocol – don’t use an unsecured network in a retail store or a restaurant to access private information.”
Banks are far more capable of controlling the end-to-end session through a custom-developed, downloadable mobile application. Even so, downloading an application involves its own potential pitfalls. Aite Group’s Julie Conroy-McNelley spoke with a financial institution that, in a single 30-day period, requested the removal of over 200 rogue apps from one of the app stores.
That’s why it’s not enough to just provide an app to customers. Financial institutions also have to train those customers on how to find and download the correct app. “Make sure you download your banking apps from trusted sources,” advises Conroy-McNelley to bank customers. “Go to your bank’s website. If they have a mobile app, it’ll be available from there.”
Once the real application has been installed, the periodic application update process ensures that customers have the most current levels of protection. The mobile application can also enforce best practices in security, such as refusing to store passwords on the device or disabling outdated versions of the application after a given time has elapsed, so that customers cannot keep running a build with known weaknesses.
A one-time passcode proves that the user holds a second factor, so a thief who has captured someone's static password still cannot complete the transaction with that password alone.
One-time passcodes work well for PC users. For example, if you're doing something potentially risky on a bank's website, you might be stopped from proceeding until you enter a special code, which you can choose to receive through an "out-of-band" phone call or via email. This works because even a completely hacked browser would have trouble answering the phone or reading your email.
By comparison, the principle of using a separate channel for distributing a one-time passcode is violated in the case of mobile devices. A single smartphone may act as the hub for voice calls, SMS messages, emails, browser sessions and mobile banking sessions. Therefore, if a smartphone has been severely compromised, the one-time password could also be intercepted along with the banking session.
For commercial clients and high-net-worth individuals in the U.S., a common approach for banks is the distribution of separate devices capable of generating one-time passcodes. The user may have to authenticate with the device using a smartcard or PIN in order to generate a one-time passcode, or “token.”
Although non-U.S. banks have gone down this road for retail banking customers, it has yet to catch on domestically. “In the U.S. it’s seen as an inconvenience,” says Forrester’s Eve Maler. “In other places it’s seen as a status symbol – or it could turn around and make you a kidnapping target.”
Given the challenge of finding a suitable out-of-band authentication method for a mass market, financial institutions are turning to various solutions that may use the existing device, but in intelligent ways that make it difficult for attackers to intervene. "There are clever solutions out there with interesting security properties and ancillary use cases," says Maler.
4. Device-Level Protection: Dusting for Device Fingerprints
Banks and their service providers are under competitive pressure to develop applications for all of the major mobile ecosystems.
The good news is that making cross-platform mobile applications has gotten slightly easier over the short history of mobile web development. “A few years ago financial institutions would have to perform integration for each platform,” says Mercator’s O’Brien. “Now, apps are being written to a platform level, where if you write for one, you can extend it with some minor adjustments to another.” The bad news is that you still have to customize security for each platform, and the approaches you need to take will be much different than what works on the website.
Banking sites on the Web commonly create unique device identification tokens for each computer that accesses the site. By doing so, the website can detect whether a customer is logging in using a PC not seen before. If so, the site may require answers to additional challenge questions or auxiliary authentication using an out-of-band channel.
However, the absence of Flash on Apple iOS makes this technique much harder to accomplish. “It’s extremely difficult to generate a reliable device identification token on an iPhone, because the browser and the environment will not let you access anything deeper into iOS, such as screen resolution, installed software, installed fonts, time zones and various other things that are normally invisible to the user,” says Forrester’s Cser. “The iPhone is more secure, but it also represents a big headache when trying to develop a device fingerprint.”
Purportedly to protect the privacy of users from third-party ad networks, Apple’s security practices have had unintended consequences. “Some things that are very effective for fraud prevention are not possible, by technology or by policy, in mobile,” says Aite’s Conroy-McNelley. “There are other unique properties associated with mobile devices, but it requires app makers to get closer to the telecom providers.”
By contrast, the Android ecosystem allows Flash, and therefore supports unique device identification tokens for user device fingerprinting. However, with Android there are fewer policy restrictions for available apps. “It’s so open and so popular that it has become an attractive target for malware,” says Conroy-McNelley. “Apple has a safer environment at this point in time, but it doesn’t mean that someone who’s using an iPhone should feel that they’re immune from malware.”
One thing that banks are generally able to detect is whether the user has a jailbroken iPhone; in other words, if they have gained root access in order to install applications and services other than from the Apple App Store. “It’s a lot harder to secure a jailbroken iPhone or an Android phone,” says Cser. “If you want to secure it you have to install some sandboxes or additional software, which your customers may not tolerate or like at all.”
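To make the device-token scheme of the preceding paragraphs concrete, here is an added example (not code from the report or from any fraud-prevention vendor) of the server side: a token is derived from whatever attributes the client reports, unseen tokens trigger step-up, and a token built from too few attributes is treated as unreliable, which is the iOS problem the analysts describe in practical terms, since two devices of the same model then collapse to the same token. The attribute names, the minimum-attribute rule and the per-site key are assumptions. Unlike the earlier risk-scoring example, which consumed a device identifier, this one shows where that identifier comes from.

```python
"""Server-side device fingerprint token: an added illustration, not code
from the report.  Attribute names and thresholds are assumptions; the
per-site key is a constructed value."""
import hashlib
import hmac
import json

# Attributes the server would like the client to report.  A sparse client
# (the iOS browser case in the text) supplies only a few of them.
ATTRIBUTES = ("user_agent", "screen", "timezone", "language", "fonts", "plugins")
MIN_ATTRIBUTES = 4                        # below this the token is unreliable

SITE_KEY = b"constructed-per-site-key"    # keeps tokens unlinkable across sites


def fingerprint(reported: dict):
    """Return (token, reliable).  The token is an HMAC over the canonical
    (sorted, compact JSON) form of the attributes actually present."""
    present = {k: reported[k] for k in ATTRIBUTES if reported.get(k)}
    canon = json.dumps(present, sort_keys=True, separators=(",", ":")).encode()
    token = hmac.new(SITE_KEY, canon, hashlib.sha256).hexdigest()
    return token, len(present) >= MIN_ATTRIBUTES


class DeviceRegistry:
    """Known tokens per customer; decides whether a login needs step-up."""

    def __init__(self):
        self.known = {}                   # customer_id -> set of tokens

    def check_login(self, customer_id: str, reported: dict):
        token, reliable = fingerprint(reported)
        if not reliable:
            return "step_up", "fingerprint too sparse to trust"
        if token in self.known.get(customer_id, set()):
            return "allow", "known device"
        return "step_up", "new device"

    def enroll(self, customer_id: str, reported: dict) -> bool:
        """Call only after out-of-band confirmation succeeds.  Refuses to
        enroll a token that would match many unrelated devices."""
        token, reliable = fingerprint(reported)
        if reliable:
            self.known.setdefault(customer_id, set()).add(token)
        return reliable


# Constructed sample clients.
DESKTOP = {
    "user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/12.0",
    "screen": "1920x1080", "timezone": "-300", "language": "en-US",
    "fonts": "Arial,Calibri,Verdana", "plugins": "Flash 11.2",
}
DESKTOP_OTHER = dict(DESKTOP, fonts="Arial,Verdana")
# Two different iPhones of the same model in the same time zone report the
# same sparse set; the "ip" key is ignored because it is not in ATTRIBUTES.
IOS_SAFARI_1 = {"user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 5_1) Safari",
                "screen": "640x960", "timezone": "-300", "ip": "203.0.113.5"}
IOS_SAFARI_2 = dict(IOS_SAFARI_1, ip="198.51.100.9")


if __name__ == "__main__":
    reg = DeviceRegistry()
    print(reg.check_login("cust-1", DESKTOP))
    reg.enroll("cust-1", DESKTOP)
    print(reg.check_login("cust-1", DESKTOP))
    print(reg.check_login("cust-1", IOS_SAFARI_1))
    print("iPhones collide:", fingerprint(IOS_SAFARI_1)[0] == fingerprint(IOS_SAFARI_2)[0])
```

The consequence for a sparse platform is that the token alone can never move a login to "allow", so the bank has to lean on other signals for those customers, which is the point behind Conroy-McNelley's remark about getting closer to the telecom providers.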
Banks aren't the only ones interested in having secure applications. In fact, they're not even alone in deploying secure applications for payments and mobile wallets. To serve this expanding market, mobile operators and device manufacturers are likely to attempt to differentiate their offerings through their respective security models.
Accordingly, a proliferation of new form factors that accentuate security and privacy is likely. This trend should afford financial institutions with an opportunity to forge useful new partnerships.
Already, some customers can order devices with security software pre-installed or available through a six-month free trial. “Network operators and handset manufacturers are enabling people to download and install security software to police and monitor their handsets to ensure there isn’t any snooping,” says ABI Research’s John Devlin. “A relatively small proportion of phones have that.”
Banks might extend upon the pre-installation approach by having their own mobile applications pre-installed on new smartphones. These applications may work in concert with other new technologies that bolster smartphone security at the device level. “There are moves from various hardware and semiconductor companies to improve security by creating a trusted execution environment,” says Devlin. “You can create closed areas on the processor that can prevent other software applications from being able to access, spy, or report on any data that’s happening in those secure applications, effectively putting in a firewall.”
Phones designed and built according to the NFC (Near Field Communication) standard can also ratchet up security by communicating with a separate token device, such as an NFC-enabled smart card, for an added layer of out-of-band communication. These phones would be capable of working with various point-of-sale schemes involving NFC, and banks would certainly have an interest in being involved in those transactions as well. Furthermore, the same security that governs the NFC chip would also be extremely useful for servicing the current generation of mobile banking applications.
Mobile security and fraud prevention are often considered to be check-the-box compliance topics. The above discussion should make it entirely evident that a perfunctory approach to regulatory compliance is the wrong way to proceed. The fast-moving technologies, alliances and competitors in the mobile banking market will require bank executives to make careful strategic decisions on capital allocation, resource deployment and business partnerships.
As a recommendation, it would be simple to list the five security options with the suggestion that banks go to the limit with all of them. However, that’s not a viable option for resource-constrained financial institutions, which will more likely make trade-offs and place bets as to how to allocate security budgets across these five technically challenging security areas.
Some banks may decide to bet on the most sophisticated multi-channel, back-end risk-based authentication in the marketplace, with the intention of putting their mobile banking application on every handheld device in the marketplace. Others may decide to place a bold platform bet on the security capabilities of a specific operating system, allowing them to meet regulatory requirements for risk-based authentication while focusing on the mobile OS or the hardware. Still others might make a play to be the bank of the future, implementing the most forward-looking biometric technologies on the most cutting-edge device in the marketplace.
The reality is that most banks don’t have unlimited funds, manpower, or time to implement across multiple technologies with the entire range of security protections. Each institution must decide what it wants its mobile business to be and then design a roadmap to get there.
The key recommendation: Go slowly and choose wisely.