08:26 AM
Ivan Schneider

5 Critical Strategies for Mobile Banking Security

To the best of their ability, banks need to ensure that their services are available and secured within any mobile phone configuration. Because absolute security is nearly impossible to attain in the mobile world, banks’ back-end systems have to be prepared to detect anomalies and fraudulent activity in the event that a front-end channel has been compromised.

If a customer were to walk into the branch and ask to withdraw an entire account’s balance, a bank employee would probably ask why. A similar response should hold no matter which channel is being used, with remote channels triggering investigations at a much lower threshold than in-person channels.

Indeed, a bank should calibrate its response to a remote request based on the typical behavior for that customer and on the expected behavior for similar customers. Typical, low-risk transactions should sail through, while atypical, high-risk transactions should be flagged for further review and confirmation with the customer through a separate channel, such as a home phone or email account.

That’s the promised benefit of risk-based authentication (RBA), the cornerstone of security for the modern multi-channel financial institution. “How do we add more security with usability? The easiest way is to silently observe the transactions,” says Eve Maler, principal analyst for security and risk at Forrester Research. “It’s becoming par for the course for financial institutions.”

The move to RBA is driven in part by FFIEC guidelines calling for a multilayered approach to security. However, the benefit goes beyond regulatory compliance in that the technique works extremely well without requiring extreme measures on the application or device side.

The RBA approach is well-established outside of financial services. For example, e-commerce vendors that also depend upon usernames and passwords mitigate their risk with a heavy dose of RBA. “Merchants need to make things easy for consumers,” says Maler. “I’ve never changed my Amazon or PayPal passwords, and they don’t make me change because they’re hardly using those passwords. Instead, they’re using the back-end observational details.”

Security experts describe multifactor authentication as comprising three elements:

— Something you know, like a password

— Something you have, like a one-time-password generator

— Something you are, via a biometric identifier such as a fingerprint or iris scan

RBA can be considered a fourth layer of multifactor authentication by capturing the essence of what you do, suggests Maler. “It’s the booster shot that we need to apply so that we can step up the level of authentication,” she says.

An important question for banks is where to apply the RBA booster shot. Edward O’Brien, director of the banking channels advisory service for Mercator Advisory Group, recommends that banks capture the business logic for risk analytics in the back-end core banking solution. “If the core banking system has the main business rules, it won’t matter if the customer’s going through the ATM, mobile or branch,” says O’Brien. “If something seems out of sync or if there’s an issue to address, anomaly detection analytics can decide whether to call the person or to put a hold on the account.”

“It makes perfect sense to include these rules in the core banking system,” adds O’Brien. “If you have multiple attacks occurring simultaneously through multiple channels, the core system should have the business rules to respond.”
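The sketch below is an added example, not code from the article or from any vendor it quotes. It shows one way a core-side, channel-agnostic rule could score a request against the customer's own history (falling back to similar customers when there is too little of it) and apply a lower review threshold to remote channels than to the branch. All thresholds, channel names and sample amounts are constructed assumptions.

```python
from statistics import mean, pstdev

# Assumed review thresholds, in standard deviations above the baseline.
# Remote channels trigger review far earlier than an in-person visit.
REVIEW_THRESHOLD = {"branch": 6.0, "atm": 3.0, "mobile": 2.5, "online": 2.5}
HOLD_MULTIPLIER = 2.0   # this many times over the threshold puts a hold on
MIN_HISTORY = 3         # fewer own transactions: use the peer baseline
DRAIN_FRACTION = 0.9    # near-total withdrawals are always confirmed


def deviation(amount, history):
    """Standard deviations by which `amount` exceeds the history mean."""
    if len(history) < 2:
        return float("inf")          # no baseline at all: maximally unusual
    spread = pstdev(history) or 1.0  # flat history would divide by zero
    return max(0.0, (amount - mean(history)) / spread)


def assess(amount, balance, channel, own_history, peer_history):
    """Return 'allow', 'confirm_out_of_band' or 'hold' for one request.

    The same rule runs whatever the channel; only the threshold differs.
    """
    if channel not in REVIEW_THRESHOLD:
        return "hold"                # unknown channel: fail closed
    baseline = own_history if len(own_history) >= MIN_HISTORY else peer_history
    score = deviation(amount, baseline)
    threshold = REVIEW_THRESHOLD[channel]
    if score >= threshold * HOLD_MULTIPLIER:
        return "hold"
    if score >= threshold or amount >= DRAIN_FRACTION * balance:
        return "confirm_out_of_band"  # e.g. call the home phone on file
    return "allow"


# Constructed sample data: one customer's past amounts and a peer group's.
OWN = [40, 55, 60, 45, 50]
PEERS = [20, 40, 60, 80]

if __name__ == "__main__":
    for amount, balance, channel in [(65, 5000, "mobile"), (80, 5000, "mobile"),
                                     (80, 5000, "branch"), (5000, 5000, "mobile")]:
        print(amount, channel, assess(amount, balance, channel, OWN, PEERS))
```

The same 80-unit request is confirmed out of band on mobile but passes at the branch, which is the lower remote threshold described earlier in the article.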

[Next: 2. Mobile Applications: Adding Intelligence With a Simple Install]

Comments
pjauregui,
User Rank: Apprentice
12/12/2013 | 4:15:56 PM
re: 5 Critical Strategies for Mobile Banking Security
Mobile developers still need to play their part by building and maintaining secure mobile banking apps.

Results from a recent study reveal that 8 out of 10 mobile banking apps contain build and configuration setting weaknesses. While the issues identified are merely informational in terms of risk, they do provide insight into the state of mobile development practices among leading megabanks, regional banks, and credit unions. In short, basic security best practices are not being followed.

Download full report: http://www.praetorian.com/prom...
Natalie McCaughin,
User Rank: Apprentice
3/8/2013 | 10:00:36 PM
re: 5 Critical Strategies for Mobile Banking Security
I think people have become really comfortable purchasing online and assuming companies are providing some level of protection. As a consumer, it's important to remember that your online security is sometimes not in your control - I was reading this blog and it was an interesting read on how to protect yourself even if you have been hacked: http://blogs.mcafee.com/consum...
Rock_Star,
User Rank: Apprentice
7/25/2012 | 3:40:23 PM
re: 5 Critical Strategies for Mobile Banking Security
I depend a lot on shopping online and have always been concerned about the risk of exposing my credit card information. A must have is asking users to telesign in to complete a transaction by using 2FA. I am not sure why not all companies use this, in fact I feel suspicious when an online store doesn't ask me to telesign in, now it just feels as if they are not offering enough protection.