08:26 AM
Ivan Schneider

5 Critical Strategies for Mobile Banking Security

To the best of their ability, banks need to ensure that their services are available and secured within any mobile phone configuration. Because absolute security is nearly impossible to attain in the mobile world, banks’ back-end systems have to be prepared to detect anomalies and fraudulent activity in the event that a front-end channel has been compromised.


One-time passwords can give users a unique code that signals to the bank that they’re not thieves who’ve grabbed hold of someone’s password.

One-time passcodes work great for PC users. For example, if you’re doing something potentially risky on a bank’s website, you might be stopped from proceeding until you enter a special code, which you can choose to receive through an “out-of-band” phone call or via email. This works well because even a completely hacked browser might have trouble answering the phone or reading your email.

By comparison, the principle of using a separate channel for distributing a one-time passcode is violated in the case of mobile devices. A single smartphone may act as the hub for voice calls, SMS messages, emails, browser sessions and mobile banking sessions. Therefore, if a smartphone has been severely compromised, the one-time password could also be intercepted along with the banking session.

For commercial clients and high-net-worth individuals in the U.S., a common approach for banks is the distribution of separate devices capable of generating one-time passcodes. The user may have to authenticate with the device using a smartcard or PIN in order to generate a one-time passcode, or “token.”

Although non-U.S. banks have gone down this road for retail banking customers, it has yet to catch on domestically. “In the U.S. it’s seen as an inconvenience,” says Forrester’s Eve Maler. “In other places it’s seen as a status symbol – or it could turn around and make you a kidnapping target.”

Given the challenge of finding a suitable out-of-band authentication method for a mass market, financial institutions are turning to various solutions that may use the existing device but in intelligent ways that make it difficult for attackers to intervene. “There are clever solutions out there with interesting security properties and ancillary use cases,” says Maler.

[Next: 4. Device-Level Protection: Dusting for Device Fingerprints]

Comments
pjauregui,
User Rank: Apprentice
12/12/2013 | 4:15:56 PM
re: 5 Critical Strategies for Mobile Banking Security
Mobile developers still need to play their part by building and maintaining secure mobile banking apps.

Results from a recent study reveal that 8 out of 10 mobile banking apps contain build and configuration setting weaknesses. While the issues identified are merely informational in terms of risk, they do provide insight into the state of mobile development practices among leading megabanks, regional banks, and credit unions; in short, basic security best practices are not being followed.

Download full report: http://www.praetorian.com/prom...
Natalie McCaughin,
User Rank: Apprentice
3/8/2013 | 10:00:36 PM
re: 5 Critical Strategies for Mobile Banking Security
I think people have become really comfortable purchasing online and assuming companies are providing some level of protection. As a consumer, it's important to remember that your online security is sometimes not in your control - I was reading this blog and it was an interesting read on how to protect yourself even if you have been hacked: http://blogs.mcafee.com/consum...
Rock_Star,
User Rank: Apprentice
7/25/2012 | 3:40:23 PM
re: 5 Critical Strategies for Mobile Banking Security
I depend a lot on shopping online and have always been concerned about the risk of exposing my credit card information. A must have is asking users to telesign in to complete a transaction by using 2FA. I am not sure why not all companies use this, in fact I feel suspicious when an online store doesn't ask me to telesign in, now it just feels as if they are not offering enough protection.