08:26 AM
Ivan Schneider

5 Critical Strategies for Mobile Banking Security

To the best of their ability, banks need to ensure that their services are available and secured within any mobile phone configuration. Because absolute security is nearly impossible to attain in the mobile world, banks’ back-end systems have to be prepared to detect anomalies and fraudulent activity in the event that a front-end channel has been compromised.


Banks and their service providers are under competitive pressure to develop applications for all of the major mobile ecosystems.

The good news is that making cross-platform mobile applications has gotten slightly easier over the short history of mobile web development. “A few years ago financial institutions would have to perform integration for each platform,” says Mercator’s O’Brien. “Now, apps are being written to a platform level, where if you write for one, you can extend it with some minor adjustments to another.” The bad news is that you still have to customize security for each platform, and the approaches you need to take will be much different than what works on the website.

Banking sites on the Web commonly create unique device identification tokens for each computer that accesses the site. By doing so, the website can detect whether a customer is logging in using a PC not seen before. If so, the site may require answers to additional challenge questions or auxiliary authentication using an out-of-band channel.
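The new-device check described above, sketched server-side as an added example (not code from the article or from any bank's system). The function names, the demo key, the `device_id.mac` token format and the in-memory device registry are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed demo key; a real deployment would load this from a secrets manager.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def _mac(customer_id: str, device_id: str) -> str:
    # Bind the device ID to one customer so a token cannot be replayed on another account.
    msg = f"{customer_id}:{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_device_token(customer_id: str, token: Optional[str]) -> Optional[str]:
    """Return the device ID if the token is authentic for this customer, else None."""
    if not token or token.count(".") != 1:
        return None
    device_id, mac = token.split(".")
    if hmac.compare_digest(mac, _mac(customer_id, device_id)):
        return device_id
    return None


def login_decision(customer_id: str, token: Optional[str], known_devices: dict) -> str:
    """Run after the password check: allow a recognized device, otherwise step up."""
    device_id = verify_device_token(customer_id, token)
    if device_id and device_id in known_devices.get(customer_id, set()):
        return "allow"
    # Unseen, forged or revoked device: challenge questions or out-of-band confirmation.
    return "step_up"


def enroll_after_step_up(customer_id: str, known_devices: dict) -> str:
    """Once step-up succeeds, register a fresh random device ID and return its token."""
    device_id = secrets.token_hex(16)
    known_devices.setdefault(customer_id, set()).add(device_id)
    return f"{device_id}.{_mac(customer_id, device_id)}"
```

The token would be stored on the device (for example as a long-lived cookie) and presented at each login; removing a device ID from the registry forces that device back through step-up.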

However, the absence of Flash on Apple iOS makes this technique much harder to accomplish. “It’s extremely difficult to generate a reliable device identification token on an iPhone, because the browser and the environment will not let you access anything deeper into iOS, such as screen resolution, installed software, installed fonts, time zones and various other things that are normally invisible to the user,” says Forrester’s Cser. “The iPhone is more secure, but it also represents a big headache when trying to develop a device fingerprint.”

Purportedly to protect the privacy of users from third-party ad networks, Apple’s security practices have had unintended consequences. “Some things that are very effective for fraud prevention are not possible, by technology or by policy, in mobile,” says Aite’s Conroy-McNelley. “There are other unique properties associated with mobile devices, but it requires app makers to get closer to the telecom providers.”

By contrast, the Android ecosystem allows Flash, and therefore supports unique device identification tokens for user device fingerprinting. However, with Android there are fewer policy restrictions for available apps. “It’s so open and so popular that it has become an attractive target for malware,” says Conroy-McNelley. “Apple has a safer environment at this point in time, but it doesn’t mean that someone who’s using an iPhone should feel that they’re immune from malware.”

One thing that banks are generally able to detect is whether the user has a jailbroken iPhone; in other words, if they have gained root access in order to install applications and services other than from the Apple App Store. “It’s a lot harder to secure a jailbroken iPhone or an Android phone,” says Cser. “If you want to secure it you have to install some sandboxes or additional software, which your customers may not tolerate or like at all.”

[Next: 5. Defense-Minded Devices: Building a Better Data Fortress]

Comments
pjauregui
User Rank: Apprentice
12/12/2013 | 4:15:56 PM
re: 5 Critical Strategies for Mobile Banking Security
Mobile developers still need to play their part by building and maintaining secure mobile banking apps.

Results from a recent study reveal that 8 out of 10 mobile banking apps contain build and configuration setting weaknesses. While the issues identified are merely informational in terms of risk, they do provide insight into the state of mobile development practices among leading megabanks, regional banks, and credit unions; in short, basic security best practices are not being followed.

Download full report: http://www.praetorian.com/prom...
Natalie McCaughin
User Rank: Apprentice
3/8/2013 | 10:00:36 PM
re: 5 Critical Strategies for Mobile Banking Security
I think people have become really comfortable purchasing online and assuming companies are providing some level of protection. As a consumer, it's important to remember that your online security is sometimes not in your control - I was reading this blog and it was an interesting read on how to protect yourself even if you have been hacked: http://blogs.mcafee.com/consum...
Rock_Star
User Rank: Apprentice
7/25/2012 | 3:40:23 PM
re: 5 Critical Strategies for Mobile Banking Security
I depend a lot on shopping online and have always been concerned about the risk of exposing my credit card information. A must have is asking users to telesign in to complete a transaction by using 2FA. I am not sure why not all companies use this, in fact I feel suspicious when an online store doesn't ask me to telesign in, now it just feels as if they are not offering enough protection.