Improving Security In the Fast-Paced World of Mobile

Looking at the biggest threats banks face in mobile with BITS’ security expert Jim Pitts.

Security has been on everyone’s mind since last year’s data breaches focused public attention on cyber security. With more online and banking activity moving to the mobile channel, banks are going to have to address new threats and challenges unique to mobile. Jim Pitts, senior product manager at BITS, and one of the experts who will be speaking at Bank Systems & Technology’s Mobile Disruption Forum in May, recently gave us some of his insights on how banks should be responding to those threats and challenges.

BS&T: What do you see as the biggest threats with both consumers and employees that banks are facing?

Pitts: We did a research project looking in 2011 defining and assessing the risks in mobile. I think many of those risks are still the same today. We came up with a total of 13 categories. One of the big ones was mobile malware that can be delivered through rogue apps. Some larger institutions have been affected by this. There are thousands of app stores globally, and many of them are unregulated, giving the bad guys the opportunity to put out false apps that imply that they’re linked to a big bank. I say it’s like if Walmart put boxes of Tide on their shelves that actually damaged clothes -- with Procter & Gamble’s logo on them -- then Procter & Gamble wouldn’t let them do it.

Jim Pitts, BITS

Then we looked at BYOD in 2012 and came up with four or five main threats. Some of them are similar to the threats on the consumer side, like malware. Others are unique to employee use of mobile devices, like the popularity of cloud, transmission in the clear and intruders gaining access to the enterprise through the device.

BS&T: How aware do you think customers and employees are of these threats?

Pitts: There’s a commercial on TV where there’s an auto accident, and the tagline is “humans are difficult to live with.” We can’t educate these threats away. We’re going to have different pockets of consumers, and some are going to be difficult to work with. I think we do a good job with employee policies, and with educating them. But consumers expect the banks and technology innovators to handle these problems. They know when they get a strange email they shouldn’t open, but it’s difficult for them to keep up with attacks.

One of the rules that we advocate is to assume that every device you work with is compromised, because there are some people who just aren’t going to be conscientious.

BS&T: How will the way that banks have to respond to threats change as more online activity and transactions shift to mobile?

Pitts: The top banks are very proficient at controlling fraud attacks. A lot of it is about the process of constant analysis and staying ahead of the curve. In mobile, about 80% of it is to keep doing what you’re already doing in online security. Then there’s the other 20% that is unique to mobile. There are new challenges and opportunities in authentication with mobile. We’re paying a lot of attention to those opportunities, but it’s important not to underestimate what we’ve already learned.

BS&T: What are some of the things that banks should be doing to address threats both on the employee side and the consumer?

Pitts: On the employee side, a lot of it is doing the same stuff that many banks are already doing: putting employee agreements in place, and educating them about policies. Use restrictions when needed; you might want to restrict certain devices based on business priorities, and the type of device or operating system. You might restrict certain apps, or you may have an open policy. Security measures like device management, remote wipe and containers need to be applied according to the policy.

On the consumer side, we have a process where we assess risk and that’s something that each financial institution should be doing based on its product offerings. If you see an attack, you need to analyze and learn from it. We have an analysis process that we recommend to our members.

We’re also 110% engaged looking at authentication. We have 400 individuals from 70 institutions working on authentication and ways to do that better with mobile.

BS&T: What do you see as the biggest challenge in implementing some of these measures for better security in mobile?

Pitts: The biggest challenge that I see, and this is my own subjective opinion, is the velocity of change in mobile offerings. In the past you could fine-tune things for decades. Now you don’t have the time to do that and it can be a struggle staying ahead of the curve.

Interested in learning more about the security threats and opportunities unique to mobile? Pitts and other industry experts will be speaking more in-depth on Making Sense of Mobile Security at the Mobile Disruption Forum in New York City on May 14.

Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...

Comments
Jonathan_Camhi
User Rank: Author
4/28/2014 | 8:56:55 PM
re: Improving Security In the Fast-Paced World of Mobile
That kind of attitude definitely shows that customers' views around security and fraud are evolving.
Kelly22
User Rank: Author
4/28/2014 | 7:29:29 PM
re: Improving Security In the Fast-Paced World of Mobile
Same here - when I charged a few Christmas presents last year my bank was quick to call and verify that I made them (I rarely use my credit card). I'd definitely rather get those calls than learn about a fraudulent charge after it appears on my account.
Nathan Golia
User Rank: Author
4/27/2014 | 7:55:55 PM
re: Improving Security In the Fast-Paced World of Mobile
I agree that the top banks are doing a good job proactively identifying fraud. Sometimes, my top 5 bank shuts down my card for no reason at all while I'm on a trip if I run off too many consecutive charges. That's frustrating, but it's worth it considering the three times last year that my wife or I had true fraudulent charges.
Jonathan_Camhi
User Rank: Author
4/16/2014 | 7:36:30 PM
re: Improving Security In the Fast-Paced World of Mobile
We're just starting to see the impact of attacks in mobile, and it's something that banks are still learning their way through. So until banks have more experience with the unique challenges and threats in mobile, I think treating every device as if it were compromised is pretty good advice.
KBurger
User Rank: Strategist
4/16/2014 | 5:17:22 PM
re: Improving Security In the Fast-Paced World of Mobile
Very interesting insights from Jim, especially the thinking on "assume every device is compromised" -- that's probably the only way to get consumers, employees and management to adopt and consistently practice appropriate security procedures. Banks clearly cannot push the burden of compliance to their customers (consumer or corporate) -- that simply is not realistic. It will be interesting to get more of Jim's thoughts on what banks should be doing to address mobile security, and BITS's role in that at the May 14 Mobile Disruption Forum http://www.mobilityinbanking.b...