Security has been on everyone’s mind since last year’s data breaches focused public attention on cyber security. With more online and banking activity moving to the mobile channel, banks are going to have to address new threats and challenges unique to mobile. Jim Pitts, senior product manager at BITS, and one of the experts who will be speaking at Bank Systems & Technology’s Mobile Disruption Forum in May, recently gave us some of his insights on how banks should be responding to those threats and challenges.
BS&T: What do you see as the biggest threats with both consumers and employees that banks are facing?
Pitts: We did a research project in 2011 defining and assessing the risks in mobile. I think many of those risks are still the same today. We came up with a total of 13 categories. One of the big ones was mobile malware that can be delivered through rogue apps. Some larger institutions have been affected by this. There are thousands of app stores globally, and many of them are unregulated, giving the bad guys the opportunity to put out false apps that imply that they’re linked to a big bank. I say it’s like if Walmart put boxes of Tide on their shelves that actually damaged clothes -- with Procter & Gamble’s logo on them -- then Procter & Gamble wouldn’t let them do it.
Then we looked at BYOD in 2012 and came up with four or five main threats. Some of them are similar to the threats on the consumer side, like malware. Others are unique to employee use of mobile devices, like the popularity of cloud, transmission in the clear and intruders gaining access to the enterprise through the device.
BS&T: How aware do you think customers and employees are of these threats?
Pitts: There’s a commercial on TV where there’s an auto accident, and the tagline is “humans are difficult to live with.” We can’t educate these threats away. We’re going to have different pockets of consumers, and some are going to be difficult to work with. I think we do a good job with employee policies, and with educating them. But consumers expect the banks and technology innovators to handle these problems. They know when they get a strange email they shouldn’t open, but it’s difficult for them to keep up with attacks.
One of the rules that we advocate is to assume that every device you work with is compromised, because there are some people who just aren’t going to be conscientious.
BS&T: How will the way that banks have to respond to threats change as more online activity and transactions shift to mobile?
Pitts: The top banks are very proficient at controlling fraud attacks. A lot of it is about the process of constant analysis and staying ahead of the curve. In mobile, about 80% of it is to keep doing what you’re already doing in online security. Then there’s the other 20% that is unique to mobile. There are new challenges and opportunities in authentication with mobile. We’re paying a lot of attention to those opportunities, but it’s important not to underestimate what we’ve already learned.
BS&T: What are some of the things that banks should be doing to address threats both on the employee side and the consumer?
Pitts: On the employee side, a lot of it is doing the same stuff that many banks are already doing: putting employee agreements in place, and educating them about policies. Use restrictions when needed; you might want to restrict certain devices based on business priorities, and the type of device or operating system. You might restrict certain apps, or you may have an open policy. Security measures like device management, remote wipe and containers need to be applied according to the policy.
On the consumer side, we have a process where we assess risk and that’s something that each financial institution should be doing based on its product offerings. If you see an attack, you need to analyze and learn from it. We have an analysis process that we recommend to our members.
We’re also 110% engaged looking at authentication. We have 400 individuals from 70 institutions working on authentication and ways to do that better with mobile.
BS&T: What do you see as the biggest challenge in implementing some of these measures for better security in mobile?
Pitts: The biggest challenge that I see, and this is my own subjective opinion, is the velocity of change in mobile offerings. In the past you could fine-tune things for decades. Now you don’t have the time to do that and it can be a struggle staying ahead of the curve.
Interested in learning more about the security threats and opportunities unique to mobile? Pitts and other industry experts will be speaking more in-depth on Making Sense of Mobile Security at the Mobile Disruption Forum in New York City on May 14.
Jonathan Camhi has been an associate editor with Bank Systems & Technology since 2012. He previously worked as a freelance journalist in New York City covering politics, health and immigration, and has a master's degree from the City University of New York's Graduate School ...