5 Critical Strategies for Mobile Banking Security
By 2013, one-third of mobile phone users are expected to use mobile banking services. Already, one out of five Americans accesses financial information through a mobile phone, according to March 2012 research conducted by the Federal Reserve Board’s Division of Consumer and Community Affairs.
Yet the increasing use of mobile financial services has been accompanied by increased risk. According to Javelin Strategy’s 2012 Identity Fraud Report, smartphone owners are one-third more likely to have been victims of identity fraud in the past year. In part, these wounds are self-inflicted by smartphone owners who use outdated software, fail to use a home screen password or, most disturbingly, store their passwords as plain text on their mobile devices. The most advanced password protection in the world is no protection against someone who insists on saving his or her login details on an unprotected notebook page. It’s the mobile version of writing your password on a Post-It note attached to your monitor, made worse by the ease of losing a mobile device.
Because regulations generally protect consumers from monetary loss in the case of online fraud, it’s not surprising that industry leaders say that they’re more concerned about fraud than their customers are. In a 2011 KPMG survey of business leaders in the financial services, technology, telecom and retail industries, security was viewed as the chief obstacle to the development of mobile payments strategies. By contrast, the same respondents believe consumers are much more interested in convenience, accessibility and ease of use.
Banks have to get both parts right. Mobile devices are designed for usability, with pared-down user interfaces and input options. Customers expect ease of use and seamless operation, and these factors have to be combined with effective security practices that maintain competitive parity with industry peers while meeting or exceeding regulatory requirements.
As more customers take to the mobile channel to perform higher-value activities, the threat of fraud increases. “Phones are little computers, facing the same malware threat that exists online,” says Julie Conroy-McNelley, research director for Aite Group’s retail banking practice. “Banks are very aggressively pushing higher-risk functionality out to mobile and tablet devices, and the fraud will follow.”
A truly comprehensive approach to mobile security involves security measures at up to five different points:
— The back end, with risk-based authentication and anomaly detection that examine requests for unusual or unexpected activity
— The application itself, which can contain multiple security features
— Out-of-band authentication, which relies on a separate device rather than just the smartphone itself
— The mobile operating system, which may offer security-oriented characteristics and settings
— The hardware, which might include layers of security beyond what a mobile OS can offer by itself
Based on interviews with leading industry analysts from Forrester Research, Mercator Advisory Group, Aite Group and ABI Research, this special report reviews the state of the art and discusses promising avenues for development for each of these five areas. The rapid pace of growth in the mobile banking and payments industries, combined with the threat of fraud, points to likely innovation at each of these levels, turning today’s R&D into tomorrow’s reality.