5 Critical Strategies for Mobile Banking Security
Ivan Schneider
2. Mobile Applications: Adding Intelligence With a Simple Install
Increasingly, downloaded mobile apps have become the primary mobile interface between financial institutions and their customers. Still, older approaches remain in wide use. Prior to the runaway success of the iOS-powered Apple iPhone, non-Apple customers tended to use either SMS messaging for simple informational requests or the built-in WAP mobile browser, which is capable of rendering PC-oriented websites for smaller mobile screens.
SMS text messaging offers only limited capabilities for mobile banking because the communication is asynchronous and each message is restricted to a small character count. Accordingly, SMS is best suited to simple requests such as balance inquiries and finding the nearest ATM. Balance inquiries are, however, the most common use of mobile banking, according to the Fed study cited in the introduction. If financial institutions hope to drive further adoption of mobile so as to shift transactions away from more expensive channels, the replacement technology has to be just as easy to use as SMS.
Mobile banking access through a WAP-enabled browser is still commonly supported by some of the largest banks and credit unions, observes Mercator’s O’Brien. The problem with the WAP approach is that browser security depends largely on the security of the network being used. If the user communicates directly through a cell phone tower, that is probably safe enough. But if someone has enabled WiFi and visits a bank website through a public hotspot, the operator of that hotspot sits between the phone and the bank, and personal information can be captured through a “man-in-the-middle” attack.
“On an open network, someone may be able to intercept the communication and then make it appear that they are a legitimate process to the other side,” explains O’Brien. “Be aware of basic mobile phone protocol – don’t use an unsecured network in a retail store or a restaurant to access private information.”
Banks are far more capable of controlling the end-to-end session through a custom-developed, downloadable mobile application. Even so, downloading an application involves its own potential pitfalls. Aite Group’s Julie Conroy-McNelley spoke with a financial institution that, in a single 30-day period, requested the removal of over 200 rogue apps from one of the app stores.
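The paragraph above makes the point that a bank-controlled app, unlike a generic WAP browser, can decide for itself which server certificate it will trust, which is the usual defense against an interposing hotspot. The following is an added Python example, not code from the article or from any bank named in it, showing certificate pinning layered on top of the standard chain and hostname checks: the app ships with the SHA-256 fingerprint of the bank's leaf certificate and refuses the session if the presented certificate does not match. The host name, pin values and certificate bytes are constructed placeholders so the check can be exercised offline.

```python
import hashlib
import hmac
import socket
import ssl


def compute_pin(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate. This is the value the app
    ships with (assumed here to be refreshed with each app update)."""
    return hashlib.sha256(der_cert).hexdigest()


def cert_matches_pin(der_cert: bytes, pins) -> bool:
    """True if the presented certificate hashes to one of the pinned values.
    hmac.compare_digest keeps the comparison constant-time."""
    digest = compute_pin(der_cert)
    return any(hmac.compare_digest(digest, pin) for pin in pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that (1) passes the standard chain and hostname
    checks and (2) presents a pinned leaf certificate. A hotspot that
    interposes its own certificate fails step 2 even if step 1 was
    satisfied, for example because a rogue root was installed on the phone."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus check_hostname
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not cert_matches_pin(der, pins):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"certificate presented for {host} does not match any pinned value")
    return tls


# --- constructed demonstration data (no network needed) ---------------------
# Stand-ins for DER-encoded certificates. Real DER begins with an ASN.1
# SEQUENCE header; for the hashing step any byte string behaves the same.
LEGIT_CERT_DER = b"constructed: bank leaf certificate bytes"
INTERPOSED_CERT_DER = b"constructed: hotspot-issued certificate bytes"
BANK_PINS = {compute_pin(LEGIT_CERT_DER)}  # what the app would ship with


def demo() -> dict:
    """Exercise the pin check against the genuine and the interposed cert."""
    return {
        "legit_accepted": cert_matches_pin(LEGIT_CERT_DER, BANK_PINS),
        "interposed_accepted": cert_matches_pin(INTERPOSED_CERT_DER, BANK_PINS),
    }


if __name__ == "__main__":
    print(demo())
    # connect_pinned("mobile.example-bank.invalid", 443, BANK_PINS) would be
    # the real call; the host name here is a placeholder and will not resolve.
```

The design point is that pinning is additive: `ssl.create_default_context()` still validates the chain and host name, and the pin check only ever narrows what is accepted. Pinning to the leaf certificate means the pin set must be updated before the bank rotates its certificate, which is one reason the periodic app update process matters; pinning to an intermediate or to the public key hash gives more rotation slack at the cost of a slightly wider trust set.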
That’s why it’s not enough to just provide an app to customers. Financial institutions also have to train those customers on how to find and download the correct app. “Make sure you download your banking apps from trusted sources,” advises Conroy-McNelley to bank customers. “Go to your bank’s website. If they have a mobile app, it’ll be available from there.”
Once the genuine application has been installed, the periodic application update process ensures that customers run the most current level of protection. The mobile application can also enforce security best practices, such as refusing to store passwords on the device or disabling its own functionality once a given period has elapsed, so that outdated versions cannot keep being used.