5 Critical Strategies for Mobile Banking Security

To the best of their ability, banks need to ensure that their services are available and secured within any mobile phone configuration. Because absolute security is nearly impossible to attain in the mobile world, banks’ back-end systems have to be prepared to detect anomalies and fraudulent activity in the event that a front-end channel has been compromised.
July 20, 2012

2. Mobile Applications: Adding Intelligence With a Simple Install


Increasingly, downloaded mobile apps have become the primary mobile interface between financial institutions and their customers. Still, older approaches remain in wide use. Prior to the runaway success of the iOS-powered Apple iPhone, non-Apple customers tended to use either SMS messaging for simple informational requests or the built-in WAP mobile browser, which is capable of rendering PC-oriented websites for smaller mobile screens.

SMS text messaging offers only limited capabilities for mobile banking, due to the asynchronous communication mode and restricted character count per message. Accordingly, SMS is best used for requests such as balance inquiries and finding the nearest ATM. However, balance inquiries are the most common usage for mobile banking, according to the Fed study cited in the introduction. If financial institutions hope to drive further adoption of mobile so as to shift transactions away from more-expensive channels, the replacement technology has to be just as easy to use.

[Five Bank Security Trends Shaping the Future of Fraud Fighting.]

Mobile banking access through a WAP-enabled browser is still commonly supported by some of the largest banks and credit unions, observes Mercator’s O’Brien. The problem with the WAP approach is that browser security largely depends on the security of the network being used. If the user communicates directly through a cell phone tower, that’s probably safe enough. But if someone has enabled WiFi and visits a bank website through a public hotspot, personal information can be captured through a “man-in-the-middle” attack.

“On an open network, someone may be able to intercept the communication and then make it appear that they are a legitimate process to the other side,” explains O’Brien. “Be aware of basic mobile phone protocol – don’t use an unsecured network in a retail store or a restaurant to access private information.”

Banks are far more capable of controlling the end-to-end session through a custom-developed, downloadable mobile application. Even so, downloading an application involves its own potential pitfalls. Aite Group’s Julie Conroy-McNelley spoke with a financial institution that, in a single 30-day period, requested the removal of over 200 rogue apps from one of the app stores.

That’s why it’s not enough to just provide an app to customers. Financial institutions also have to train those customers on how to find and download the correct app. “Make sure you download your banking apps from trusted sources,” advises Conroy-McNelley to bank customers. “Go to your bank’s website. If they have a mobile app, it’ll be available from there.”

Once the real application has been installed, the periodic application update process ensures that customers have the most current levels of protection. The mobile application can also enforce best practices in security, such as preventing passwords from being stored in the application or by deprecating the functionality of the application after a given time has elapsed.

[Next: 3. Evolution of Out-of-Band Form Factors: One-Time Passwords]

Bank Systems & Technology encourages readers to engage in spirited, healthy debate, including taking us to task. However, Bank Systems & Technology moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Bank Systems & Technology further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 
< Previous1 2 3 4 5 6 7 8 Next > 

< Previous1 2 3 4 5 6 7 8 Next >