5 Critical Strategies for Mobile Banking Security

To the best of their ability, banks need to ensure that their services are available and secured within any mobile phone configuration. Because absolute security is nearly impossible to attain in the mobile world, banks’ back-end systems have to be prepared to detect anomalies and fraudulent activity in the event that a front-end channel has been compromised.
July 20, 2012

3. Evolution of Out-of-Band Form Factors: One-Time Passwords

One-time passwords can give users a unique code that signals to the bank that they’re not thieves who’ve grabbed hold of someone’s password.

One-time passcodes work great for PC users. For example, if you’re doing something potentially risky on a bank’s website, you might be stopped from proceeding until you enter a special code, which you can choose to receive through an “out-of-band” phone call or via email. This works well because even a completely hacked browser might have trouble answering the phone or reading your email.

By comparison, the principle of using a separate channel for distributing a one-time passcode is violated in the case of mobile devices. A single smartphone may act as the hub for voice calls, SMS messages, emails, browser sessions and mobile banking sessions. Therefore, if a smartphone has been severely compromised, the one-time password could also be intercepted along with the banking session.

For commercial clients and high-net-worth individuals in the U.S., a common approach for banks is the distribution of separate devices capable of generating one-time passcodes. The user may have to authenticate with the device using a smartcard or PIN in order to generate a one-time passcode, or “token.”

Although non-U.S. banks have gone down this road for retail banking customers, it has yet to catch on domestically. “In the U.S. it’s seen as an inconvenience,” says Forrester’s Eve Maler. “In other places it’s seen as a status symbol – or it could turn around and make you a kidnapping target.”

Given the challenge of finding a suitable out-of-band authentication method for a mass market, financial institutions are turning to various solutions that may use the existing device, but in intelligent ways that make it difficult for attackers to intervene. “There are clever solutions out there with interesting security properties and ancillary use cases,” says Maler.
