Mobile banking, and other financial services, enable customers to pay bills on the fly, check and transfer balances and even trade stocks. Most mobile banking services are delivered via text messaging, mobile websites and applications downloaded to smartphones. Research firm TowerGroup Inc. predicts that by 2012, 108 million people will turn to their mobile devices to conduct some type of banking.
That includes a number of the antifraud capabilities found in PC browsers, such as geo-location, PC fingerprinting (OS and browser version, time of day) and other factors that, when taken together, help substantiate the authorized customer is making the transaction. "On mobile, it's still just mainly user names and passwords," Litan said.
A recent incident serves as an example of mobile banking risks: Citigroup Inc. disclosed that its free U.S. mobile banking application accidentally saved account numbers and other sensitive information on devices, and issued an updated application to resolve the gaffe.
Careful deployment to mitigate mobile banking risks
Despite the relative immaturity of the mobile platform, financial services firms said they're taking appropriate steps to keep customer and account data secure. Most banks start by carefully choosing what services their customers can access on their mobile devices.
"We only enable functionality where we know we have good control over the underlying risks," said Teddy De Rivera, executive vice president of online fraud prevention and authentication for Wells Fargo's Internet Services Group. An example would be enabling the payment of existing bills on mobile devices, but not allowing the setting up of new payees on the smartphone. "The bad guys will set themselves up as a payee, or a mule as a payee. Once they've done that, they're hard to catch until the customer calls," De Rivera said.
Bank of America takes a similar approach. "We are very deliberate about the types of interactions customers can have over mobile. It's not just a security issue, it's also a customer experience issue," said Todd Inskeep, authentication and customer protection executive for the consumer bank echannels and customer solutions organization at Bank of America.
For Bank of America customers, SiteKey is a familiar mobile security control. "SiteKey is an extra layer of security that we use as two-factor authentication to ensure customers know they are interacting with us when they sign on to access account information through their mobile device," Inskeep said.
Fraud detection and secure application development
Additional security controls banks put into place for mobile services include ways to try to identify fraudulent transactions. "We are looking at peoples' behaviors to spot out-of-pattern transactions. We score all of the transactions based on how far from normal they are for that particular customer," explained De Rivera.
Other lines of defense include simply not storing sensitive financial and account information on devices, and encrypting transactions and any data that is on the device, while another is extending secure software development practices out to mobile applications.
"We have downloadable applications for the phone, and those are tested in a variety of methods to ensure that things are encrypted and safe from hacking," said Marc Warshawsky, senior vice president and mobile channel executive at Bank of America.
Despite all of these efforts, as the recent Citigroup application flaw and the past decade of ecommerce show us, any new sales or service channel will be exploited, and mobile banking may be more challenging to secure because of the vast number of devices and ubiquitous Internet access they provide.
"The challenge with developing on smartphones is that banks can't count on all of their users having the latest and greatest mobile operating system. They will have to develop to the least common denominator," Gartner's Litan said. "So security will always lag state of the art for many customers."
About the author:
George V. Hulme is a business and technology journalist who often writes about security topics from his home in Minneapolis, Minnesota.