Is Mobile Banking Safe?

Digital security is often an act of calibration. Banks need to protect financial information without making it a hassle for customers to gain access to it. They also want to throw enough resources at the problem, without needlessly overspending.

Mobile-banking security presents its own set of calculations. The channel does not yet have the traction of online banking, making it less of a focus for fraudsters. At the same time, nobody wants to destroy consumer confidence in mobile banking through early missteps on security.

Mobile security-or at least consumers’ perceptions of it-already may be presenting a challenge for mobile banking adoption. The number of smartphone owners ranking mobile banking as unsafe or very unsafe rose 54 percent between 2009 and 2010, to a total of 40 percent, according to a July 2011 study from Javelin Strategy & Research, a trend the research firm called “dangerous and significant.” In an October 2011 report, Javelin also found that 53 percent of smartphone owners say security is the main reason they don’t use mobile banking. Further, 67 percent of consumers say they think mobile banking is riskier than online banking.

Despite these fears, mobile banking continues to enjoy steady growth. It more than doubled from 5 percent of online adults in 2007 to 12 percent in 2010, according to a January 2011 report from Forrester Research Inc. Forrester expects 20 percent of U.S. adults will be using mobile banking by 2015.

Even so, banks’ actions and messages around security appear to be missing the mark for a large segment of potential customers. Security is “the elephant in the room” when it comes to mobile banking adoption, says Mary Monahan, executive vice president and director of mobile banking research at Javelin.

To some extent, consumers’ instincts are correct. Certain characteristics of mobile devices do make them more challenging to secure. The small screens, for example, obscure irregularities that might normally reveal clues about phishing attacks, making mobile users three times more likely than desktop ones to submit personal information to phishing web sites.

The speedy nature of mobile is also a problem-users are more likely to ignore security warnings when transacting on a mobile device. In addition, mobile application developers must navigate a complex ecosystem that includes several points of vulnerability. Because they’re under pressure to introduce new applications and updates quickly, they often skimp on security testing in the process.

Some financial firms may take comfort in the fact that malware, a severe problem in the PC world, does not have a big presence in mobile. It’s true that criminals are much more focused on developing malicious programs to steal data from PCs. But observers agree that once money transfers via mobile begin, the bad guys will be quick to follow, thanks in part to the groundwork they’ve already laid. “They will just use the back end that’s already been developed to do PC fraud,” says Yishay Yovel, vice president of marketing for Boston-based Trusteer, a provider of security software.

Already, fraudsters are using the entry points they have gained into PCs to also attack the mobile channel. For example, they might intercept a routine text message sent by a bank to confirm a money transfer initiated on the PC. “First they have to penetrate the PC-which they do-then they use that point to manage the whole fraud cycle,” Yovel says.

Perhaps scarier than any attack the fraudsters may be thinking up is the reality that the regulatory guidelines for authenticating online customers were updated in June. By January 1 of this year, institutions were to have met new requirements for conducting risk assessments, educating customers and introducing more layers of security. Firms whose procedures are not up to snuff are vulnerable. “Right now, if you get sued and you’re not compliant with the updated guidelines, then you’re liable,” notes Alisdair Faulkner, chief products officer at Threatmetrix, a San Jose-based provider of fraud prevention software.

Even with the new guidelines, financial institutions are far from foolproof.

viaForensics, an Oak Park, Illinois-based digital forensics and security firm, discovered basic security lapses at several major banks when it conducted a survey of mobile apps in late 2010. The flaws included sloppy practices like saving user names, passwords and account data in plain text on phones. Institutions for the most part were quick to impose fixes, but not before several publications, including The Wall Street Journal, splashed news of the vulnerabilities on their pages.

Banks, of course, are trying to increase their security. Wells Fargo & Co. is typical of many in that it has a dedicated team working 24/7 to monitor fraud. “It’s not reactive,” says Brian Pearce, senior vice president and head of the retail mobile channel. “We don’t wait for things to happen.”

Wells also maintains a fraud information center on its web site and offers an online security guarantee that reimburses customers 100 percent of any funds they lose, as long as they fulfill certain responsibilities.

But as an industry, banks could do much more. Even though 78 percent offer information about mobile-banking security on their web sites, the messaging may not go deep enough, Javelin found in a November 2011 survey. Only 17 percent of banks educate consumers about installing anti-malware software on their phones. Forty-three percent do not promote a mobile banking security guarantee.

Banks are also falling short in terms of developing fraud prevention solutions that work across channels. In a November 2011 survey of global risk executives, Aite Group found that only 37 percent of respondents had a fraud solution that integrated both the online and mobile channels. “What we’re seeing is that any one-point solution is something the bad guys can circumvent,” says Julie Conroy McNelley, research director at Boston-based Aite.

Perhaps the hardest barrier for a criminal to circumvent is a well-informed customer. That’s why alerts, which let firms immediately communicate their suspicions of fraudulent activity to customers, are gaining favor as fraud-fighting tools. Text alerts are even more valuable than e-mailed alerts because they are delivered so quickly. “If you can talk to people in real-time wherever they are, you can really mitigate fraud,” says Bruce Livesay, chief information officer at Memphis-based First Tennessee Bank, a subsidiary of First Horizon National Corp.

Some banks are doing a better job than others of using alerts. When Javelin surveyed text alerts in March 2011, it found some that described transactions that exceeded a certain limit, but did not include vital information about the purchase amount and location. Some used industry jargon (like “ACH”) to describe payments. Others were hard to look at, with long strings of indecipherable letters and numbers. Such oversights can lead to costly customer service calls.

Well-crafted alerts, on the other hand, raise the possibility of fee income as consumers might be willing to pay for enhanced security. “Depending on the risk profile of the customer, I think some people would potentially be willing to pay a fee,” Livesay says.

Before they start counting on any new income streams, most banks will likely have to get their systems up to speed-literally. Javelin found in some cases that banks were sending alerts about purchases that had occurred days earlier (usually over a weekend).

Using mobile text to communicate transaction information with customers in real time is not an easy task. That’s because most banks still process information in batches at the end of the day. First Tennessee is better positioned than most, now that it has completed a major upgrade of its core systems that involved adding a layer of technology to access and deliver information immediately. “The faster our customers can get real-time information, the better decisions they can make,” Livesay says.

In the search for the best calibration between customer protection and institutional effort, banks should not expect regulators to lay out an exact blueprint. “The guidelines set certain minimum standards for authenticating customers and they give institutions a lot of flexibility about how to do that,” says Jeff Kopchik, senior policy analyst at the Federal Deposit Insurance Corp. “There’s more than one secure way to do it.”

Once the security is in place, experts say banks should conduct regular security audits, especially whenever they roll out an upgrade. “We always encourage developers whenever they change an app to test it,” says Andrew Hoog, chief investigative officer at viaForensics. “When the bank creates an app and installs it on the phone, it has their icon on it. So if there’s a security problem, all the responsibility is pushed onto the bank.”

For now, a large segment of banks are simply laying low. “A big proportion of banks do not allow substantial action on the phone,” Yovel notes. “Because they don’t have a lot of exposure on the current level of functionality they provide, they can defer decisions on security.”

But with interest in mobile banking and payments on an inexorable rise, they won’t be able to delay their decision-making for long. There is little doubt that consumers will soon be demanding all the functionality of PCs on their mobile devices as well. At that point, “the fraudsters will go there because the money will be there,” Yovel says. “It’s just a matter of time.”