Credit unions view mobile banking as a way to better member relationships—but they realize convenience doesn’t come without risk.
“They see mobile as a key to increasing member satisfaction,” says Marty Jost, senior manager of user authentication product marketing at Symantec. “But they’re also mindful of the expense and the need to make the experience safe and convenient.”
Those twin needs—protecting members from having their mobile data stolen or compromised without extraordinary cost—are where vendors are focusing their efforts when helping credit unions mitigate mobile security risks.
How big are those risks? It’s hard to tell.
“With so many points of vulnerability, there aren’t a lot of statistics available that accurately paint an entire picture of mobile banking breaches,” says Terrie Ipson, principal, security services strategy, at Diebold. “It’s been difficult for financial institutions to identify the points of compromise on attacks.”
She cites several startling findings:
“In a single 30-day period, it was reported that one financial institution requested the removal of 200 rogue apps from an app store,” Ipson reports.
But many of the problems associated with mobile security are created by members. “One of the biggest vulnerabilities with mobile is guessed or stolen passwords,” says Jost. “People often set up passwords that are easy to remember” and, therefore, easy to guess.
CSCU Adds Suspicious Transaction Alerts
CSCU’s Pass-Through Mobile Alerts system now provides suspicious transaction alerts that trigger real-time text messages to enrolled cardholders in the event of suspected fraud.
The informational text message alert is sent to the mobile phone in conjunction with calls to the cardholder. This creates an added channel of communication to help mitigate fraud and improve the response time.
The Pass-Through system also allows CSCU-member credit unions to provide real-time text message notifications for various debit and credit card activities. These include signature/PIN purchases, declined transactions, international transactions, ATM deposits or withdrawals, and card-not-present transactions.
Another danger is the loss of a mobile device, such as a smartphone or tablet. The key to defending against misuse of a lost device, says Jost, is a strong password that mixes upper- and lower-case letters with numerals.
Ipson agrees that consumers’ control over the security on their mobile devices presents one of the biggest risks in mobile banking.
“Credit unions can’t necessarily secure a device when consumers decide what applications they download, what networks they connect to, and how they access their information,” she says. “Credit unions can offer free security software but there’s no assurance a consumer will keep the device updated.”
Ipson says not all financial institutions are proactive about mobile security, which can lead to increased risk. “Many credit unions don’t take action until a mobile security breach hits close to home.”
That, she says, shows that not all of the responsibility for security lies with the consumer.
“Because the biggest threats to mobile banking security depend on how members access information, credit unions can selectively offer the most secure possible access and authentication. Although this requires balancing convenience with security, credit unions are ultimately responsible for ensuring that member information isn’t put at risk.”
How vendors address this on a practical level is fairly straightforward. “You get around people’s tendency to go with too-simple passwords, as well as cater to their desire for convenience, by using one-time password technology,” says Jost.
This is where users have a token—a little calculator, really—that creates a random number that appears onscreen at the push of a button.
“Users enter that one-time password to begin a transaction. The token changes numbers every 60 seconds, so stealing a mobile device without the token” provides no advantage.
But it’s expensive to buy and distribute the hardware, Jost says, citing a workaround involving two options:
1. A software version of a token that runs on a cell phone—the cell phone becomes the token.
2. An app in the mobile device that generates a separate, one-time password that appends to the user’s regular password whenever he or she starts a mobile transaction.
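As an added illustration of the scheme Jost describes (example code written for this article, not from Symantec or any vendor named here): a time-based one-time password with a 60-second step, plus a check of the "regular password followed by one-time code" login from option 2. The secret key is the RFC 4226 test key, and the password "hunter2", the `verify_login` function and its replay-tracking `last_counter` are assumptions made for the illustration.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 60, digits: int = 6) -> str:
    """Time-based OTP: the counter is the number of whole time steps elapsed,
    so the code changes every `step` seconds (60 here, matching the article)."""
    return hotp(secret, timestamp // step, digits)


def verify_login(submitted: str, static_password: str, secret: bytes, now: int,
                 last_counter: int = -1, step: int = 60, digits: int = 6,
                 window: int = 1) -> tuple[bool, int]:
    """Check a combined '<regular password><one-time code>' submission.

    Accepts codes from `window` steps either side of `now` to tolerate clock
    drift, but never a counter at or below `last_counter`, so a code captured
    from one login cannot be replayed inside the drift window.
    Returns (accepted, counter_to_store)."""
    if len(submitted) <= digits:
        return False, last_counter
    password, otp = submitted[:-digits], submitted[-digits:]
    # Constant-time comparisons avoid leaking how many characters matched.
    if not hmac.compare_digest(password.encode(), static_password.encode()):
        return False, last_counter
    counter = now // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate <= last_counter:
            continue  # already used (or older): treat as a replay
        if hmac.compare_digest(otp.encode(), hotp(secret, candidate, digits).encode()):
            return True, candidate
    return False, last_counter


if __name__ == "__main__":
    # Constructed demo values: the RFC 4226 test secret and a sample password.
    secret = b"12345678901234567890"
    print(totp(secret, 59))   # 755224 (counter 0)
    print(totp(secret, 60))   # 287082 (counter 1)
    ok, used = verify_login("hunter2755224", "hunter2", secret, now=30)
    print(ok, used)           # True 0
```

Storing the returned counter and passing it back as `last_counter` on the next attempt is what turns the drift window from a three-minute replay opportunity into a single-use code.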
Besides member authentication, Jost says credit unions have to be concerned with privileged users, people who are authorized to transfer credit union money internally and externally. “They usually use hardware tokens that are protected by two passwords: the password coded within the token and a second strong password known only to the person authorized to have the token,” he says. “This lessens the risk of a stolen token being put to bad use.”