Mobile Providers Tackle Security Concerns

Some mobile banking security fears are based on the unknown.

November 19, 2011

“No conversation with a credit union client takes place these days without a mention of mobile. It’s no longer any sort of novelty—it’s integral to any security discussion,” says Brian Abele, vice president of product management at Q2ebanking. “Emerging technology always brings unknowns, so people’s concerns are basically worries about the unknown.”

But Abele agrees with his industry peers that the level of threats to the security of mobile devices isn’t as great as many credit unions fear.

“Threats that credit unions raise with us more than in any other area is someone else getting a mobile device and using it—getting the user name and password,” says Tom Campbell, vice president of sales at PM Systems. “Since phones are carried everywhere, it’s easier to lose them or have them stolen, certainly compared to a PC in somebody’s house. Also, there’s a concern that easy-to-use bill pay or person-to-person funds transfer apps could be used by a fraudster.”

But, Campbell asks, can those fears be realized?

“Theoretically, yes; but practically speaking, probably not,” he says. “First, it’s hard to steal money via a mobile device because it leaves a paper trail. And the person who finds or steals a mobile device isn’t likely to know anything about its owner, which makes it difficult to use the device for fraudulent purposes.”

The threat to mobile devices can be marginally less than the threats to a regular website, Campbell says. That’s true for two reasons:

  1. Credit union mobile sites can drop a cookie on the phone that helps them identify its user; and
  2. Mobile devices have certain identifying characteristics that indicate characteristics about the user.

“For example, when a phone ‘talks’ to our server, there’s a header that shows its operating system and the browser version its owner uses,” Campbell explains. “So if they normally come in on an iPhone but now are coming in on an Android device, that alerts us that there could be fraudulent activity going on.”

“We see the biggest threats on this channel as the presumption of fraud and the lack of education about what to expect with this channel,” says Jeremiah Lotz, manager of e-commerce solutions at PSCU Financial Services. “It’s a lot like when online banking was introduced: People had great concerns about security and didn’t quite know their way around the topic.”

One area security providers are watching is apps.

“In security bulletins and publications, mobile banking hasn’t emerged as a threat vector yet. But, as everybody is creating apps and websites, it will become an issue,” says Ward Howell, director of security solutions consulting at Q2ebanking.

“A recent survey revealed that 25% of smart phones now have IDs and passwords cached on them,” he continues. “But at this point, there’s not a lot of talk about mobile banking security.”

Lotz says fake mobile apps do exist, but there aren’t many of them.

“Credit unions can teach members what to expect if an app identifies itself as coming from the credit union—certain pieces of information that should be provided if the app is legitimate,” he explains. “But for now, they’re not a real big threat—certainly not as much as on other channels.”

The one form of fraud that will always be the most difficult to deal with, Campbell says, is family fraud.

“It’s the hardest of all types of fraud to protect against,” he says. “When one family member knows so much about another it becomes easy to take over that person’s mobile device and use it for fraudulent purposes.” 

Next: Mobile security best practices

Mobile security best practices

Howell says one of his most important roles is education.

“We present best practices wherever we go, regardless of what technology a credit union uses,” he says. “One thing we know is that the smart phone has become the hub of almost everyone’s universe—social, personal, financial. So already there’s a set of consumer best practices emerging.”

Howell says these security best practices include always having the phone’s password turned on, knowing how to kill data remotely, and replacing lost phones immediately.

People often are overly trusting with their phones, adds Mickey Goldwasser, vice president of marketing for Q2ebanking.

“When somebody says, ‘Hey, let me see your iPhone,’ it can be easy for somebody to pick up vital information about the owner,” he warns. “There should always be a password.”

Proper use of a password is as important as having one. Abele says credit unions should teach members not to lock in an ID and password just so they can access their accounts without checking in.

“It’s a minor inconvenience for the amount of security gained,” he maintains.

Some credit unions encourage members to use their mobile devices as tokens to access Internet banking.

Users log in, identify themselves, click a button, and receive text messages containing a temporary code.

Then they input the code to get to a banking site, but the code is good for only one use. Anybody trying to use it a second time is locked out.

Howell says credit unions should also remind members to be careful about WiFi.

“At a coffee shop I can’t always be certain the wireless access is secure,” he says. “That’s something credit unions need to tell members.”

End-to-end security

Another important feature for mobile banking solutions is end-to-end security, according to Intuit Financial Services, a CUNA Strategic Services alliance provider.

The company’s mobile banking product uses industry standard technologies (i.e., SSL and WTLS) and security certificates with 128-bit encrypted communication.

No personal or confidential information is stored on the mobile device or in the mobile Web banking application.

Intuit’s solution gives automatic access to mobile banking from the credit union’s website, due to the company’s mobile device detection capability.

Any user going to a credit union website will be automatically taken to the mobile version of the site.

This mobile redirect filter is standard on all mobile Web banking implementations.

Plus, high availability, fast response time, and network security are assured as the consumer mobile web banking solution is hosted in the same Intuit Financial Services SAS70-certified data center that operates its internet banking service.

Of course, transactional security is a balancing act, says Howell. “At certain levels it’s like a suit of armor. But you can’t run or jump in a suit of armor, so you have to be careful to add enough flexibility to meet members’ needs and expectations.”

Before introducing mobile financial services, he says credit unions should address these questions:

  • What types of transactions will you offer?
  • How and why will you send alerts to mobile users (i.e., for unusual activity or amounts)?
  • Which authentication mechanisms will you offer (i.e., a token feature or one-time password capability)?

Other features to look for in a mobile banking security product, Lotz says, include:

  • Session time-out capability, where the server disconnects if there’s no activity after a three- or five-minute window;
  • Browser and apps run with standard 128-bit encryption; and
  • Vendor education resources to inform members about the best ways to protect their accounts.

“As time goes on, there will be more attempts to compromise mobile channel security, but I’m not sure they will be all that successful,” Lotz says. “That’s because people’s knowledge of their devices and the channel itself is so intimate that it will be hard to defraud them.

“When you combine 128-bit encryption and credit unions’ own educational outreach on best practices for how members can safely use their devices, there won’t be a lot of room for fraud,” he continues.

Still, Goldwasser advises vigilance by both credit unions and members.

“There is never a time to let down. Besides service, the thing members want most is the trust and security their credit unions deliver. If members don’t trust your security, nothing else will matter.”


• Intuit Financial Services
• PM Systems
• PSCU Financial Services
• Q2ebanking