Mobile Banking Security

Consumers love the convenience, but security issues are making them nervous.

November 14, 2011


Mobile Banking Security


  • The financial services industry is moving toward a
    ‘true mobile wallet.’ 
  • Security experts agree the growth of mobile malware raises questions about the prudence of managing finances on the fly.
  • Board focus: The risk of not offering mobile banking
    to members might be greater than offering it.


By 2014, more people will access their accounts through mobile devices than through their home or office computers, predicts Robert Hedges Jr., managing partner of the research firm Mercatus.

But security concerns—and a couple of well-publicized breaches—could slow the rate of adoption. The number of consumers rating mobile banking as “unsafe” or “very unsafe” increased from 25% to 40% between 2009 and 2010, according to reports from Javelin Strategy & Research.

The only issues holding mobile banking back from the next phase of consumer adoption, it seems, are security concerns.

A game-changer

Mobile devices have, without a doubt, transformed our daily interactions and transactions. Some experts suggest the impact of mobile technology is far greater and has revolutionized the way we live.

A consumer shopping for a flat-screen television can compare prices, check account balances, and even transfer funds between accounts right on the sales floor using a mobile device. A stay-at-home mom with a small hos-pitality sales business can use her smartphone’s camera to deposit checks.

“Mobile banking will become the norm at some point, because our society is spending more time on mobile devices than on their PCs,” says Tony Rasmussen, senior vice president of eServices at $2.9 billion asset Mountain America Credit Union, Salt Lake City. “Our goal is really to enable our members to conduct business on their terms, when and where they want to.”

To that end, the credit union offers a full suite of mobile banking services including wireless application pro-tocol (WAP) Internet banking, short message service (SMS) text banking, and a downloadable application (app).

The credit union launched its WAP service—a slightly pared-down online banking site, accessible from any mobile device with a browser feature—about seven years ago. To use WAP, which works on more than 300 dif-ferent devices, a member needs only a feature phone, not a smartphone.

Mountain America’s SMS text banking allows members who’ve registered their mobile devices to complete a limited number of functions by entering short codes.

“It’s a fast way to check your balances, look at your past few transactions, and even make a transfer if you need to,” Rasmussen says.

The credit union’s downloadable app, however, is where most of the action is. Developed by an outside vendor, the app is custom-branded to the credit union and operates independent of a phone’s browser. Mountain America offers the app free to members in both the Android Market and the Apple iTunes Store.

The app looks better and works faster than WAP, says Rasmussen. It also offers additional features, including a GPS-driven branch and ATM locater. The app allows members to graph expenses or set up personal budgets with alerts when they get close to limits or exceed them. Glancing at their phones, members can determine if they can afford to eat out or go to a movie.

The app even saves members time since they don’t have to stop at the branch to deposit checks. With the remote deposit capture (RDC) feature using their phone’s camera, members can deposit and transfer funds by taking pictures of checks. Soon, Mountain America’s app will also accommodate bill-pay.

The new industry standard

Rasmussen expects the app to eclipse the mobile website and the regular online banking site as smartphones in-crease market penetration. Estimates vary, but some reports indicate smartphones constitute 35% of the current mobile market, and the International Data Corp. predicts final 2011 smartphone sales will double the sales of 2010.

“I think it’s a foregone conclusion that the industry will come to embrace feature-rich mobile banking applica-tions,” says Hal Tilbury, CEO and founder of Bluepoint Solutions, an independent software vendor that offers RDC and specializes in electronic content management and item processing.

The financial services industry is moving toward a “true mobile wallet” that allows consumers to use cell phones to do anything they currently do with the contents of a wallet, he says. A mobile phone as a debit or credit card? “Right around the corner,” he speculates. “Google has already launched its wallet service, and within two years you’ll see the players in that space multiply further.”

As mobile banking becomes a bigger facet of personal financial management, experts like Carlo Cardilli, senior vice president of mFoundry, expect physical branches to play a much smaller role. But that’s good news, he says.

“Mobile banking allows credit unions to cast a bigger shadow,” he adds. And when members rely less on brick-and-mortar branches, credit unions won’t have to work as hard to retain them, even when they move out of town or out of state. With shared branching and no-fee ATM locators on mobile apps, members can figure out how to access cash just about anywhere. And they can do just about everything else on their mobile devices.

Don’t forget the financial benefits of the mobile platform, Cardilli adds. Credit unions are very sensitive to cost, and call centers are expensive to staff and operate while mobile alerting is much cheaper, he says.

“Fifty percent of calls are ‘What’s my balance?’ or ‘Has my rent check cleared?’” he explains. Credit unions don’t want members to stop calling, but they do want members to use more efficient ways to get the information they need. “Mobile allows members to get that kind of information faster than it would take a call center employee to pick up the phone,” he says.

Members seem to like the platform, too, says Cardilli. Within the first three months of availability at mFoundry’s client $769 million asset Columbia Credit Union in Vancouver, Wash., 20% of members signed up for mobile banking.

Next: Malware and data breaches

Malware and data breaches

Mobile banking’s future looks bright, but security concerns remain. Recent cell phone scandals illustrate that mobile phones can be hacked, and headlines are screaming about the rapid growth of new malware designed to infiltrate mobile devices and exploit personal information and data.

Android malware is exploding, with an early 2011 incidence 400 times higher than a year earlier, according to a May 2011 report from Juniper Network’s Global Threat Center. Not surprisingly, this is directly proportional to the Android operating system’s market share growth, which has grown from 3.9% in
2009 to an estimated 38.5% in 2011, according to a Gartner research report.

While Juniper indicates Android malware still accounts for less than 1% of all malware in the world, the rate of increase suggests mobile devices are attracting more attention from fraudsters. And if nothing else, security experts agree the growth of nefarious activity raises questions about the security—and the prudence—of managing finances on the fly via the mobile channel.

Security must be a concern for credit unions, says Tom Gray of Member Service Solutions LLC, since he’s asked about it “in every webinar” his firm conducts. Gray, and co-managing partner Rick Hargis, say security drove the design of the firm’s CU Mobile Apps.

The app doesn’t push, pull, or store personal information or financial data on any mobile device. Instead, it functions by tying into a credit union’s existing mobile banking or online banking platform. It then repackages the information and features in a faster, more user-friendly format and adds additional functionality, including a GPS-driven branch locator.

Credit unions that develop their own mobile apps also are approaching security as an essential element. At CommunityAmerica Credit Union, Kansas City, Mo., “security was our No. 1 concern,” says Sam Passer, vice president of program services. “It wasn’t an after-thought. We built the app from the ground up focusing on se-curity.”

As an added precaution, the $1.7 billion asset credit union also enlisted a third-party vendor to do a full security review of the Android and iPhone app prototypes before launching them.

Passer acknowledges that mobile threats are proliferating, and his credit union invests a large amount of re-sources to secure online and mobile systems. But he says the greater risk lies not in the mobile platform itself, but in not offering it to members. “We needed it to stay competitive.”

In developing iPhone and Android apps, 1st Advantage Federal Credit Union, Yorktown, Va., considered only veteran vendors with good track records, says Jim Craig, vice president of marketing. The $539 million asset credit union hopes to launch the apps within the next year—as options in addition to its existing mobile banking site.

While Craig is always concerned about security, he’s not alarmed by the increase in hacking and malware. “What we’re seeing in the mobile space is that it isn’t any riskier than regular Web or Internet banking,” he says.

The financial services industry has a bit of “security fatigue,” agrees Rasmussen. Bombarded with messages about breaches everywhere from shoe stores to mortgage companies, many in the business have come to recognize the role security and risk play in both online and mobile banking. Credit unions and their employees manage risk, but they don’t overreact to it.

“Not every risk associated with doing business can be a crisis,” he explains. “Always operating in crisis mode is taxing, draining, and keeps us from doing our best work.

“Security has found its niche in the way we now conduct business,” he adds. “It’s seen as an ongoing, nev-er-ending part of the way we operate, rather than a one-time tragic event that can be dealt with and then forgotten. As things come up, we’ll deal with them. We have to, because the mobile device isn’t going away.”

Mobile-ready members feel the same way, says Craig. “We aren’t hearing anything from our members about security concerns in relation to the mobile channel. Basically, members concerned about security don’t currently use online banking, and certainly won’t use mobile banking.”

“You certainly have all the controls and all the protection that you have on the PC, because it’s encrypted communication back and forth,” agrees David Dye, an integrated services manager at Diebold Inc. “And mobile does have the protection of username and password. You have as much, or more protection, as you do on a PC.”

Diebold—a CUNA Strategic Services alliance provider—offers a fully functional native mobile banking app along with Card Lock. The latter is a new mobile-controlled solution that allows credit union members to lock and unlock debit and ATM cards to prevent identify fraud.

Next: Push notification

Push notification

Even if mobile malware proliferates, says Dye, the mobile platform offers unique, yet cost-effective, opportunities to enlist the members themselves in managing fraud and other risk.

For example, mobile banking apps often feature alert notifications, which send notices or text messages based on criteria the members select. Members can set filters so their app notifies them if they exceed spending limits on certain cards or if their cards are used in unauthorized transactions. Members who limit online purchases to one credit card receive an app notification if someone tries to place an online order in their name with another card.

“If something is happening that doesn’t look familiar, I find out and can respond to it immediately,” explains Dye. “The marketing term we use for it is ‘deputizing your members.’ That serves two purposes, because I’ve kept them informed and I’ve also kept them in a very inexpensive channel, in terms of support. If you can stay in the mobile channel, you can do all this and control your costs.”

Members seem to see and respond to notices on their phones sooner than they would to e-mails or even phone calls, Dye adds. “The interesting thing about mobile is that it’s with most of us most of the time, and we’re all used to using it to take care of things on an immediate basis. We get a piece of information, we respond to it, and we go on with our day.”

This behavior pattern, Gray notes, presents another opportunity. Credit unions can use the same notification features they use for fraud prevention for marketing. Push notices can alert members to falling mortgage rates or car loan specials. If current behaviors bear out in mobile banking, app notices stand to be an effective means of direct communication with members.

Those opportunities aren’t lost on Craig, who’s excited to harness the potential that mobile banking offers for member retention and business growth.

“We’ve been tracking traffic to our site by device,” he says. “I’ve wanted to go mobile for a long time but the members weren’t there. We’re finally seeing the traffic of mobile devices to our site to make it worth the expense to roll it out.”

The credit union’s timeline was controlled more by demand than by risk, Craig explains. “Until now, we didn’t think we’d get enough traffic to make it worth the investment.”

He advises other credit unions to weigh the costs and benefits of adding the technology. But he cautions against holding back on mobile banking out of fear, alone. Even boomers and seniors are using physical branches less, and younger generations are quicker to adopt new technology.

There isn’t a single market that won’t be in the mobile space in the next 10 years, he predicts, “and I seriously doubt it’s going to be something you can ignore forever.”


  1. Credit Union Environmental Scan
  2. National Member Survey
  3. Survey of Potential Members