Tools of the Trade

Mobile Offers Opportunities, Threats

Mobile services improve member satisfaction but raise new risks.

October 1, 2012

Credit unions view mobile banking as a way to better member relationships—but they realize convenience doesn’t come without risk.

“They see mobile as a key to increasing member satisfaction,” says Marty Jost, senior manager of user authentication product marketing at Symantec. “But they’re also mindful of the expense and the need to make the experience safe and convenient.”

Those twin needs—protecting members from having their mobile data stolen or compromised without extraordinary cost—are where vendors are focusing their efforts when helping credit unions mitigate mobile security risks.

How big are those risks? It’s hard to tell.

“With so many points of vulnerability, there aren’t a lot of statistics available that accurately paint an entire picture of mobile banking breaches,” says Terrie Ipson, principal, security services strategy, at Diebold. “It’s been difficult for financial institutions to identify the points of compromise on attacks.”

She cites several startling findings:

  • The likelihood of smartphone owners becoming identity theft victims increased by one-third in 2011, according to Javelin Strategy’s 2012 Identity Fraud report;
  • 48% of consumers remain concerned about security risks in mobile financial transactions; and
  • All apps can provide gateways for criminals to access mobile devices.

“In a single 30-day period, it was reported that one financial institution requested the removal of 200 rogue apps from an app store,” Ipson reports.

But many of the problems associated with mobile security are created by members. “One of the biggest vulnerabilities with mobile is guessed or stolen passwords,” says Jost. “People often set up passwords that are easy to remember” and, therefore, easy to guess.

CSCU Adds Suspicious Transaction Alerts

CSCU’s Pass-Through Mobile Alerts system now provides suspicious transaction alerts that trigger real-time text messages to enrolled cardholders in the event of suspected fraud.

The informational text message alert is sent to the mobile phone in conjunction with calls to the cardholder. This creates an added channel of communication to help mitigate fraud and improve the response time.

The Pass-Through system also allows CSCU-member credit unions to provide real-time text message notifications for various debit and credit card activities. These include signature/PIN purchases, declined transactions, international transactions, ATM deposits or withdrawals, and card-not-present transactions.

Another danger is the loss of a mobile device, such as a smartphone or tablet. The key to defending against misuse of the lost device, says Jost, is having a strong password—upper- and lower-case letters with numerals mixed in.

Ipson agrees that consumers’ control over the security on their mobile devices presents one of the biggest risks in mobile banking.

“Credit unions can’t necessarily secure a device when consumers decide what applications they download, what networks they connect to, and how they access their information,” she says. “Credit unions can offer free security software but there’s no assurance a consumer will keep the device updated.”

Ipson says not all financial institutions are proactive about mobile security, which can lead to increased risk. “Many credit unions don’t take action until a mobile security breach hits close to home.”

That, she says, shows that not all of the responsibility for security lies with the consumer.

“Because the biggest threats to mobile banking security depend on how members access information, credit unions can selectively offer the most secure possible access and authentication. Although this requires balancing convenience with security, credit unions are ultimately responsible for ensuring that member information isn’t put at risk.”

How vendors work this on a practical level is pretty straightforward. “You get around people’s tendency to go with too-simple passwords, as well as cater to their desire for convenience, by using one-time password technology,” says Jost.

This is where users have a token—a little calculator, really—that creates a random number that appears onscreen at the push of a button.

“Users enter that one-time password to begin a transaction. The token changes numbers every 60 seconds, so stealing a mobile device without the token” provides no advantage.

But it’s expensive to buy and distribute the hardware, Jost says, citing a workaround involving two options:

1. A software version of a token that runs on a cell phone—the cell phone becomes the token.

2. An app in the mobile device that generates a separate, one-time password that appends to the user’s regular password whenever he or she starts a mobile transaction.
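As an added illustration (not code from the article or from the vendors quoted), the sketch below shows how a software token of the kind described above can be built: an HMAC-based code that rolls over every 60 seconds (the RFC 4226/6238 construction), a verifier that tolerates one window of clock drift, and the second option from the list, where the code is appended to the member's regular password. The seed, password and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

SEED = b"constructed-demo-seed-0123456789"  # per-member token seed (constructed)
STEP = 60       # the token in the text changes numbers every 60 seconds
DIGITS = 6

def totp(seed: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Code for the time window containing unix_time (HOTP truncation over a time counter)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(seed: bytes, submitted: str, unix_time: int, skew: int = 1) -> bool:
    """Accept the code for the current window or any of +/- skew neighbouring windows."""
    for delta in range(-skew, skew + 1):
        candidate = totp(seed, unix_time + delta * STEP)
        if hmac.compare_digest(candidate, submitted):   # constant-time comparison
            return True
    return False

def check_login(seed: bytes, stored_password: str, submitted: str, unix_time: int) -> bool:
    """Option 2 above: the one-time code is appended to the regular password."""
    if len(submitted) <= DIGITS:
        return False
    password, otp = submitted[:-DIGITS], submitted[-DIGITS:]
    password_ok = hmac.compare_digest(password, stored_password)
    return password_ok and verify_totp(seed, otp, unix_time)
```

A lost phone alone yields nothing to an attacker who lacks the seed, and a code captured once is useless after the window (plus the configured skew) has passed.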

Besides member authentication, Jost says credit unions have to be concerned with privileged users, people who are authorized to transfer credit union money internally and externally. “They usually use hardware tokens that are protected by two passwords: the password coded within the token and a second strong password known only to the person authorized to have the token,” he says. “This lessens the risk of a stolen token being put to bad use.”


Beyond password-generating tokens, Jost says authentication can be designed to thwart fraud by analyzing the likelihood that certain activities present a risk, such as:

  • Logging in from an unfamiliar location.
  • Attempting to transfer funds to an unusual or unlikely destination, such as an overseas account.
  • Logging in from an unfamiliar device. If a member logs in from an unfamiliar device, the process automatically switches to an “out-of-band” special process where the user receives an additional log-in code via e-mail or mobile device that he or she has to add to the regular password.

“Good authentication layers,” Jost says, “include strong passwords, two-factor authentication—device ID plus a one-time extra password appended to the regular password—and out-of-band processes for anomalous behavior.”
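As an added example (not the article's or any vendor's code), the following Python sketch puts the layers just described together: a login is assessed against the member's known devices, usual countries and home country; any anomaly switches the flow to the out-of-band path, and a device that completes that path is remembered so its ID serves as a factor next time. Member profiles and login events are constructed for the demo, and delivery of the extra code by e-mail or text is assumed to happen elsewhere.

```python
import hmac
import secrets
from dataclasses import dataclass, field

@dataclass
class MemberProfile:
    home_country: str
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    pending_oob: dict = field(default_factory=dict)   # device_id -> code awaiting entry

@dataclass(frozen=True)
class LoginEvent:
    device_id: str
    country: str
    transfer_dest_country: str = ""   # empty when the session moves no money

def assess(profile: MemberProfile, event: LoginEvent):
    """Return ('password_only' | 'out_of_band', reasons) for one login attempt."""
    reasons = []
    if event.device_id not in profile.known_devices:
        reasons.append("unfamiliar device")
    if event.country not in profile.usual_countries:
        reasons.append("unfamiliar location")
    if event.transfer_dest_country and event.transfer_dest_country != profile.home_country:
        reasons.append("overseas transfer destination")
    return ("out_of_band" if reasons else "password_only"), reasons

def issue_oob_code(profile: MemberProfile, event: LoginEvent) -> str:
    """Generate the extra log-in code sent to the member (delivery assumed, not shown)."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    profile.pending_oob[event.device_id] = code
    return code

def complete_oob(profile: MemberProfile, event: LoginEvent, entered: str) -> bool:
    """Check the entered code once; on success, trust this device ID as a factor."""
    expected = profile.pending_oob.pop(event.device_id, None)   # single use
    if expected is None or not hmac.compare_digest(expected, entered):
        return False
    profile.known_devices.add(event.device_id)
    return True
```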

Looking ahead, Jost says credit unions should be aware that recommendations the Federal Financial Institutions Examination Council has made concerning the use of behavioral analysis for both consumer and financial institution mobile processes “will probably become mandatory.”

Ipson says Diebold’s banking services follow a best practice of never storing information on mobile devices.

“Information on a mobile device can be accessible to ‘man in the middle’ attacks during Wi-Fi connections, as well as via mobile applications on the devices,” she says. “When information is stored directly on the device, losing your phone also carries the same weight as losing your wallet.”

In that case, credit unions can use remote device controls, including remote wipe and remote shut-offs, to erase data stored on a device and freeze account activity in the event of a digital security breach.

Ipson says education about mobile device use plays an important role in credit union-member relations. “For example, access to information directly through a cell tower is fairly secure,” so credit unions should encourage members to use this form of connectivity versus Wi-Fi.

She also advises credit union executives to be aware of and to educate members about mobile banking risks. “Security isn’t just a ‘set it and forget it’ kind of program, especially in the mobile banking space where functionality, partners, and consumer demands change rapidly. Security is an ongoing effort that isn’t finished once solutions have been implemented.”

Ipson says the paradox of open versus secure banking has been referred to as “a conundrum in the digital space”—and for good reason.

“As financial institutions are pushed to improve convenience,” she says, “they’re increasing their risks. They need to be cognizant of what this means for their business.”

But it’s not a new conundrum, Ipson says. “Similar situations played out in the past online, with ATMs, and with branch security as credit unions looked to improve access to information while staying a step ahead of criminals.

“As many consumers have migrated recently from big banks to credit unions, standing out as a secure mobile banking provider is a way for credit unions to continue to differentiate themselves. It starts with education, discussing convenience and security at the same time.”