Three Mobile Banking Security Best Practices

Increased mobile traffic needn’t lead to increased risk.

August 3, 2012

Growing consumer demand for mobile banking has prompted more credit unions to offer members the ability to check account balances, transfer money, and pay bills using their smart phones.

A recent study released by the Federal Reserve showed that 21% of mobile phone users had used mobile banking within the past 12 months, and an additional 11% anticipated using it in the next 12 months.

But increasing traffic in the cyber realm doesn’t need to trigger additional security threats. Following are three best practices—some for the credit union and others for users—that can help ensure the security of your members’ data, as well as control and monitor access to your credit union’s systems.

1. Instruct members to use their mobile devices’ security features

Many device and operating system manufacturers build some level of security into their equipment, but members don’t always leave those safeguards in place.

“It seems a lot of people want to go in and hack or jailbreak their smartphones, and that opens the device up to quite a bit of security risk,” says Aaron Oplinger, director of eServices and channel integration at $1.3 billion asset Arizona Federal Credit Union in Phoenix. “We definitely advise our members to leave the security in place, and to use the security the devices come with, because there is value in that.”

Encouraging members to install antivirus software and to use good judgment when downloading applications is something Frank Macrina, vice president of e-services at $2.3 billion asset Virginia Credit Union in Richmond, says will also contribute to a safe mobile banking experience.

“They should use a PIN or security pattern as a first line of defense,” he says.

These simple measures may be powerful, but they often go unused. A recent survey revealed that more than half of users don’t use a password or PIN to prevent unauthorized access to their mobile devices.

Macrina fears that losses attributable to the mobile channel will rise. “Mobile security does not yet seem to be taken seriously by consumers.”

Chris Saneda, Virginia Credit Union’s senior vice president and chief information officer, believes proactive member education often provides the foundation for other security features in the mobile banking channel, and is fundamental “in terms of ensuring additional security for member transactions.”

Virginia Credit Union’s website offers members a range of security tips, something Saneda says is crucial to a secure platform. “Without member education, that’s going to be your weakest link.”

2. Put sensitive features behind a multifactor authentication gateway

Members using Arizona Federal’s online portal are protected by multifactor authentication (MFA), but mobile banking users are not.

To maintain security without these more advanced authentication protocols, Oplinger says there are safeguards in place that limit what mobile users can do.

“We don’t allow them to change their password—they still have to go through online banking for that—and we don’t allow them to set up new payees within bill pay,” he says. “They can only send payments to existing payees.”

In short, money can’t be sent via mobile device anywhere that hasn’t already been established as a legitimate target in an MFA-protected environment.

Oplinger says one longer-term goal is to have enhanced MFA on mobile devices, at which point additional functionalities will be available to users. “But until we get those security features in place,” he says, “we’re restricting all of that.”
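The gateway policy Oplinger describes (no password changes or new payees from the non-MFA mobile channel, payments only to payees already established under MFA), written out as an added Python example that is not the credit union's own code. The action names, the `Session` and `PayeeRegistry` types and the treatment of balance views and transfers as routine mobile functions are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Actions the article says the mobile channel may not perform without MFA.
HIGH_RISK_ACTIONS = {"change_password", "add_payee"}
# Routine mobile functions (assumed from the article's list of mobile features).
LOW_RISK_ACTIONS = {"view_balance", "transfer"}
KNOWN_ACTIONS = HIGH_RISK_ACTIONS | LOW_RISK_ACTIONS | {"pay_payee"}


@dataclass
class Session:
    member_id: str
    channel: str        # "web" (MFA-protected portal) or "mobile"
    mfa_verified: bool  # True only after a completed MFA challenge


@dataclass
class PayeeRegistry:
    """Remembers, per member, whether each payee was set up under MFA."""
    _payees: dict = field(default_factory=dict)  # (member, payee) -> bool

    def register(self, session: Session, payee: str) -> bool:
        allowed, _ = authorize(session, "add_payee", self)
        if allowed:
            self._payees[(session.member_id, payee)] = session.mfa_verified
        return allowed

    def established_under_mfa(self, member_id: str, payee: str) -> bool:
        return self._payees.get((member_id, payee), False)


def authorize(session: Session, action: str, registry: PayeeRegistry,
              payee: Optional[str] = None) -> Tuple[bool, str]:
    """Gateway decision as (allowed, reason); unknown actions fail closed."""
    if action not in KNOWN_ACTIONS:
        return False, f"unknown action {action!r} denied by default"
    if action == "pay_payee" and payee is None:
        return False, "pay_payee requires a payee"
    if session.mfa_verified:
        return True, "MFA-verified session"
    if action in HIGH_RISK_ACTIONS:
        return False, f"{action} from {session.channel} channel requires MFA"
    if action == "pay_payee":
        if registry.established_under_mfa(session.member_id, payee):
            return True, "payee was established under MFA"
        return False, "payee was not established under MFA"
    return True, "low-risk action"
```

Once the mobile channel gains its own MFA, the same gateway lifts the restrictions simply because `mfa_verified` becomes true for those sessions.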

3. Leverage software to detect suspicious activity

The technology team at Virginia Credit Union also restricts what members can do through their mobile devices. Because they aren’t using MFA, high-risk transactions aren’t allowed.

However, Saneda says the credit union is looking at software solutions that would alert them to suspicious events.

“It will alert us to high-risk activities,” he explains. “Not just from a high-risk transaction standpoint, but also any kind of unusual behavior a member might exhibit.”

These fraud-detection platforms typically look for pattern anomalies, flagging suspicious actions for the credit union to examine and act on.

BRIAN McGINLEY is senior vice president of data risk management for Identity Theft 911.