WAP/mobile browser service appears to be the most popular approach to offering mobile banking. In "Callahan's Technology Guide," 26% of credit unions surveyed said that they anticipate adopting WAP/mobile browsing in 2009 and 43% said they anticipate adopting it in 2010. This compares to 23% that planned to adopt SMS/text message in 2009 and 39% in 2010. Fifteen percent said they are adopting a downloadable program in 2009 and 30% said they plan to in 2010.
While mobile banking services allow credit unions to provide convenience, just like online banking it comes with risk.
Since there hasn't yet been a full-fledged mobile security attack yet, Denise Senecal, research manager at Callahan, said that part of the fear with mobile banking is that people don't know what's going to come.
This has some credit unions treading the mobile banking waters cautiously, Senecal added. Some credit unions, she said, are starting with a simple text-based version that provides information, such as a balance request, and rolling out more advanced tools in the future.
CO-OP Financial Services offers a mobile download application to its credit union clients. Jim Hanisch, executive vice president of network operations and corporate development, said that key security measures when it comes to a mobile banking product include having the application time out, making sure no member information is stored on the phone, there are no account numbers displayed, and the product has a way for the member to disable to service immediately if their phone is lost or stolen.
Product manager for CO-OP mobile Randy Thompson said that the downloadable application is a little more secure than a SMS texting product and that they are looking at adapting a WAP product.
Geezeo, an online personal finance software provider, has mobile banking services built into its personal finance product. Members that use the software can get expense categorization, budget progress alerts, account balance alerts and transfer funds on their phones.
Co-founder Shawn Ward said that they have two key security functions with mobile banking services. The first is immediate session time-out, and the second is a SAML-based signal sign-on that authenticates that the member is who they say they are.
"The reality is that no matter how much security you have, the major risk of fraud is at the user level," Ward said.
He suggested that credit unions offering the services explain to members why sessions time-out and express the need to be diligent and aware when using the service. Ward said credit unions should make it clear to members that if their phone is loss or stolen, they can call the credit union right away to shut down access.
One of the biggest things consumers can do to protect themselves, Ward said, is to make sure they have a strong password, which should be eight characters and alpha-numeric.
Similar to the online services, mobile services are open to phishing attacks, Ward said, but there's also a newer threat specific to mobile phone use.
Bluejacking is a tactic used by fraudsters to connect to Bluetooth-enabled phones to steal data that includes phonebooks, calendars, texts and other data stored on the phone.
To prevent members from becoming victims of these attacks Ward said having quick session time-outs is important as well as multiple-layer authentication processes.