Mobile Banking Security: New Problems and Old Face Emerging Channel
- Sophistication and frequency of attacks are expected to rise along with usage.
- Texting is considered the most vulnerable of mobile banking channels due to social engineering.
- Vendors say mobile banking can be made as secure as Internet banking.
- Educating consumers about mobile banking security and how to avoid problems is seen as a necessity.
- End-to-end encryption involving telecommunications and financial services providers also is called for.
Mobile banking has created new opportunities for consumers and criminals alike, and some of the greatest vulnerabilities stem from the same factors that make banking by cell phone so attractive, industry observers and participants say.
For starters, short messaging service (SMS) texting, which can be done on nearly any mobile phone and is often the first and sometimes only mobile service a credit union offers, is considered particularly prone to phishing attacks.
Then there are security problems caused by banking applications created sometimes hastily before being uploaded for iPhones, BlackBerrys and Android platform phones. Furthermore, mobile phones are small and easily lost and stolen, taking their stored credentials and text messages with them.
"There are a lot of security issues to be worked out with mobile banking but I still think social engineering remains the No. 1 threat against your financial institution's customers," said Rod Rasmussen, president and chief technology officer of Internet Identity, an Internet security firm based in Tacoma, Wash., that has worked extensively with international partners in combating phishing and domain name attacks.
"What makes phishing-type attacks so effective with this is the immediacy of the mobile technology they're using, because with texting you have to make quick decisions, and with that kind of time pressure, they're often bad decisions," Rasmussen said. "And you don't have all the warnings and messages you get in a Web browser."
He said credit unions have been a favorite target for text fraudsters because "you can do things you can't do in the Internet world, like SMS spamming and autodialing a metro area. All you need is access to a few accounts and it's worth the effort."
Rasmussen and another industry pioneer, Online Resources Corp. founder and former CEO Matt Lawlor, said they have seen Apple and Google, in particular, strengthen the screening of the banking applications they allow to be posted on their sites. They also said new forms of authentication are on the way, but consumer education, as always, remains key.
"There are all kinds of wild cards out there: losing devices because they're not stationary like your desktop PC, new kinds of malware finding multi-access security breaches, the fact that Bluetooth (the wireless connection between cell phone and earphone) is nonencrypted, even the uniquely mobile GPS channel, but my biggest concern remains the fact that consumers are less vigilant than they should be," Lawlor said.
"Getting consumers to the mindset where they're as vigilant of mobile security issues as they are with their PCs would be a big step forward."
Core technology providers large and small find themselves addressing these problems now, too, as their customers turn to them for advice and solutions.
"We've talked more about this in the past few months than we had in the past two years," said Calvin Grimes, manager of mobile solutions at Fiserv Inc. "Our starting point is to say that the introduction of the mobile channel should not change security standards; those standards should extend to the mobile channel."
Payments, transfers and other transactions moving through a mobile browser can and should be just as encrypted as they are through any other device, Grimes said, adding that it's something his company is continually addressing.
How to find a solution that isn't too complicated or time consuming remains a key question to people like Matt Roedell, vice president of infrastructure and information security at the $1.3 billion TruMark Financial Credit Union in Philadelphia.
He noted that third-party vendors often integrate multifactor authentication that requires passwords and PINs to be used, a regimen not convenient for users of devices like older-style flip phones. "And not everyone has a smart phone," he said. "Especially older people. I'm like a lot of other people, concerned more about that text message attack problem and the possibilities of tricking people into calling and giving up personal account information."
Meanwhile, TruMark has "a very secure solution and I think the lines are just going to continue to blur between mobile banking and the main online banking page, anyway, although education is also always going to continue to be a concern," Roedell said.
That's because just as they did when online banking began in the first place, the threats are expected to grow along with mobile banking itself.
"Will there be things like man-in-the-middle type attacks and other types of phishing events focused on mobile? I can see those threats evolving as the channel evolves," said Rudy Pereira, senior vice president of operations and technology at the $7.3 billion Alliant Credit Union in Chicago and a member of the CUNA Technology Council executive committee.
Alliant is in the process of launching its mobile banking services and exploring ways of securing the various ways it's offered. Industrywide, there have basically been three choices: SMS texting, downloadable applications and Web browsing, sometimes called the "triple play" of mobile banking.
Core providers like Bradford-Scott Data Corp. in Fort Wayne, Ind., find themselves deciding to offer all three but with some trepidation.
"We are very concerned about mobile banking security and feel text banking is especially dangerous," said Vice President Kevin Kolar. "What happens when you lose that phone? It's all right there, but that's also the offering that our credit unions are going to have to have if their members want it. We are working on a little different variation of that offering to help address that problem, though, but texting is still texting."
He also said his company is working on downloadable applets and mobile versions of its standard online banking interface.
The line between those two options is rapidly blurring as smart phones get smarter and iPads and other larger-screen tablets burst onto the scene, and financial services and telecommunications providers must work together to address security demands, according to Graham Titterington, principal analyst at the Ovum research firm in New York.
"Mobile banking is inherently vulnerable," he said. "Besides devices themselves being lost or stolen and hacked, mobile networks may be intercepted either by breaking the wireless encryption mechanism or by hacking into the wired backbone of the network where encryption is not mandatory under telecommunications standards. Meanwhile, IT malware that compromises back-end servers but is harmless in the wireless environment may be passed through the mobile banking interface."
He also held out what might be considered a new brass ring for mobile banking in general: providers must develop encryption that works end-to-end, independent of the telecommunications network operator, and does not detract from usability.
One emerging solution favored by Pereira at Alliant is to have members call to establish a PIN to use for quick log-on and authentication on their mobile phone. "That way even if someone gets the PIN and uses a different phone, or vice versa, it wouldn't work," he said.
Physical tokens, long available for laptop and desktop access along with software tokens, are another possibility.
"It's a balancing act and we think the best option is going to continue to be to give members all the options we can up front, to let them decide whether they want the tightest possible security or the minimal but adequate variety," Pereira said.
"What's more important is that we continue to implement programs behind the scenes that look at behavior and activity that identify possible fraud and that we maintain a good perimeter defense. After that, we can discuss the rest with our marketing folks," he said.
Grimes at Fiserv said his company is, in fact, encouraging its customers to market mobile banking the same way they do online banking. "Talk about security, talk about the power of text alerts that let you know when your balance falls below a certain amount," he said. "Getting a text message is a more convenient and timely way to learn about that than not finding out until you get home that night and have a message on your home phone."
"We know from our marketing surveys that security is the number one or two concern among those not using mobile banking, so you need to be able to both secure that channel and to get the word out that you have done just that."
That said, Lawlor, who recently left one of the first companies to bring online banking and electronic payments to the credit union mainstream, pointed out that "like all new technologies, mobile banking and the security issues that come with it can be a double-edged sword."
"It's a whole new experience and a whole new set of problems that can't be solved by advertising," he said. "People see their mobile devices differently than they do their PCs, and they're going to have to learn to be more vigilant, but we in the business also need to look for ways to plug the security holes that are going to continue to be created, too."