Some of the same tech advancements that credit unions are leveraging to attract and retain members are proving just as attractive to a less savory element.
That’s because cyber fraudsters – that sophisticated, loosely associated and shifting global network of online thieves – are devoting as much time and energy to exploiting the vulnerabilities of the mobile channel as the financial services industry is to securing the channel and assuring its users and potential users that mobile banking is safe.
A prime example is remote deposit capture (RDC), in which a member photographs a check with a mobile device and deposits the image electronically, essentially sending a negotiable instrument through the airwaves. Typically, that transaction path includes ACH clearing, an area where electronic thievery has already gained traction against businesses as well as individuals. Does the mobile RDC channel present a new opportunity for criminals?
“There’s a lot of interest out there about that,” said Don Jackson, director of threat intelligence at Dell SecureWorks, the Atlanta-based provider of Internet security services to about 3,000 customers, including 628 credit unions.
“There’s a lot of interest in figuring out RDC and how that image gets turned into an ACH transaction. The crooks already know ACH pretty well and now, they’re really looking into that,” Jackson said.
Just like vendors that supply the technology and financial institutions that deploy it, Jackson said the criminal element “really hopes RDC takes off.”
Jackson, who makes his living monitoring malware and other cyber criminal activities on a global scale, said he also sees the mobile channel being attacked for different reasons than hackers have attacked PCs, laptops and servers.
“As more people do most or all of their banking on mobile devices, we’re now looking at more efforts toward social engineering, toward selecting targets and selective types of accounts, rather than the kind of data that can be collected en masse through the traditional channels,” he said.
The selection of targets that used to be kind of an art is now becoming more of a science, Jackson explained. Criminal groups are doing a lot of profiling and paying more attention to who those targets are and what they can do with their accounts.
That said, the personalized, permission-heavy nature of mobile banking makes for an environment that currently is difficult to protect, he noted.
“The same design decisions that make them secure also make it difficult to add new security software,” Jackson said.
For instance, patching, the download and installation of security updates for existing software, really doesn’t exist in the mobile channel the way it does in the server and PC domains. Fortunately, Jackson said his company has generally not yet seen a lot of focus on the mobile channel by organized cyber thieves. But that could change as 4G networks spread across the United States, he warned.
“Right now, the speed is not there,” he said. “We haven’t yet seen a lot of targeting of mobile devices, but that can change.”
There are also regulatory changes for securing electronic banking. Along with knowing that cyber crooks will naturally gravitate toward the growing mobile channel, financial institutions also have to comply with new rules such as the Federal Financial Institutions Examination Council’s guidance that takes effect in 2012. Ultimately, credit unions and banks will still have to find ways to assure consumers that mobile banking is safe, experts continue to say.
“Those of us working in mobile all have a good awareness that there’s the need to do something. I just don’t think many people have figured out what that something is yet,” said Adam Dolby, eBanking manager for the Americas for Gemalto, a digital security firm based in Amsterdam.
“The whole definition of mobile is still a bit nebulous for a lot of financial institutions. Not a tremendous number of banks have real robust functionality yet, and they’re sort of taking what functionality they have and finding their way a bit,” he said.
Gemalto is working with its clients to move away from a silo approach with their banking applications and channels and look at how solutions can cross between them, both in end user functionality and security, Dolby said.
“We have the opportunity now with mobile to make the phone the access point where all these functions converge, just as historically, it’s been the laptop or desktop,” Dolby said.
Security and compliance will be part of that, he said, but warned against it being the primary motivator.
Dolby considers the FFIEC guidance to be a bit of a double-edged sword because he said it raises the awareness that financial institutions have got to do something to make mobile banking secure. He calls it “compliance think.”
“You start to look at what you need to do to get the auditor off your backside rather than how you can best protect the channel,” Dolby explained.
That’s a question that vendors big and small are being asked by their credit union clients.
“The new guidance has brought to a head a lot of conversations that had been lurking in the background, and we’re getting very specific questions now about where we’re going with our products, and what tools and assets we have to protect them,” said Calvin Grimes, mobile solutions manager at Fiserv Inc. of Brookfield, Wis.
He said some of the methods involve taking techniques now used for online banking, such as showing the person an image before entering a password.
“We also are basically working with a smaller version of the 128-bit encrypted browser, so in this case, there’s no reason to treat it differently,” Grimes said.
Some experts believe there is no reason to think consumers will regard it differently. As when online banking was first gaining widespread adoption, security concerns may be putting the brakes on mobile banking uptake.
“I believe very strongly that we’re at a point where smaller financial institutions can use security and technology as their differentiator,” Dolby said.