Call it banking’s Pogo moment: We have met the enemy and he is us.
“The weakest link in the online and mobile banking security chain is the end user,” said Mike Moir, an executive with security firm Entrust.
The key insight: as much as credit union IT security personnel need to keep aware of what cyber-crooks are cooking up, they also need to stay well aware of what members may be doing to (unwittingly) undermine their own security and safety.
The core reality is that, right now, “there is more security with a mobile device than a desktop computer,” said Terrence Spies, chief technology officer at Voltage Security. “There is not much controversy about that.”
That comes as a surprise to many – fears about mobile security always rate high among the reasons people say they do not do mobile banking. But the reality is that mobile devices on the chief operating systems – Apple’s iOS and Google’s Android – are architected in ways that make the traditional cyber-crook gambits impossible.
Nobody thinks this era of safety will long persist. The consensus among security experts is that it is “just a matter of time before fraudsters throw their considerable resources after mobile banking,” said Steve Santorelli, a cyber security expert with research firm Team Cymru.
Until then, however, we exist in an era of comparative safety – except to the degree we the users undermine ourselves.
One problem: “People don’t always see that there even could be any risks especially with mobile. It is just a phone, isn’t it?,” said Moir, who added that the computing power of today’s smartphones usually is much greater than the power of the computers users went online with for the first time in the mid 1990s. But because some see it as “just a phone,” they don’t begin to take precautions.
Call that the background to proliferating member errors – errors smart credit unions need to anticipate and, to the extent they can, safeguard against.
Here are the top five:
Just about every security expert points to this because surveys find that still among the most popular passwords are, you guessed it, password or 123456. Some email and etailer sites reject this kind of password as too weak but, in general, said the experts, financial institutions are reluctant to raise barriers to member use of mobile banking and if that means swallowing poor passwords, so be it. But those same experts suggested credit unions would do members a favor by urging them to use tougher passwords.
That is a key error pinpointed by Entrust executive Mike Byrnes. It’s human nature to try to maximize use of secret codes – thus necessitating less memorization – but it can be dangerous. Byrnes said he saw little harm in using the same password for, say, Twitter and Facebook – but do not also use it at a critical site such as banking. The recent LinkedIn password hack illustrated why.
Said Geoff Webb, director of product marketing, at data protection company Credant: “Users should re-set their phone to factory initial settings before even considering selling, recycling or donating their device. The biggest concern is that, obviously, personal information will be left on the phone and accessible to whoever subsequently owns it. However, people should also think carefully about the things that the phone has access to.”
Incidentally, this is easy to do with most phones. On an iPhone, for instance, click SETTINGS, GENERAL, RESET, ERASE ALL CONTENT. In a few clicks data is deleted. The process is `as simple on Android and BlackBerry.
The app may say XYZ Credit Union but don’t think about downloading it unless it’s via a link on the credit union’s website or from a well-known apps store such as Apple’s, Amazon’s or Google’s Play.
All manner of mischief may have been added into an otherwise official app that is available from third-party sites.
Big banks, said the security experts, devote substantial staff resources to hunting for such illicit apps. The risks are just as real for smaller credit unions and that is why many experts suggest regularly warning members to use only approved apps from major download locations.
Security experts say there is a paradox. Most computer users by now have grown wary of clicking on unknown links in email on their desktop or laptop. But when that same email arrives on a mobile device – with its tiny screen which may make it harder to attempt to read the full URL address – we just may click away.
Phishing scams targeting mobile phone users are already epidemic and are on a steep rate of increase, according to the security experts. Bogus emails – masquerading as alerts from financial institutions, for instance – keep growing in numbers and lately, said the experts, more of us are again clicking on links from mobile devices.
And when crooks are given a member’s user name and password by the member, their job gets very easy indeed.
Bottom Line: Mobile banking security is strong but member education can keep it strong, said Q2ebanking executive Jay McLaughlin. “Members must play a part in being the solution. That is what we are starting to advise our credit union customers.”