The image is starkly frightening. Picture tens of millionsessentially unprotected mobile phones and tablet computers that areconscripted by cyber crooks into a zombie botnet army and put towork overwhelming your credit union's network with meaningless datain a mobile Distributed Denial of Service attack.

But here's the question: is this science fiction or fact?

Experts disagree.

It's undisputed fact that most mobile devices have no meaningfulprotection against viruses and malware. But, beyond that, themobile DDoS story is marked by substantial disagreements.

Sounding the alarm is Javelin Research's senior analyst for security Al Pascual who,in a press statement, said: “FIs and other organizations with avested interest in the security of the mobile channel will be bestserved through a partnership with security vendors with the goal ofincreased adoption of mobile security software. Deputizingconsumers through education on mobile security threats andencouraging use of anti-malware, firewall protection and othersecurity solutions will have far-reaching benefits.”

In an interview, Pascual elaborated: “Financial institutionsneed to get into the fight. They are pushing mobile banking veryhard. They need to partner with security vendors. They need to getinvolved with carriers. They need to get involved in helping tomake devices more secure.”

He insisted that mobile DDoS attacks are coming in 2013 and“Android will be the most likely target,” mainly because thearchitecture is fundamentally more open than that of Apple'siPhone.

Scary as this image is, some experts believe it has all thereality of a prediction of a J.R.R. Tolkien style, full-outOrcattack crippling Washington, DC.

“Mobile DDoS is theoretically possible but the infrastructureisn't there yet. The cyber criminals are happy with what they nowhave,” said Steve Santorelli, a spokesperson for security researchers Team Cymru.

Tyler Shields, senior security researcher at Veracode, said there has been a proof of concept of mobile DDoSin the form of several apps thathave recently won press attention but, he stressed, “Criminals haveno need to create a new, mobile botnet. They have plenty of botnetcapacity right now.”

Shields stressed that “the available mobile bandwidth is rampingup” – which indeed makes the idea of harnessing mobile devices toping a target site into collapse possible – but, like Santorelli,his take is why do criminals need to bother with this? What theyhave is working, so why invest the time and energy to try to createa wholly new channel?

Ciaran Bradley, a security expert with AdaptiveMobile inDublin, Ireland, made it three skeptics. “Theoretically it ispossible but right now there just are much easier ways to launchDDoS than mobile.”

Santorelli, meantime, stressed: “Mobile DDoS may be coming. Justnot now.”

What does a credit union need to do about mobile DDoS today?It's your call. Every expert agrees it is a potentially interestingattack – but most seem persuaded that, for now, financialinstitutions are better advised to put their resources intoprotecting against other forms of attack such as classic DDoSinitiated via infected zombie networks.