Mobile banking

Member preferences differ from user to user. However, there are some important steps that ensure credit unions create and deliver a frictionless and secure mobile banking experience for all. David Vergara, director of security product marketing at Oakbrook Terrace, Ill.-based data security firm. VASCO offered eight tips financial institutions can use. 1. Credit unions need simple, quick but secure authentication. Members generally want a secure, frictionless mobile experience that allows them to utilize more services using their mobile device. Financial institutions attempted to offer faster, convenient logins by replacing complex passwords with simple PINs, fingerprint scanning or other biometrics. Vergara warned if not implemented correctly, they will not be secure. An underlying security framework solves the convenience versus security argument. 2. Provide a frictionless experience. Friction dampens consumer enthusiasm for mobile banking and the login and authentication stage is where delay most often occurs. The mobile banking app and supporting IT uses multiple security technologies for securing devices and communication. Look for ways to tie these processes together without requiring extra actions by customers. "For example, a mobile device can authenticate itself when a new session is started. Behavioral authentication technology is another frictionless option," Vergara emphasized. 3. Protect mobile banking apps. The increased popularity of mobile banking created a very competitive and challenging environment, especially among mobile app developers. Rushed releases often create vulnerabilities in the application layer, Vergara noted. The BankBot Android mobile banking malware, for instance, besieged more than 420 leading banks in countries such as Germany, France, Austria, the Netherlands, Turkey and the United States. The malware allows attackers to create windows that sit on top of legitimate Android applications and intercept user information. "It's important to harden the app via mobile app shielding and, specifically, Runtime Application Self-Protection or RASP." This keeps the app (and backend systems) safe even when the app is running on devices with disabled OS protection, or devices already infected with malware. 4. Measure risk on each mobile device. "The foundation of strong security is multi-layer controls. If a hacker manages to thwart one-layer, other controls mitigate malicious activity," Vergara held. Among these are technologies that analyze each device and associated behaviors of its user while engaged with a mobile banking app in real time. The goal is to score the risk of each device and provide actionable data for implementation of policy when critical thresholds are too high. For example, unpatched versions of OS or app software, an unknown public Wi-Fi network, a new password, or new biometric carry more risk. 5. Adopt an omni-channel approach. "To stay competitive, you need to seek ways to achieve a great user experience across channels – including mobile," Vergara said. Different channels often require different ways to prove user identity and to authorize operations. Variances can lead to friction and frustration. Look to inject a simple, intuitive experience with fewer required interactions. 6. Combat social engineering and other threats. Phishing and other types of social engineering such as its voice relative, vishing, exploit trust to steal valuable information such as usernames, passwords, credit card numbers or other sensitive data. Even with education and additional user controls, social engineering is still successful. "The simple reason is that the final decision to complete a transaction is made by the user who authenticates to the financial institution," Vergara said. Financial institutions should only generate signature requests known by the credit union. The mobile device should automatically reject requests not coming from the credit union. 7. Be ready for regulation. The banking industry is one of the most heavily regulated, and more rules are on the way. For example, in the EU, the new Payment Services Directive 2 is already in effect. It regulates the security of electronic payments — including mobile banking and retail payments security. Other regulations such as GDPR and PCI-DSS require multi-factor authentication to protect data or access control. 8. Electronic document signing. As digitization efforts mature and organizations realize its benefits in customer experience, compliance, productivity and hard cost savings. An electronic signature platform with flexibility accommodates any business process across any channel — online, the call center, the retail branch and mobile.