Pop quiz: Which statement is true? Mobile banking is becomingmore secure. When it comes to mobile security, the crooks aregaining.

Actually, both choices could be the right answer, experts havesaid. 

“My impression is we are all getting better at what we do,” saidScott Ksander, vice president of IT at the $733 million Purdue Federal Credit Union in West Lafayette, Ind.“Unfortunately, that goes for both the bad guys and the goodguys.”

When it comes to protecting online transactions, are financialinstitutions becoming more proactive? 

“Very much so. I think awareness is percolating through allages,” Ksander said. “There are lot of educational programs incredit unions and communities. But the bad guys are gettingsmarter, too. This kind of theft is sadly still a profitablebusiness opportunity with relatively low risk. It's six times moreprofitable than armed robbery.”

Even though Ksander believes law enforcement officials aregetting better at tackling mobile banking crime, he doesn't think it's time to stopworrying about it. 

“I talk to people who ask, 'Should I be afraid?' No, but youshould be aware and be cautious, just like our parents taught usnot to walk down dark alleys. The problem is that in the cyberworld, the dark alleys are a little harder to understand,” Ksandersaid.

Awareness is a big factor in combating mobile banking crime. With more people using the channel, manyof them may not be very sophisticated about protecting theiraccounts.

“As a society we've made it look so easy,” Ksander said.“Students coming here to Purdue have had their cellphones sincesixth grade. There's kind of a middle generation problem here. Theyounger generation has had technology for so long, they haveawareness. I think the older generation is more cautious by nature.The middle generation is really the prime target of the bad guys.That's a pretty broad brush, but that's kind of what we'reseeing.”

Identity is the key to the whole thing, he pointed out. The morethe bad guys know about you, the easier it is to impersonate youand carry out a successful transaction. The object is not to justhit and run. The crook wants to wait until he can wipe out yourentire retirement savings account. So, he watches andlearns.Ksander said you don't need to have the highest fenceavailable. You simply need a fence that's higher than what the nextguy has built.

Still, downloading a mobile banking transaction may not be anymore risky than downloading a family tree app, Ksander noted. Herecalled the time he was making a presentation at a retirementcommunity. During the presentation he received a vanity alertindicating his name had been found by Google in a story.

The alert revealed the Ksander family tree was available online.He discovered that if an identity thief wanted to know his mother'smaiden name – a common security confirmation question – there itwas. A birth certificate was attached in jpg. Turns out, a fairlydistant relative had used an app to create a family tree. Theproblem was the information would provide a crook with birthdatesand other information that would be dandy for identity theft.

Neal O'Farrell, director of the Identity Theft Council, agreedthe picture is mixed. Efforts by financial institutions to combathackers have improved, but attempts by crooks have become moretargeted and complicated.

“Financial institutions have realized it is a question ofsecurity first,” O'Farrell said. “Yes, security can be expensive,especially when a financial institution is struggling. “Butsecurity must come first or it will catch up with you.”

O'Farrell said there was a rush of mobile banking apps to market to capture market share. Now, people realizesecurity is as much of a priority as convenience. For theconsumers, O'Farrell said free malware detection, password monitorsand keyloger protection are available. 

As mobile devices have proliferated, IT departments have notkept up with needed controls, said Tom Schauer, CEO and chiefclient experience officer of TrustCC, an IT audit and securityassessment firm.The big threat today is loss of a mobile-enableddevice. If a cellphone or a tablet is swiped, confidentialinformation may be compromised.Many credit unions operate on a“bring your own device” basis. 

One employee, for example, may use an iPhone operating systemwhile another prefers Android. TrustCC has researched mobile devicemanagement software and has discovered inexpensive tools. The firmoffers several tips for credit unions offering employees a BYODapproach, including specifying what devices the credit union willsupport and instituting a stringent universal security policy.