Mobile banking, for so long seen as the next leap forward in personal banking services, is finally about to take off – thanks in no small part to the rise of smartphones such as Apple’s iPhone and RIM’s BlackBerry. Soon enough there will be more smartphones than PCs/laptops in the world, and increasingly savvy consumers will warm to the idea of using their handset for a large number of their financial transactions. People on the move, often with an urgent need for money, will find a mobile device easier to use than a computer.
This trend presents the banking industry with opportunities, most notably the potential cost savings expected from a set of self-service account access tools. However, the rise of mobile banking services also creates threats that must be addressed before they become a widespread reality.
Mobile banking is inherently vulnerable. Devices may be lost, stolen or hacked. The person using them may not be their legitimate owner. Mobile networks may be intercepted, either by breaking the wireless encryption mechanism or by hacking into the wired backbone of the network where encryption is not mandatory under telecommunications standards. IT malware that compromises back-end servers, but is harmless in the wireless environment, may be passed through the mobile banking interface.
Threats could emerge on the mobile device, in the mobile network and at the bank’s servers if mobile services are integrated into the core infrastructure. New risks are emerging all the time, as mobile devices become more powerful and more standardised on a small range of platform types.
Unfortunately, there is no easy way to mitigate against these risks. Our research suggests that defence must be designed incrementally to a level that is at least equivalent to that seen in internet banking. Banks must be prepared for attacks that are broadly similar to the range of attacks seen online, and must protect mobile banking services in the expectation that the end-user devices and the network are not free from malware.
Beware of Complacency
The absence of major attacks on mobile devices in the past should not lead banks to dismiss the risk in the future. Fraudsters consistently exploit the channels that provide the easiest and most profitable returns. So far those channels have not included mobile device, but this has mainly been due simply to lack of opportunity. This will change dramatically once mobile devices are used more widely to access financial facilities. Few consumers have yet experienced a mobile malware attack, and even fewer have suffered any significant consequences. While this is reassuring, it raises the risk of a lack of vigilance and a lack of caution by users.
Protection for mobile-banking customers must achieve two major objectives. Security must not detract from usability. It must be unobtrusive enough not to interfere with normal transaction flows, but at the same time provide users with the confidence to know that their banking activities are protected.
Taking a layered approach to protecting mobile users involves making good use of a number of existing and new-generation security approaches. There is a requirement to protect individual mobile devices, the financial systems that they are likely to interact with, and the transaction flows that will be generated. What this means is that the layered security required must be capable of protecting mobile and back-office systems, and also protecting users from their own actions.
The banking industry is experienced in living with risk. Indeed, balancing risks with business benefits is what it specialises in. A risk management approach is needed to steer the mobile banking strategy. In particular, risk assessments may indicate that specific services should not be offered over the mobile channel, or that different transaction value limits should be imposed.
Defence in Depth is Required
We believe that banks should adopt a ‘defence in depth’ strategy in order to detect and limit the effects of an attack on any of the components of the ecosystem. Banks must work with network operators and device vendors to improve security, but they must always assume the possibility of an attack at any tier of the system.
Network vulnerabilities can be avoided by adopting end-to-end encryption of transactions, independent of any encryption provided by the network operator. The main objection to this in the past has been the limited computational power of the mobile device, but the time has come to reject this argument as mobile devices become more powerful. Encryption protects against eavesdropping, message alteration, and ‘man-in-the-middle’ attacks.
Encryption is not, however, a panacea. It requires the secure distribution and storage of keys, and this can be vulnerable to malware on the device. Also, encryption does not protect information while it is being used on the device.
Fraud detection systems are needed at the transaction processing server. After all, the main method for stealing money through mobile banking is initiating a fraudulent payment. We believe it is vital that banks are particularly rigorous in checking the creation of new payment mandates, while emphasising ease of use when making further payments using an existing payment instruction. Banks should consider offering to reverse payments made in error, as they do with direct debit payments, even if fraud is not proven.
Mobile Transaction Security Must Reflect the Medium
Crucially, mobile security must not be simply a copy of internet security. While many of the concerns and strategies are similar, the approach must be tailored to the characteristics of the channel and the way in which it is used. There must be a compromise between security, cost, and user convenience, as there is on other banking channels.
More thought needs to be given to the types of mobile, multi-factor authentication that the banking community will be happy to accept, along with the levels of authentication that the average customer can comfortably accept.
The user must not be overburdened with authentication procedures. It is often more difficult to enter data on mobile devices than it is on a PC. Also, overly burdensome authentication makes it difficult for the user to remember their credentials and they revert to writing these on an insecure piece of paper. Voice authentication appears to be an enticing option for phone users, but the technology is not yet proven.
On balance, our research suggests that the security risks associated with mobile banking services are manageable. Although the volume of incidents so far has not been large, the industry is now at the point where adoption of mobile banking services will attract hackers to some potentially rich pickings. Banks must co-operate with mobile device vendors and mobile network operators to address the issue, or run the risk of being left behind by fraudsters.
This article is based on an Ovum report entitled ‘The Malware Threat to Mobile Banking’.
Many banks around the world, large and small, continue to experience major security failures. Biometric systems such as pay-by-selfie, iris scanners and vein pattern authentication can help.
The implementation date of Europe's revised Markets in Financial Instruments Directive, aka MiFID II, is fast approaching. Yet evidence suggests that awareness about the impact of Brexit on MiFID II is, at best, only patchy and there are some alarming misconceptions.
Despite all the automation and improvements that digital banking has the potential to achieve, customers and their needs still form the very core of the banking sector.
Banks might feel justified in victim blaming when fraud occurs, but it does little for customer confidence.