Mobile banking is being adopted by consumers at an increasing rate, but it's just one piece of the overall mobile financial services puzzle. As the mobility trend grows, banking institutions are still figuring out how far ahead they should look, and what strategies make the most sense.
But Paul Smocer, president of BITS, the technology policy division of the Financial Services Roundtable, says most institutions are doing much more than some observers give them credit for doing. Banking/security leaders are very concerned about mobile, and they're doing what they can to anticipate risks.
Because the mobile environment mimics the online environment, says Smocer, many of the same risks and controls that apply to the online channel also apply to mobile.
But there also are new risks - and opportunities. "Clearly, they need to be doing a good risk assessment," Smocer says in an interview with BankInfoSecurity's Tracy Kitten (transcript below). "When institutions look at this particular channel, part of what we're helping collectively try and do is to understand where there may be different and unique threats, where the threats are the same."
A known strong line of defense: knowing and educating the customer.
"As a customer ... you need to protect that mobile phone and recognize that it's no longer just a device on which to speak or even text," Smocer says.
BITS is in the process of conducting research about mobile threats and emerging technologies. To that end, BITS has issued a list of recommendations for mobile security, based on feedback it collected from 50 of its member banking institutions.
During this interview, Smocer discusses:
- Three key areas that make up mobile financial services: banking, payments and mobilized traditional services, such as remote deposit capture;
- Why mobile payments pose the greatest security risks;
- Steps BITS is taking to address mobile concerns, especially as they relate to FFIEC conformance.
Smocer is president at BITS, where he leads initiatives to enhance e-mail security and advance practices for identifying and validating online customers.
Mobile Security Suggestions
TRACY KITTEN: BITS recently issued a list of suggestions for mobile security based on information its mobile financial services working group collected from 50 U.S. financial institutions and security experts in the industry. What stood out among the group's findings?
PAUL SMOCER: I think there were a couple of key points. Obviously this is a service channel that will continue to grow over the next few years and therefore one clearly that institutions need to pay attention to. As a consequence of that, I think institutions recognize that as they offer new products in this channel they need to pay attention to both the risks and the potential mitigations to those risks to protect first and foremost their customers, but also the institutions themselves. I think one of the other key findings is that, particularly in the mobile payments space, there are a lot of options that are being explored and that the base or core payment system still has yet to be identified. In a nutshell, I would say those are the three primary areas.
The Mobile Threat Landscape
KITTEN: I wanted to ask you about your personal take on the mobile threat landscape. Which threats concern you the most?
SMOCER: When I think of this channel, I think of it in two ways. One is that in a lot of ways it mimics the online environment, so a lot of the same kinds of risks and controls that we need to be concerned about in that environment move over to mobile. Obviously, it's slightly different though as well and there are both opportunities as well as new risks that get introduced.
There's still even within the mobile environment itself, many providers, many operating systems, etc., and that presents something unique that we don't typically see, at least not with the maturity of the online environment that we have today.
KITTEN: What kind of mobile adoption trends and emerging security risks are you seeing, and it sounds like it's just developing?
SMOCER: When we think of mobile, we tend to think of it in the broad sense of mobile financial services incorporating really three or four key areas. One is mobile banking itself and I think most people have come to define that, and we have certainly come to define that, as basically taking a lot of the functionality that was available to customers in the online environment and moving it over to the mobile phone space. I think there's a pretty high rate of adoption and implementation in that environment today, because the technology is fairly well-known, the controls are fairly well-known and there's a level of comfort with customers in terms of using that same functionality but in a different channel.
I think the next level is what we call the mobilization of some of the services that customers tend to have to be physically present to perform today. Probably the best example of that is the idea of remote deposit capture, capturing copies of checks and making the deposit through your mobile phone. Whereas today to do that, you typically have to either go to an ATM or go into a bank branch. That's also emerging relatively quickly and there are, I believe, a good set of controls around that.
The third key area is the whole mobile payment space, and that's frankly where we still see the most churn and the most study being done with regard to ways to adequately control the risk in that space. There are a lot of players in that market now. The market itself, I'm sure, will mature over time but there are a lot of options and a lot of ways to effect the idea of mobile payments, and that ecosystem is still pretty broad and still going through a lot of turn as folks try and think about the best ways to offer those services. And I also think, as a lot of the recent articles and studies have suggested, there's a bit of trepidation on the part of consumers to really want or accept that service, knowing how it might affect both their security and their privacy. The area of mobile financial services, the mobile payments space, is going to have a longer maturity cycle than we're seeing in some of the others.
Some of the folks who have been involved in the work we've done so far provided to us and we thought they were good recommendations. Some of them cover information with regard to what customers can do to protect themselves in this environment, and some of them obviously relate to the environment itself and what institutions can do. There are some that speak to how as a customer - now that some of this functionality is being added to your mobile phone - you need to protect that mobile phone and recognize that it's no longer just a device on which to speak or even text, but now it's a device that provides you with the opportunity to find confidential and private information.
If I were to look at the recommendations, the fundamental piece of advice that I would make is that you almost need to start to think of your phone in the same way you think of your wallet today. It's something you need to protect and it's something you need to make sure that you're not sharing with folks that you might not want to see the kind of information that you have available through it today.
KITTEN: How often does BITS expect to update these recommendations?
SMOCER: We're actually in a series of fairly continuing work. We started another cycle of work about a month or so ago. As I mentioned earlier, this is clearly an emerging channel. There's a lot of opportunity for both institutions and their customers to benefit from this channel. We see this as something which we'll likely be concentrating on over the next few months to try and refine the work we've done so far, and probably eventually get to a series of stronger recommendations. I hesitate [to say] best practices, but perhaps at some point that will be the outcome as well.
KITTEN: Now when it comes to mobile security, a number of institutions have questions, especially about steps they should take to ensure their mobile online banking platforms conform to the FFIEC's updated authentication guidance. Given the absence of mobile's mention in that guidance, what types of questions has BITS been getting about mobile security from banking institutions?
SMOCER: I think most institutions recognize by now that the regulators intend that guidance to really apply to any electronic environment. It was originally issued in I believe 2005, if I recall correctly, and referred to as Internet banking authentication, but it became quickly clear to institutions from the messaging from the regulators that it was broader than Internet banking. It included at that time not only Internet banking but some of the call center kind of work as well. So I think institutions generally understand that, given that scope, it also applies in the mobile banking space as well.
I think to the extent there are questions, it's not around its applicability per se, but it's around how to effect the same kinds of controls in the mobile space that we have seen grow in the online environment as well, whether it's how best to authenticate customers who are using their mobile phone as the entry channel or how best to monitor for anomalous activity. Many of the same kinds of controls still apply. The question is, how does the technology make their implementation different? That has been the subject of a fair amount of discussion that we've had with our members.
Layers of Security
KITTEN: I wanted to actually pull out some comments that were included in the recommendations, and there was one that stood out. It was made by Jim Routh, head of mobile security for Chase, and he says that financial institutions need to get consumers to password protect their mobile devices. I wonder what that means from an FFIEC conformance perspective. What additional layers of security, such as stronger passwords for account log-in, might BITS recommend?
SMOCER: I think there are a couple of things to consider, particularly with Jim's comment. As with any online channel, there are responsibilities and risks that the institution needs to address and there are also responsibilities and things that a consumer can do to protect themselves more effectively. I think in Jim's quote, he was pretty specifically talking about the idea that mobile phones typically come with the ability to lock the phone after a certain period of inactivity. That kind of simple step by a consumer protects the phone itself and use of the phone, but I think that realistically institutions, and I think this is what your question is getting to, are looking at the authentication techniques that a customer would use to actually access their account information or, if we go all the way to the end of the channel, to actually effect a mobile payment of some sort. It's a slightly different nuance.
In the one case, you're talking about protecting the physical device itself by having the time-out and the password lock that requires you to enter a password to actually use the phone itself. That's kind of a first line of defense that a consumer can easily implement, but I think looking at the authentication techniques that are available, some mimic the online environment, requiring you to enter a user ID and password and to validate information that's returned to you, or ask challenge questions. Those same kinds of things are available.
I think among the promises that mobile offers as a channel and certainly something that we're continuing to look at is whether the device itself also offers additional authentication techniques that might be unique to the phone environment. The ability, for example, to use some biometrics via the use of the camera to take a picture and validate that it's in fact the customer, or in some cases phones that have fingerprinting abilities on them, are certainly things we're exploring as other possible authentication techniques going forward.
KITTEN: What steps or recommendations do you have for banks that they should be taking now to enhance mobile security?
SMOCER: Like any product or channel in which a financial institution offers services, clearly they need to be doing a good risk assessment. I think that's something that institutions understand just from a good risk management perspective and it's certainly something I think they understand that the regulators expect them to do as well. When institutions look at this particular channel, part of what we're helping collectively to try and do is to understand where there may be different and unique threats, where the threats are the same that have been faced before.
And as a consequence of that, kind of just very base analysis if you would, what kind of mitigations that we've used in the past effectively can also apply in this channel and where [does] the channel present unique risks? What do we have to do to mitigate those risks for the customer and the institutions? A lot of continuing research will be going on in this space. We're certainly, as I mentioned earlier, focusing on this. Everybody really wants to get this right. It's a brand new channel with a lot of promise, but as a brand new channel I think collectively we want to make sure that we understand it well and that we mitigate the risks up front in the channel before it expands significantly.