Mobile Banking: Mitigating Consumer Risks
Users Pose Obstacles in Securing Mobile Transactions
Mobile banking is being adopted by consumers at an increasing rate, but it's just one piece of the overall mobile financial services puzzle. As the mobility trend grows, banking institutions are still figuring out how far ahead they should look, and what strategies make the most sense.
But Paul Smocer, president of BITS, the technology policy division of the Financial Services Roundtable, says most institutions are doing much more than some observers give them credit for doing. Banking/security leaders are very concerned about mobile, and they're doing what they can to anticipate risks.
Because the mobile environment mimics the online environment, says Smocer, many of the same risks and controls that apply to the online channel also apply to mobile.
But there also are new risks - and opportunities. "Clearly, they need to be doing a good risk assessment," Smocer says in an interview with BankInfoSecurity's Tracy Kitten (transcript below)."When institutions look at this particular channel, part of what we're helping collectively try and do is to understand where there may be different and unique threats, where the threats are the same."
A known strong line of defense: knowing and educating the customer.
"As a customer ... you need to protect that mobile phone and recognize that it's no longer just a device on which to speak or even text," Smocer says.
BITS is in the process of conducting research about mobile threats and emerging technologies. To that end, BITS has issued a list of recommendations for mobile security, based on feedback it collected from 50 of its member banking institutions.
During this interview, Smocer discusses:
- Three key areas that make up mobile financial services: banking, payments and mobilized traditional services, such as remote deposit capture;
- Why mobile payments poses the greatest security risks;
- Steps BITS is taking to address mobile concerns, especially as they relate to FFIEC conformance.
Smocer is president at BITS, where he leads initiatives to enhance e-mail security and advance practices for identifying and validating online customers.
Mobile Security Suggestions
TRACY KITTEN: BITS recently issued a list of suggestions for mobile security based on information its mobile financial services working group collected from 50 U.S. financial institutions and security experts in the industry. What stood out among the group's findings?
PAUL SMOCER: I think there were a couple of key points. Obviously this is a service channel that will continue to grow over the next few years and therefore one clearly that institutions need to pay attention to. As a consequence of that, I think institutions recognize that as they offer new products in this channel they need to pay attention to both the risks and the potential mitigations to those risks to protect first and foremost their customers, but also the institutions themselves. I think one of the other key findings is that, particularly in the mobile payment's space, there are a lot of options that are being explored and that the base or core payment system still has yet to be identified. In a nutshell, I would say those are the three primary areas.
The Mobile Threat Landscape
KITTEN: I wanted to ask you about your personal take on the mobile threat landscape. Which threats concern you the most?
SMOCER: When I think of this channel, I think of it in two ways. One is that in a lot of ways it mimics the online environment, so a lot of the same kinds of risks and controls that we need to be concerned about in that environment move over to mobile. Obviously, it's slightly different though as well and there are both opportunities as well as new risks that get introduced.
There's still even within the mobile environment itself, many providers, many operating systems, etc., and that presents something unique that we don't typically see, at least not with the maturity of the online environment that we have today.
KITTEN: What kind of mobile adoption trends and emerging security risks are you seeing, and it sounds like it's just developing?