Mobile Banking: Predicting the Risks

BofA's Security Strategies Hinge on Testing, Collaboration

By , June 4, 2012.

Mobile security threats can be managed through testing and strategic risk mitigation, says Keith Gordon, who oversees authentication and security strategies for Bank of America's consumer online and mobile banking units.

A mobile banking pioneer, Bank of America has come up with some innovative ways to anticipate mobile threats. This top-tier bank has seen its mobile-user base explode, increasing by nearly 3 million users in the last 12 months. It now has more than 10 million mobile users.

Given that rapid growth, coupled with the move toward mobile payments, Gordon says predicting risks before they hit has become a focal point for the bank. And all financial institutions that hope to thwart mobile attacks need to anticipate risks and address them, he stresses in an interview.

"Mobile banking itself has been app-based and has been fairly limited, where moving money outside an institution is concerned," he says. "Now, with mobile payments, we see consumers paying other consumers or even a business, and that is concerning to us. When the money leaves the bank, that's when fraudsters strike, and, in some cases, they are finding gaps."

A reactive approach to those risks and security gaps won't work. And given some of the targeted schemes financial institutions worldwide are now seeing aimed at mobile, any institution offering mobile financial services needs to develop its own proactive program to address those risks.

Gordon heads a team that's developed an emerging threats program. "Literally, their job is to not only work to identify threats within the bank, but also work with other institutions, even outside financial services, to see what is really happening out in the marketplace right now that the general consumer may not hear about."

By communicating with government partners, vendors and others in overseas markets, such as Europe and Australia, Gordon's team is creating a roadmap of risk.

That roadmap is designed around anticipated risks - emerging threats expected to hit mobile in the future. "We can apply the threats they're seeing to our environment, to see if there's a (security) gap that we can identify through a new process or exploit."

Mobile-Threats Innovation

Six years ago, Bank of America developed a program called Security by Design - a testing strategy created to help the bank get in front of potential vulnerabilities identified during app development. After initially focusing on online banking, the program now is being applied to mobile.

"As we go through the process of using a new application in the testing environment, we have certain thresholds to ensure all of those threats and vulnerabilities, identified through ethical hacks, are remediated before they are actually available for customers to use," Gordon says.

Relying on numerous vendors, as well as internal testing, to identify potential risks through ethical hacks often yields mixed results. Vulnerabilities revealed through one assessment may not show up in another, Gordon notes. "That's actually a benefit, because different groups and different companies look at things differently," he says. "So we're using that as a positive aspect of our Security by Design lifecycle, to ensure we fill all the gaps."

Some of those gaps can be managed and addressed through application design and coding, handled in-house. But dealing with external risks, often brought on by the way mobile users behave, is a challenge.

To address those risks, Bank of America is encouraging its partners to develop innovative solutions for mobile-malware protection. For example, the bank will soon offer its customers a mobile malware protection program, designed by McAfee.

In the interview, Gordon also discusses:

  • Strategies Bank of America has enlisted to educate its customers about mobile risks;
  • Why mobile threats have to be constantly reviewed; and
  • How the security challenges posed by different mobile platforms, such as Android, can be managed.

At Bank of America, Gordon develops and manages the authentication and security strategies and product development for consumer online and mobile banking. His team oversees authentication, authorization, privacy and security for online and mobile banking. The team also plays a role in online and mobile customer education, identity management, domain management and enrollment. Gordon manages the bank's e-mail security strategy, addressing online threats and fraud at the enterprise level. He has been involved in the development of the bank's enterprise cybersecurity strategy. The Security by Design strategy his team developed has a patent pending.

Follow Tracy Kitten on Twitter: @FraudBlogger
