Mobile Banking: How Secure Is It?
Malware, Apps, User Behavior Are Key Concerns
Movement in the mobile channel is exciting for bankers and customers alike. But that movement does not come without security concerns.
How secure is mobile banking? The short answer: No one really knows. The complexity of the mobile channel -- which includes a number of players, from the financial institutions and customers themselves to the wireless carriers and third-party developers of downloadable applications -- is part of what makes mobile so daunting.
Take smart phones as an example. They offer advanced data services, such as web access and the ability to download apps. But how secure is banking via a mobile browser, and how can institutions ensure that the apps their mobile users download are not storing financial data to devices that can be compromised, should a user's phone be lost, stolen or hacked? As the smart-phone market in the United States grows, these are the questions the industry must answer.
SMS/text-based banking, which is quickly becoming a mainstream mobile offering from institutions, serves up its own worries, as vishing attacks targeted at mobile phones become more prevalent. Bend-based Mid Oregon Federal Credit Union, with $140 million in assets, launched SMS and browser-based mobile banking in late 2009. Last month, the credit union's membership was hit with a text-based vishing attack. Ray Spreier, Mid Oregon FCU's chief information officer, says the advent of mobile banking makes these types of attacks more prevalent.
"It's not the text function itself that is the problem; it's just that as more people use it, the criminals are more likely to target the phone," he says. "And I think we can expect to see the look and the feel of these (text) attacks get better, making it hard for the member to recognize the difference between what is coming from the credit union and what is not."
Most bankers and security experts are only beginning to look at the risks. There is no specific federal guidance for mobile banking. Regulators suggest the majority of banking services offered via the mobile channel fall under the same purview as other electronic banking services, such as those offered through the online channel. But nuances exist.
Donald Saxinger, senior examination specialist with the Federal Deposit Insurance Corp., says the mobile arena has so many different network operators and so many different platforms that financial institutions have a number of security risks to consider. "Banks are, in many cases, using third-party developers to develop applications that are not regulated," he says. "That's one big difference."
Downside of Downloads
So it's not surprising that downloadable apps are raising the greatest concern. Bank of America, the largest U.S. provider of mobile-banking services, with 5 million mobile browser and downloadable-app subscribers, is working to address those app risks. Marc Warshawsky, senior vice president of mobile channel planning and design for BofA, which has $2.36 trillion in assets, says BofA provides links to approved downloadable apps from its website. "Customers should only download apps that are published by Bank of America," he says. Once downloaded, BofA's apps are protected using the same two-factor or site-key-image authentication that is used for online banking.
Warshawsky's recommendations to institutions regarding apps:
- Provide links to approved mobile banking apps on the institution homepage;
- When customers or members download apps, provide tokens, picture keys or PINs when links to apps are text-messaged or e-mailed to mobile devices;
- Provide separate log-in PINs for mobile banking.
Robert Vamosi, a Javelin Strategy & Research analyst who focuses on risk, fraud and security, says spyware that is hidden in a downloaded app or even texted to a user's device should be the institution's real worry. "You're going to see spying apps that are basically Trojan horses. They will capture your location data and any information that you enter on the phone," he says. Dr. Markus Jakobsson, a noted security expert in the field of phishing and crimeware, says malware aimed at mobile devices will pose the next big headache for security professionals. Though malware for mobile remains relatively low, it's not expected to stay that way. "Malware writers are just crooked businessmen," he says. "I imagine they are working overtime to create malware for the smart phone platforms."
Vamosi says open-source apps, such as those available for download from Google's Android Market, are, in theory, the least secure. Closed-source apps, such as those available from the Apple Store and BlackBerry App World, must be certified by Apple and BlackBerry before they are made available to the public. But the "walled garden approach," as Vamosi calls it, is not necessarily more secure. Malware writers "have gotten some stuff into the Apple Store that should not have gotten in, just because of the way in which they wrote or packaged" the app, he says.
The most notable case of malware to hit an app store occurred last December. Malware posing as banking apps was found on Android Market for more than 50 institutions that did not at the time offer mobile banking. Most quickly issued warnings and advised customers and members to drop use of Android until Google could tighten its security.
Bryan Taylor, chief executive of Atlanta-based Anderson Taylor, a software-platform developer that specializes in mobile services, says BlackBerry, iPhone and Android have an obligation to test their apps, and that is becoming more common practice. "iPhone led the way by putting any application through testing processes," he says. "The Apple Store also is certifying every app's authenticity."
BlackBerry is starting to follow suit, he says, and is even taking it a step further -- BlackBerry is working to be the single source for all BlackBerry apps that are provided to wireless carriers, such as Verizon, AT&T, Sprint and T-Mobile. BlackBerry also requires app developers to purchase BlackBerry license keys. So, when an app is downloaded by a user from BlackBerry App World, the developer's license key associated with that app tells the mobile device that the developer is certified with BlackBerry. Comparatively, with Android, a developer can make his own certification key.
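The distinction Taylor draws above is between a developer key that is vouched for by an authority the device already trusts and a key the developer simply generated. The following Python model, added here as an illustration and not code from any platform or vendor named in the article, shows what a device can and cannot conclude in each case. It is a simplified, constructed model: HMAC stands in for public-key signatures, the store's key plays the role of the trusted root installed on the device, and all key material and app contents are made up for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed key material for the model. In a real scheme these would be
# asymmetric key pairs; here HMAC under a key stands in for "signed by the
# holder of this key", and the device holds STORE_KEY as its trusted root.
STORE_KEY = b"constructed-app-store-root-key"
BANK_DEV_KEY = b"constructed-certified-bank-developer-key"
ROGUE_DEV_KEY = b"constructed-self-made-developer-key"


def key_id(key: bytes) -> str:
    """Public identifier for a key, analogous to a certificate fingerprint."""
    return hashlib.sha256(key).hexdigest()


def sign(key: bytes, message: bytes) -> str:
    """Model signature: HMAC-SHA256 over the message under the signer's key."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


@dataclass
class AppPackage:
    name: str
    code: bytes
    developer_key: bytes                 # the key the device will verify the code against
    developer_signature: str             # developer's signature over the app code
    store_certification: Optional[str]   # store's signature over the developer key id, if any


def build_package(name: str, code: bytes, dev_key: bytes, certified_by_store: bool) -> AppPackage:
    """Package an app the way a developer would: sign the code, and attach the
    store's certification of the developer key only if the store issued one."""
    certification = sign(STORE_KEY, key_id(dev_key).encode()) if certified_by_store else None
    return AppPackage(name, code, dev_key, sign(dev_key, code), certification)


def verify_on_device(pkg: AppPackage, trusted_root: bytes = STORE_KEY) -> dict:
    """What the device can check. Two independent questions:
    1. Was the code signed by the key shipped with the package? (integrity)
    2. Is that key certified by a root the device already trusts? (identity)
    A self-made key can always pass 1; only a certified key passes 2."""
    code_ok = hmac.compare_digest(sign(pkg.developer_key, pkg.code), pkg.developer_signature)
    expected_cert = sign(trusted_root, key_id(pkg.developer_key).encode())
    certified = pkg.store_certification is not None and hmac.compare_digest(
        expected_cert, pkg.store_certification
    )
    return {
        "code_signature_valid": code_ok,
        "developer_certified": certified,
        "verdict": "install" if (code_ok and certified) else "untrusted",
    }


def demo() -> dict:
    """Run the four cases the article's discussion implies and return the verdicts."""
    genuine = build_package("Bank App", b"constructed genuine app code", BANK_DEV_KEY, True)
    # Same name, same claimed purpose, but signed with a key nobody vouches for.
    lookalike = build_package("Bank App", b"constructed lookalike app code", ROGUE_DEV_KEY, False)
    # A lookalike that forges a "certification" by signing its own key id itself.
    forged = build_package("Bank App", b"constructed lookalike app code", ROGUE_DEV_KEY, False)
    forged.store_certification = sign(ROGUE_DEV_KEY, key_id(ROGUE_DEV_KEY).encode())
    # The genuine package with its code altered after signing.
    tampered = build_package("Bank App", b"constructed genuine app code", BANK_DEV_KEY, True)
    tampered.code = b"constructed genuine app code plus injected change"
    return {
        "genuine": verify_on_device(genuine),
        "lookalike": verify_on_device(lookalike),
        "forged": verify_on_device(forged),
        "tampered": verify_on_device(tampered),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10} {result}")
```

The point the model makes is that a valid signature on its own proves only that the package was not altered after the key holder signed it; it says nothing about who that key holder is. That is why an institution publishing the fingerprint of its own signing key, or a store certifying developer keys against a root the device trusts, adds something a self-generated key cannot.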
Ensuring Safety
With so many players touching the mobile channel, and many not regulated by the same consumer protection laws to which the banking industry must adhere, how can financial institutions ensure security?
Natasha Coons, managing director of California-based Teranova Consulting Group Inc., which works with and consults for wireless carriers, says text messages are much more secure than mobile browsing, because they are part of the voice-over-Internet-protocol, or VoIP, network. "Your contact with the cell tower on CDMA has six layers of security," Coons says. "It's the handoff -- the connection to the Internet -- that could, perhaps, not be so secure." CDMA, or code division multiple access, is a standard mobile communications technology protocol.
Marco Andujar, who has conducted independent research in network security and also is a solutions engineer for Sprint, agrees carrier networks are highly secure, because of the inherent security that's built into the technology. "It's a hell of a lot easier to penetrate a device that's got an open link," he says.
In the end, however, more of the discussion needs to revolve around consumer behavior, the FDIC's Saxinger says. "Banks need to know how their customers are using their mobile devices," he says. "That's the bottom line."