BofA on Mobility and Authentication

Mobile Authentication Poses Security Challenges and Benefits
Mobility is undoubtedly changing the way consumers interact with financial institutions. From traditional banking to payments, the mobile channel is revolutionizing financial services at a rate with which most financial institutions are struggling to keep up.

At Bank of America, with $1.45 trillion in assets, mobile banking has become a priority, primarily because of consumer demand. But the foray into this new financial-services arena comes with risk, and any banking institution that wants to make mobile services a win for consumers must ensure it is consistently reviewing and implementing security layers and controls.

At least that's the way Keith Gordon, senior vice president of BofA's security, fraud and enrollments for mobile and online banking, sees it. "As you look at online threats today, in many cases, those same concerns transfer over, regardless of the device customers are using," Gordon says. "The [mobile] application itself gives us more opportunity to include security capabilities. ... The challenge that we see is that we need to be able to validate who our customers are and authenticate them effectively."

Verifying Users

Validation and authentication on mobile devices are not quite the same as they are in the PC environment. And consumers, who often are not aware of the risks they face when banking online, on a PC or via mobile, need to be educated, not just about incoming threats, but also about user behaviors that can increase their risk of a security compromise.

Soon-to-take-effect updated authentication guidelines from the Federal Financial Institutions Examination Council touch on the need for stronger device identification and user authentication. Although Gordon did not specifically address the new FFIEC guidelines, he did share insights about authentication steps and controls BofA has implemented for and through its mobile channel, especially in the area of detection capabilities.

"We work hard to know our customers," he says.

When it comes to authentication, a consistent user experience is paramount. "We make sure our customers have the same experience, whether online or mobile," Gordon says. Using the same techniques or questions to authenticate customers who log in via PCs or mobile devices ensures that consistency, and can save an institution dual investments on the technology side.

"If something doesn't look right, it gives us that heads up to know something may not be what it seems," Gordon says. "We analyze millions and millions of transactions a day looking for those patterns."

Out-of-Band Authentication

BofA also is taking steps on the front end to educate consumers about mobile behavior and risks that could unknowingly open the door for attack, another tenet of the updated FFIEC guidance. "We have a security component on the homepage ... and we give specific education to our mobile banking users," Gordon says. "We noticed the customers were asking for very specific information about mobile banking, so we added that this summer."

BofA also uses the mobile channel to keep customers informed about general account activity, such as notifying them via text alerts if irregular online-banking activity is detected.

"Authenticating outside the online channel is critical, and the mobile device has proven to be that exact perfect capability," Gordon says. "We've found it to be an effective fraud-mitigation control."


About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



