Mobile Providers Tackle Security Concerns

Some mobile banking security fears are based on the unknown.

November 19, 2011
/ PRINT / ShareShare / Text Size +

“No conversation with a credit union client takes place these days without a mention of mobile. It’s no longer any sort of novelty—it’s integral to any security discussion,” says Brian Abele, vice president of product management at Q2ebanking. “Emerging technology always brings unknowns, so people’s concerns are basically worries about the unknown.”

But Abele agrees with his industry peers that the level of threats to the security of mobile devices isn’t as great as many credit unions fear.

“Threats that credit unions raise with us more than in any other area is someone else getting a mobile device and using it—getting the user name and password,” says Tom Campbell, vice president of sales at PM Systems. “Since phones are carried everywhere, it’s easier to lose them or have them stolen, certainly compared to a PC in somebody’s house. Also, there’s a concern that easy-to-use bill pay or person-to-person funds transfer apps could be used by a fraudster.”

But, Campbell asks, can those fears be realized?

“Theoretically, yes; but practically speaking, probably not,” he says. “First, it’s hard to steal money via a mobile device because it leaves a paper trail. And the person who finds or steals a mobile device isn’t likely to know anything about its owner, which makes it difficult to use the device for fraudulent purposes.”

The threat to mobile devices can be marginally less than the threats to a regular website, Campbell says. That’s true for two reasons:

  1. Credit union mobile sites can drop a cookie on the phone that helps them identify its user; and
  2. Mobile devices have certain identifying characteristics that indicate characteristics about the user.

“For example, when a phone ‘talks’ to our server, there’s a header that shows its operating system and the browser version its owner uses,” Campbell explains. “So if they normally come in on an iPhone but now are coming in on an Android device, that alerts us that there could be fraudulent activity going on.”

“We see the biggest threats on this channel as the presumption of fraud and the lack of education about what to expect with this channel,” says Jeremiah Lotz, manager of e-commerce solutions at PSCU Financial Services. “It’s a lot like when online banking was introduced: People had great concerns about security and didn’t quite know their way around the topic.”

One area security providers are watching is apps.

“In security bulletins and publications, mobile banking hasn’t emerged as a threat vector yet. But, as everybody is creating apps and websites, it will become an issue,” says Ward Howell, director of security solutions consulting at Q2ebanking.

“A recent survey revealed that 25% of smart phones now have IDs and passwords cached on them,” he continues. “But at this point, there’s not a lot of talk about mobile banking security.”

Lotz says fake mobile apps do exist, but there aren’t many of them.

“Credit unions can teach members what to expect if an app identifies itself as coming from the credit union—certain pieces of information that should be provided if the app is legitimate,” he explains. “But for now, they’re not a real big threat—certainly not as much as on other channels.”

The one form of fraud that will always be the most difficult to deal with, Campbell says, is family fraud.

“It’s the hardest of all types of fraud to protect against,” he says. “When one family member knows so much about another it becomes easy to take over that person’s mobile device and use it for fraudulent purposes.” 

Next: Mobile security best practices

Post a comment to this story


What's Popular

Popular Stories

Recent Discussion

Great article! Unfortunately, most employees don’t feel valued or appreciated by their supervisors or employers. In fact, research has shown that the predominant reason team members quit their jobs is because they don’t feel valued. This is in spite of the fact that employee recognition programs have proliferated in the workplace – over 90% of all organizations in the U.S. has some form of employee recognition activities in place. But most employee recognition programs are viewed with skepticism and cynicism – because they aren’t viewed as being genuine in their communication of appreciation. Getting the “employee of the month” award, receiving a certificate of recognition, or a “Way to go, team!” email just don’t get the job done. How do you communicate authentic appreciation? We have found people have different ways that they want to be shown appreciation, and if you don’t communicate in the language of appreciation important to them, you essentially “miss the mark”. Additionally, employees need to receive recognition more than once a year at their performance review. Otherwise, they view the praise as “going through the motions”. A third component of authentic appreciation is that the communication has to be about them personally – not the department, not their group, but something they did. Finally, they have to believe that you mean what you say. How you treat them has to match the words you use. If you are not sure how your team members want to be shown appreciation, the Motivating By Appreciation Inventory ( will identify the language of appreciation and specific actions preferred by each employee. You then can create a group profile for your team, so everyone knows how to encourage one another. Remember, employees want to know that they are valued for what they contribute to the success of the organization. And communicating authentic appreciation in the ways they desire it can make the difference between keeping your quality team members or having a negative work environment that everyone wants to leave. Paul White, Ph.D., is the co-author of The 5 Languages of Appreciation in the Workplace with Dr. Gary Chapman.

Your Say: Who should be Credit Union Magazine's 2014 CU Hero of the Year?

View Results Poll Archive