Mobile Providers Tackle Security Concerns

Some mobile banking security fears are based on the unknown.

November 19, 2011
/ PRINT / ShareShare / Text Size +

Mobile security best practices

Howell says one of his most important roles is education.

“We present best practices wherever we go, regardless of what technology a credit union uses,” he says. “One thing we know is that the smart phone has become the hub of almost everyone’s universe—social, personal, financial. So already there’s a set of consumer best practices emerging.”

Howell says these security best practices include always having the phone’s password turned on, knowing how to kill data remotely, and replacing lost phones immediately.

People often are overly trusting with their phones, adds Mickey Goldwasser, vice president of marketing for Q2ebanking.

“When somebody says, ‘Hey, let me see your iPhone,’ it can be easy for somebody to pick up vital information about the owner,” he warns. “There should always be a password.”

Proper use of a password is as important as having one. Abele says credit unions should teach members not to lock in an ID and password just so they can access their accounts without checking in.

“It’s a minor inconvenience for the amount of security gained,” he maintains.

Some credit unions encourage members to use their mobile devices as tokens to access Internet banking.

Users log in, identify themselves, click a button, and receive text messages containing a temporary code.

Then they input the code to get to a banking site, but the code is good for only one use. Anybody trying to use it a second time is locked out.

Howell says credit unions should also remind members to be careful about WiFi.

“At a coffee shop I can’t always be certain the wireless access is secure,” he says. “That’s something credit unions need to tell members.”

End-to-end security

Another important feature for mobile banking solutions is end-to-end security, according to Intuit Financial Services, a CUNA Strategic Services alliance provider.

The company’s mobile banking product uses industry standard technologies (i.e., SSL and WTLS) and security certificates with 128-bit encrypted communication.

No personal or confidential information is stored on the mobile device or in the mobile Web banking application.

Intuit’s solution gives automatic access to mobile banking from the credit union’s website, due to the company’s mobile device detection capability.

Any user going to a credit union website will be automatically taken to the mobile version of the site.

This mobile redirect filter is standard on all mobile Web banking implementations.

Plus, high availability, fast response time, and network security are assured as the consumer mobile web banking solution is hosted in the same Intuit Financial Services SAS70-certified data center that operates its internet banking service.

Of course, transactional security is a balancing act, says Howell. “At certain levels it’s like a suit of armor. But you can’t run or jump in a suit of armor, so you have to be careful to add enough flexibility to meet members’ needs and expectations.”

Before introducing mobile financial services, he says credit unions should address these questions:

  • What types of transactions will you offer?
  • How and why will you send alerts to mobile users (i.e., for unusual activity or amounts)?
  • Which authentication mechanisms will you offer (i.e., a token feature or one-time password capability)?

Other features to look for in a mobile banking security product, Lotz says, include:

  • Session time-out capability, where the server disconnects if there’s no activity after a three- or five-minute window;
  • Browser and apps run with standard 128-bit encryption; and
  • Vendor education resources to inform members about the best ways to protect their accounts.

“As time goes on, there will be more attempts to compromise mobile channel security, but I’m not sure they will be all that successful,” Lotz says. “That’s because people’s knowledge of their devices and the channel itself is so intimate that it will be hard to defraud them.

“When you combine 128-bit encryption and credit unions’ own educational outreach on best practices for how members can safely use their devices, there won’t be a lot of room for fraud,” he continues.

Still, Goldwasser advises vigilance by both credit unions and members.

“There is never a time to let down. Besides service, the thing members want most is the trust and security their credit unions deliver. If members don’t trust your security, nothing else will matter.”


• Intuit Financial Services
• PM Systems
• PSCU Financial Services
• Q2ebanking

Post a comment to this story


What's Popular

Popular Stories

Recent Discussion

Great article! Unfortunately, most employees don’t feel valued or appreciated by their supervisors or employers. In fact, research has shown that the predominant reason team members quit their jobs is because they don’t feel valued. This is in spite of the fact that employee recognition programs have proliferated in the workplace – over 90% of all organizations in the U.S. has some form of employee recognition activities in place. But most employee recognition programs are viewed with skepticism and cynicism – because they aren’t viewed as being genuine in their communication of appreciation. Getting the “employee of the month” award, receiving a certificate of recognition, or a “Way to go, team!” email just don’t get the job done. How do you communicate authentic appreciation? We have found people have different ways that they want to be shown appreciation, and if you don’t communicate in the language of appreciation important to them, you essentially “miss the mark”. Additionally, employees need to receive recognition more than once a year at their performance review. Otherwise, they view the praise as “going through the motions”. A third component of authentic appreciation is that the communication has to be about them personally – not the department, not their group, but something they did. Finally, they have to believe that you mean what you say. How you treat them has to match the words you use. If you are not sure how your team members want to be shown appreciation, the Motivating By Appreciation Inventory ( will identify the language of appreciation and specific actions preferred by each employee. You then can create a group profile for your team, so everyone knows how to encourage one another. Remember, employees want to know that they are valued for what they contribute to the success of the organization. And communicating authentic appreciation in the ways they desire it can make the difference between keeping your quality team members or having a negative work environment that everyone wants to leave. Paul White, Ph.D., is the co-author of The 5 Languages of Appreciation in the Workplace with Dr. Gary Chapman.

Your Say: Who should be Credit Union Magazine's 2014 CU Hero of the Year?

View Results Poll Archive