Mobile security best practices
Howell says one of his most important roles is education.
“We present best practices wherever we go, regardless of what technology a credit union uses,” he says. “One thing we know is that the smart phone has become the hub of almost everyone’s universe—social, personal, financial. So already there’s a set of consumer best practices emerging.”
Howell says these security best practices include always having the phone’s password turned on, knowing how to kill data remotely, and replacing lost phones immediately.
People often are overly trusting with their phones, adds Mickey Goldwasser, vice president of marketing for Q2ebanking.
“When somebody says, ‘Hey, let me see your iPhone,’ it can be easy for somebody to pick up vital information about the owner,” he warns. “There should always be a password.”
Proper use of a password is as important as having one. Abele says credit unions should teach members not to lock in an ID and password just so they can access their accounts without checking in.
“It’s a minor inconvenience for the amount of security gained,” he maintains.
Some credit unions encourage members to use their mobile devices as tokens to access Internet banking.
Users log in, identify themselves, click a button, and receive text messages containing a temporary code.
Then they input the code to get to a banking site, but the code is good for only one use. Anybody trying to use it a second time is locked out.
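As an added illustration of the one-time text-message code described above (not code from any vendor named in this article), this Python example shows the server-side check that makes a code good for only one use. The six-digit format, five-minute lifetime, three-guess limit, and all class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumption: the article gives no lifetime for the code
MAX_BAD_ATTEMPTS = 3     # assumption: the article gives no guess limit


class OneTimeCodeStore:
    """Server-side record of the temporary codes texted to members (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # member_id -> (code digest, expiry time, bad attempts)

    @staticmethod
    def _digest(code):
        # Keep only a hash so a leaked table does not reveal live codes.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, member_id):
        """Create a 6-digit code to send by text message (delivery is out of scope)."""
        code = f"{secrets.randbelow(10**6):06d}"   # drawn from the OS CSPRNG
        expires = self._clock() + CODE_TTL_SECONDS
        self._pending[member_id] = (self._digest(code), expires, 0)
        return code

    def verify(self, member_id, submitted):
        """Return True at most once per issued code."""
        entry = self._pending.get(member_id)
        if entry is None:
            return False                     # never issued, or already used
        digest, expires, bad = entry
        if self._clock() > expires:
            del self._pending[member_id]     # expired codes are discarded
            return False
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[member_id]     # consume it: a second use is refused
            return True
        bad += 1
        if bad >= MAX_BAD_ATTEMPTS:
            del self._pending[member_id]     # too many guesses burns the code
        else:
            self._pending[member_id] = (digest, expires, bad)
        return False
```
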
Howell says credit unions should also remind members to be careful about WiFi.
“At a coffee shop I can’t always be certain the wireless access is secure,” he says. “That’s something credit unions need to tell members.”
Another important feature for mobile banking solutions is end-to-end security, according to Intuit Financial Services, a CUNA Strategic Services alliance provider.
The company’s mobile banking product uses industry-standard technologies (i.e., SSL and WTLS) and security certificates with 128-bit encrypted communication.
No personal or confidential information is stored on the mobile device or in the mobile Web banking application.
Intuit’s solution gives automatic access to mobile banking from the credit union’s website through the company’s mobile device detection capability.
Any user going to a credit union website from a mobile device will be automatically taken to the mobile version of the site.
This mobile redirect filter is standard on all mobile Web banking implementations.
Plus, high availability, fast response time, and network security are assured because the consumer mobile Web banking solution is hosted in the same Intuit Financial Services SAS 70-certified data center that operates its Internet banking service.
Of course, transactional security is a balancing act, says Howell. “At certain levels it’s like a suit of armor. But you can’t run or jump in a suit of armor, so you have to be careful to add enough flexibility to meet members’ needs and expectations.”
Before introducing mobile financial services, he says credit unions should address these questions:
- What types of transactions will you offer?
- How and why will you send alerts to mobile users (e.g., for unusual activity or amounts)?
- Which authentication mechanisms will you offer (e.g., a token feature or one-time password capability)?
Other features to look for in a mobile banking security product, Lotz says, include:
- Session time-out capability, where the server disconnects if there’s no activity after a three- or five-minute window;
- Browser and app sessions that run with standard 128-bit encryption; and
- Vendor education resources to inform members about the best ways to protect their accounts.
“As time goes on, there will be more attempts to compromise mobile channel security, but I’m not sure they will be all that successful,” Lotz says. “That’s because people’s knowledge of their devices and the channel itself is so intimate that it will be hard to defraud them.
“When you combine 128-bit encryption and credit unions’ own educational outreach on best practices for how members can safely use their devices, there won’t be a lot of room for fraud,” he continues.
Still, Goldwasser advises vigilance by both credit unions and members.
“There is never a time to let down. Besides service, the thing members want most is the trust and security their credit unions deliver. If members don’t trust your security, nothing else will matter.”