Mobile Banking Security

Consumers love the convenience, but security issues are making them nervous.

November 14, 2011
/ PRINT / ShareShare / Text Size +

Malware and data breaches

Mobile banking’s future looks bright, but security concerns remain. Recent cell phone scandals illustrate that mobile phones can be hacked, and headlines are screaming about the rapid growth of new malware designed to infiltrate mobile devices and exploit personal information and data.

Android malware is exploding, with an early 2011 incidence 400 times higher than a year earlier, according to a May 2011 report from Juniper Network’s Global Threat Center. Not surprisingly, this is directly proportional to the Android operating system’s market share growth, which has grown from 3.9% in
2009 to an estimated 38.5% in 2011, according to a Gartner research report.

While Juniper indicates Android malware still accounts for less than 1% of all malware in the world, the rate of increase suggests mobile devices are attracting more attention from fraudsters. And if nothing else, security experts agree the growth of nefarious activity raises questions about the security—and the prudence—of managing finances on the fly via the mobile channel.

Security must be a concern for credit unions, says Tom Gray of Member Service Solutions LLC, since he’s asked about it “in every webinar” his firm conducts. Gray, and co-managing partner Rick Hargis, say security drove the design of the firm’s CU Mobile Apps.

The app doesn’t push, pull, or store personal information or financial data on any mobile device. Instead, it functions by tying into a credit union’s existing mobile banking or online banking platform. It then repackages the information and features in a faster, more user-friendly format and adds additional functionality, including a GPS-driven branch locator.

Credit unions that develop their own mobile apps also are approaching security as an essential element. At CommunityAmerica Credit Union, Kansas City, Mo., “security was our No. 1 concern,” says Sam Passer, vice president of program services. “It wasn’t an after-thought. We built the app from the ground up focusing on se-curity.”

As an added precaution, the $1.7 billion asset credit union also enlisted a third-party vendor to do a full security review of the Android and iPhone app prototypes before launching them.

Passer acknowledges that mobile threats are proliferating, and his credit union invests a large amount of re-sources to secure online and mobile systems. But he says the greater risk lies not in the mobile platform itself, but in not offering it to members. “We needed it to stay competitive.”

In developing iPhone and Android apps, 1st Advantage Federal Credit Union, Yorktown, Va., considered only veteran vendors with good track records, says Jim Craig, vice president of marketing. The $539 million asset credit union hopes to launch the apps within the next year—as options in addition to its existing mobile banking site.

While Craig is always concerned about security, he’s not alarmed by the increase in hacking and malware. “What we’re seeing in the mobile space is that it isn’t any riskier than regular Web or Internet banking,” he says.

The financial services industry has a bit of “security fatigue,” agrees Rasmussen. Bombarded with messages about breaches everywhere from shoe stores to mortgage companies, many in the business have come to recognize the role security and risk play in both online and mobile banking. Credit unions and their employees manage risk, but they don’t overreact to it.

“Not every risk associated with doing business can be a crisis,” he explains. “Always operating in crisis mode is taxing, draining, and keeps us from doing our best work.

“Security has found its niche in the way we now conduct business,” he adds. “It’s seen as an ongoing, nev-er-ending part of the way we operate, rather than a one-time tragic event that can be dealt with and then forgotten. As things come up, we’ll deal with them. We have to, because the mobile device isn’t going away.”

Mobile-ready members feel the same way, says Craig. “We aren’t hearing anything from our members about security concerns in relation to the mobile channel. Basically, members concerned about security don’t currently use online banking, and certainly won’t use mobile banking.”

“You certainly have all the controls and all the protection that you have on the PC, because it’s encrypted communication back and forth,” agrees David Dye, an integrated services manager at Diebold Inc. “And mobile does have the protection of username and password. You have as much, or more protection, as you do on a PC.”

Diebold—a CUNA Strategic Services alliance provider—offers a fully functional native mobile banking app along with Card Lock. The latter is a new mobile-controlled solution that allows credit union members to lock and unlock debit and ATM cards to prevent identify fraud.

Next: Push notification

Controls and Protection

Ron Kimball
December 20, 2011 1:06 pm
Great article but I had to comment on David Dye's comments regarding how the controls are "as much, or more protection, as you do on a PC". The devices this article is referring to are consumer based devices and therefore do not require the user to use a username or password. In the case of most mobile phones, if the user does opt to use a password, it is most likely a simple 4-digit numeric password. I fully understand, and agree, that authentication and network encryption are on par with most PC applications but to say the controls are the same (or better) is a bit of a stretch. I would contend that it's more likely that a PC has anti-virus installed (perhaps not updated but installed), on a windows PC perhaps has the security center running, and maybe even a firewall. From a risk perspective I would have to say the impact to the user is the same, the likelihood of loss is significantly higher since I haven't heard of too many PCs being left in the back of taxi-cabs lately and the control environment is signficantly different. I'm not advocating that PCs are better, just that to say the risk is the same or better with a mobile device is very misleading. Both environments are plagued with their issues and users need to be aware of the risks. I just don't think it's wise to go on record with a user and say they're 'more secure' than they would be if they used their PC. IMHO

Flag Comment as Offensive

Post a comment to this story

What's Popular

Popular Stories

Recent Discussion

Who Should Be the 2015 CU Hero of the Year?

View Results Poll Archive