From security to strategy: How banks can meet the mobile banking challenge
FINANCIAL INSTITUTIONS INSIGHTS |
Increasingly, consumers expect to be able to do their banking anywhere, at any time and from any device. That means that mobile banking has gone from being a curiosity to an expectation with record speed. A few short years ago, the idea of a customer snapping a picture of a check and making a deposit from a mobile phone was science fiction. Now it is the sort of convenience that consumers expect. According to the Federal Financial Institutions Examination Council(FFIEC), almost 50 percent of individuals under 35 used mobile banking at least once in the last 12 months, and 25 percent of all bank customers use mobile banking.
Yet financial institutions and consumers alike are concerned about the security issues attendant to mobile banking. According to a recent FDIC report, security is also a main reason "…why unbanked mobile phone users choose not to use mobile payments specifically, cited by 36.2 percent of unbanked mobile users. Lack of trust in the technology (31 percent) and not having the necessary features on the phone (29.4 percent) were the next most common reasons why unbanked mobile users do not use mobile payments." To start with, there's the fact that the devices involved are mobile. Cell phones and tablets are more easily lost or stolen than a laptop or desktop, and there is a greater time period between the disappearance of the device and the confirmation of its disappearance. So it is important that apps are configured accordingly, understanding that physical security is not assured. Apps should not be configured to save passwords on the device, since that would mean that anyone, including a thief who has the device, would also have access to the customer's account.
Mobile malware is also on the rise, adding another threat to mobile devices, since mobile anti-virus products are not as mature as desktop versions. Of note is that mobile malware for Android devices is especially rampant, with an over 500 percent increase in unique malware variants in the last 12 months. Most of this malware focused on stealing sensitive information off the devices or intercepting sensitive traffic (similar to viruses on desktops and laptops for the past five years). Malware is another reason to make sure passwords are not stored locally on mobile devices, as malware utilizes these stored items to give attackers access to customer accounts and data that are stored on the phone. Consumers simply are not yet as conscious of mobile threats as they are of threats to their laptops or other computers. It is also a good reason for financial institutions to help educate their customers about mobile security threats.
Another one of the issues financial institutions should educate their customers about is the potential threat involved with financial consolidation systems, such as Mint.com, Budget Boss, Spendie or Manilla. As we conduct more of our business online, the list of usernames and passwords we need to remember continues to grow. The convenience, as well as the consolidated view of all our finances in these systems, is very attractive. But since these applications store all of a consumer's usernames and passwords in a single location, the impact if either the site itself or the user's mobile app is compromised is considerable. A typical attacker may be able to compromise a credit card or a checking account and empty it before you notice. However an attacker with access to one of these consolidation systems could potentially empty your checking account, 401(k), savings accounts, trust funds or investment accounts and max out your credit cards in less than 24 hours. Even if all the funds were able to be recovered and no financial loss was suffered, the wake left by the attacker is going to take months, if not years to settle back to normal.
There are unique concerns for financial institutions, too. For example, those checks deposited via cell phone picture? How can financial institutions protect against the same check being deposited physically at one of their branches, or more problematically, at another institution?
Fortunately, while the risks to any financial institution are considerable, they also can be addressed, and perhaps more easily than many institutions think. When Internet banking was new, many of the same or similar security issues had to be addressed for the first time. Those measures have now had several years to mature, and many of them can be effectively applied to mobile banking often with little or no additional effort.
For example, the same secured sockets layer (SSL) common encryption technology used to secure Internet banking and other Internet commerce can and should be used for mobile banking. This is a well-vetted technology that has been updated many times since its original release to address emerging security threats.SSL allows the consumer to establish a secure, trusted connection with the bank that encrypts data and ensures delivery without tampering. Where there have been security vulnerabilities with SSL, such as "Heartbleed," they tend to be due to implementation problems, rather than the design of SSL itself.
Mobile devices also can leverage the same multifactor authentication strategies used online. In fact, new generations of mobile devices frequently have new authentication features that computers do not, including biometric options, like fingerprint scanning, facial recognition and voice recognition. By taking advantage of these options, financial institutions can not only help to ensure the security of mobile banking, they can also help the customers feel more secure—and perceived security is vital to mobile banking adoption rates.
As discussed above, it is vital that sensitive information like passwords not be cached on mobile devices. Such data should be stored only at the mobile banking server and hashed when possible, where far more stringent protections can be established. Consumers should also be educated to take advantage of alerts so that compromises can be caught earlier or even prevented. For an effective alert strategy, it may make sense for consumers to request alerts regarding mobile transactions be sent to their online email while alerts regarding card transactions or online transactions are sent via text. In fact, mobile devices present an additional authentication opportunity for both financial institutions and consumers if used to confirm large card purchases or online account-to-account transfer requests.
Just as many of the technical safeguards developed for Internet banking can be effectively leveraged for mobile banking, so too can many operational safeguards. For example, using the same holds on funds that protect against fraudulent ATM deposits can help protect against fraudulent mobile deposits. And those efficiencies extend beyond security. The same back-end processing currently used for deposits, data changes and communications for online accounts can be leveraged for mobile banking.
From security to strategy
Yes, there are challenges, but building an effective mobile banking offering is worth the effort. A mobile banking offering can help your financial institution reduce the cost of your branch footprint, while simultaneously giving you a way to expand your geographic reach. It will also allow you to build deeper, more responsive and more innovative relationships with your consumers, as access to a wealth of data facilitates a better understanding of consumer habits so you can anticipate and serve their needs.
So what does the current standard for mobile banking services look like? While the specific features offered by financial institutions vary, most mobile offerings are drawn from the following list of features:
- Managing account information
- Account statements
- Transaction history
- Account alerts
- Balance monitoring
- Monitoring of term deposits
- Loan statements
- Credit card statements
- Personal financial management (budgeting, spend analysis and account aggregation)
- Making payments, deposits, withdrawals and transfers
- ATM transactions
- Fund transfers
- Purchase tickets
- Bill payment
- Peer-to-peer payments
- Digital wallet
- Mobile deposit capture
- Picture pay
- Reloading prepaid cards
Financial institutions often also include tools to allow mobile users to find network ATMs and branch locations.
Looking to the future, Generation Y consumers offer a final, powerful reason to upgrade your mobile banking efforts. They have very different habits than their predecessors. They rarely go into branches, viewing them almost as a necessary evil. They want expanded mobile payment options—increasingly, they think of their smartphones as their wallets. This means they expect access to their money at any location, from any location and at any time. For these consumers, mobile banking isn't something extra, it's how they expect to do most of their banking.
Mobile banking is already radically changing the banking environment. Those financial institutions that develop the right strategies and address the emerging security issues will build a powerful competitive advantage.