Mobile banking at your financial institution: Key risks and countermeasures
RISK BULLETIN
According to a recent report from Forrester Research, more than 46 percent of North American bank customers are expected to be using mobile banking by 2017 [1]. Forrester projects that mobile banking adoption will more than triple in the next four years. Increasingly, mobile banking is surpassing traditional online banking as the preferred way for customers to interact with their financial institutions.
The growing demand for and use of mobile banking services brings more than just operational challenges for financial institutions working to meet customer expectations. One of these challenges is gaining (and then maintaining) customer confidence and trust in the security of mobile banking services. According to a 2012 Federal Reserve study, approximately 32 percent of mobile banking consumer respondents rated the security of mobile banking as either "somewhat unsafe" or "very unsafe," and 34 percent were unsure [2]. Their primary concerns were hackers gaining remote access to their mobile device and someone intercepting payment information or other sensitive data.
Consumers have good reason to be leery. Capturing bank account and related information is, more often than not, a primary goal of cyberattackers looking to profit. Cybercriminal organizations targeting mobile devices are increasingly well funded and sophisticated, and malware written specifically for mobile devices is becoming increasingly prevalent. So, what can management at financial institutions do to help reduce this risk?
Customer education is key and mobile banking should be an area of focus as part of a financial institution's overall customer awareness training program. For organizations that are developing their mobile banking solution(s) in house, here are some key control items that should be assessed and implemented, where feasible:
- Include analysis of mobile banking threats in the ongoing risk assessment.
- Follow a system development life cycle (SDLC) approach for mobile application development that includes secure coding best practices (e.g. quality control monitoring and testing).
- Maintain a comprehensive change management program focused on preventing, and monitoring for, unauthorized changes.
- Enforce industry best-practice password standards.
- Follow the guidance on authentication provided by the Federal Deposit Insurance Corporation (FDIC FIL-103-2005).
- Enforce session expiration after a period of time and upon device lock.
- Independently assess the security around mobile application servers, including logical and physical access.
- Contract for third-party professional assessments of application security (e.g. mobile application penetration testing).
- Do not use SMS as a channel for money movement (or other high-risk transactions).
- Use mutual authentication and encryption through client-server SSL.
- Enforce two-factor authentication.
- If mobile check cashing (remote deposit capture) is offered, do not permanently store the check image on the mobile phone.
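As an added illustration of the session-expiration control above (example code, not part of the bulletin), the following Python sketch shows a server-side session store that enforces an idle timeout, an absolute session lifetime, and explicit revocation when the app reports a device-lock event. The timeout values and the `on_device_lock` event name are assumptions for the example, not values taken from any guidance.

```python
from dataclasses import dataclass

# Policy values are assumed for this example; an institution would set its own.
IDLE_TIMEOUT = 5 * 60        # seconds of inactivity before the session expires
ABSOLUTE_TIMEOUT = 30 * 60   # hard cap on session lifetime, regardless of activity


@dataclass
class Session:
    token: str          # opaque token handed to the mobile client
    created_at: float   # seconds (monotonic clock in production)
    last_seen: float
    revoked: bool = False


class SessionStore:
    """Server-side registry: expiry is decided here, never by the client."""

    def __init__(self):
        self._sessions = {}

    def create(self, token, now):
        self._sessions[token] = Session(token, now, now)

    def on_device_lock(self, token):
        # Hypothetical event sent by the app when the device locks: revoke
        # server-side so the token is useless even if it stays on the device.
        session = self._sessions.get(token)
        if session is not None:
            session.revoked = True

    def validate(self, token, now):
        """Return True and refresh activity if the session is usable; otherwise drop it."""
        session = self._sessions.get(token)
        if session is None:
            return False
        expired = (
            session.revoked
            or now - session.last_seen > IDLE_TIMEOUT
            or now - session.created_at > ABSOLUTE_TIMEOUT
        )
        if expired:
            del self._sessions[token]   # remove rather than leave dormant
            return False
        session.last_seen = now
        return True
```

`now` is passed in explicitly so the policy can be tested with a constructed clock; in a real server it would come from `time.monotonic()`.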
Given the substantial investment required to develop a mobile banking solution in house, many (most) organizations will opt to outsource their mobile banking solution. For these organizations, the vendor management program and oversight of the outsourced service provider will be paramount. Management should be diligent in reviewing and assessing all critical third-party service providers. You can't outsource oversight.
Following the road map outlined above can help reduce your organizational risk and ensure your customers and their assets and information are better protected.
[1] The Mobile Banking Metrics That Matter, Forrester
[2] Consumer and Mobile Financial Services, federalreserve.gov