Today, mobile banking is highly appreciated as a personal finance management tool: it makes banking easier for users, while banks use smartphones to stay in closer touch with their clients.
However, a recent RateWatch study showed that 36% of clients still do not use mobile banking because of real or imagined security risks. Banks know full well that a secure and reassuring user experience is of utmost importance. So, they are working hard to set up strict security rules and strategies... for their traditional banking services.
The problem is, mobile banking has its own unique issues. Simply adapting online banking tools and infrastructure to mobile would significantly increase the risk. Mobile-specific security measures need to be taken.
Mobile banking raises five major issues:
- Given the growing popularity of mobile payments and digital keys, it is very likely that mobile devices will someday make the two everyday essentials they replace (the wallet and the physical key) obsolete. This means that mobile security becomes absolutely critical if the device is lost or stolen, but it also gives banks an opportunity to make the mobile device a key part of their user authentication strategy, using the many characteristics available on it: GPS, pressure sensors, biometric readers, etc.
- The main goal of mobile use is to provide a constructive experience for users. So, it is more important than ever to strike just the right balance between security and the user experience.
- As a rule, mobile devices offer an “always on” mode for messaging, SMS and browsing, and are used on the move. This may encourage users to open unsolicited e-mails and attachments, visit websites that are not necessarily trustworthy, download third-party applications and reuse the same user name and password across many platforms.
- As the use of unsecured Wi-Fi grows in place of classic wired networks, users are at greater risk of inadvertently compromising their devices’ security.
- The mobile threat landscape is in rapid transformation, and cyber criminals are becoming increasingly skilled.
Banks have no choice but to offer security on several levels. Their solutions need to adapt to difficulties that can arise at any point in the transaction, both front office (client interface) and back office (banking systems identifying and facilitating requests from legitimate users on mobile devices), and in the channel connecting them.
Banks need to focus on certain essential criteria when selecting a solution:
- Integrated, multi-level authentication solutions
Solutions that use many different authentication methods to identify the client and offer end-to-end protection, at the device, the app, the connection and the back-end server, are generally the most robust.
- Ease of assigning and configuring different identification methods
This means an ultra-configurable, multi-entity solution that can apply any combination of authentication methods to user categories, channels and multiple bank divisions, based on the role and rules in force. This approach will help the bank cut operating costs by handling all of its authentication needs on a single platform, even if its activities are run by many bank divisions and entities located around the globe. This solution also lets clients with multiple accounts at the same bank connect to these accounts using a single sign-on (SSO).
- Security for mobile
Possible solutions will include debugger detection, emulator detection, fraud detection and code obfuscation, among other mobile app protection methods.
- Collecting information to head off potential problems through risk analysis, both before and after a system or user device is compromised
The best mobile security solutions anticipate and identify potential threats, old and new, and can use contextual information to correlate threat exposure with expected client behaviours, device configurations and threat profiles.
- Strengthening compliance frameworks
Compliance with PCI standards, for example, strengthens the entire mobile banking security chain by reducing the risks borne by the banks and improving client confidence. The chosen mobile banking solution has to cover compliance frameworks in an integrated way, not deal with them as add-ons.
- Strengthening authentication without impacting the customer experience
While it is logical to use two-factor (or stronger) authentication in the mobile banking security process, users do not want to waste time proving their identity and rights just to check an account balance or send a transfer. To reduce user friction without weakening security, most of the authentication can be done in the background, so the user is not asked for anything extra unless it is absolutely necessary, based on the bank's policy and the risk profile of the request.
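The background, risk-based decision described above can be made concrete with a small scoring policy. The example below is added here for illustration and is not code from the article or from HID Global; the signal names, weights and thresholds are hypothetical, and a real deployment would tune them from its own fraud data. Silent signals (device binding, known network, usual country, the app's own tamper self-check) and the sensitivity of the requested action are scored without involving the user; only when the score crosses a threshold is an explicit second factor requested, and a tampered runtime is refused outright because a challenge run on a compromised app cannot be trusted.

```python
"""Risk-based step-up authentication decision (hypothetical policy)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """Signals the app and back end can gather without asking the user."""
    device_bound: bool      # this app instance was enrolled to the account
    known_network: bool     # the network/IP range has been seen for this user
    usual_country: bool     # location agrees with the user's history
    tampered_runtime: bool  # app self-check saw a debugger, emulator or root
    action: str             # what the user is trying to do


@dataclass(frozen=True)
class Decision:
    outcome: str            # "allow", "step_up" or "deny"
    score: int              # accumulated risk score
    reasons: tuple          # which signals contributed, for the audit log


# Hypothetical weights: each contributes to the risk score when present.
RISK_WEIGHTS = {
    "device_not_bound": 40,
    "unknown_network": 15,
    "unusual_country": 25,
}
# Hypothetical sensitivity of each action; higher means more to lose.
ACTION_SENSITIVITY = {
    "balance": 0,
    "transfer_small": 20,
    "transfer_large": 45,
}
STEP_UP_THRESHOLD = 50   # at or above: ask the user for an explicit factor
DENY_THRESHOLD = 100     # at or above: refuse and route to manual review


def evaluate(ctx: Context) -> Decision:
    """Score the silent signals and decide whether the user must act."""
    if ctx.tampered_runtime:
        # Hard rule: a debugged, emulated or rooted app cannot be trusted to
        # run a challenge honestly, so extra authentication does not help.
        return Decision("deny", DENY_THRESHOLD, ("tampered_runtime",))

    score = 0
    reasons = []
    if not ctx.device_bound:
        score += RISK_WEIGHTS["device_not_bound"]
        reasons.append("device_not_bound")
    if not ctx.known_network:
        score += RISK_WEIGHTS["unknown_network"]
        reasons.append("unknown_network")
    if not ctx.usual_country:
        score += RISK_WEIGHTS["unusual_country"]
        reasons.append("unusual_country")

    sensitivity = ACTION_SENSITIVITY.get(ctx.action)
    if sensitivity is None:
        # Fail closed: an action the policy does not know is treated as the
        # most sensitive kind rather than slipping through unscored.
        sensitivity = max(ACTION_SENSITIVITY.values())
        reasons.append("unknown_action")
    score += sensitivity
    if sensitivity:
        reasons.append(f"action:{ctx.action}")

    if score >= DENY_THRESHOLD:
        outcome = "deny"
    elif score >= STEP_UP_THRESHOLD:
        outcome = "step_up"
    else:
        outcome = "allow"
    return Decision(outcome, score, tuple(reasons))


if __name__ == "__main__":
    # Constructed sample requests, from routine to clearly suspicious.
    samples = {
        "balance, enrolled phone at home": Context(True, True, True, False, "balance"),
        "large transfer over hotel Wi-Fi": Context(True, False, True, False, "transfer_large"),
        "balance from new phone abroad": Context(False, True, False, False, "balance"),
        "large transfer, new phone, abroad": Context(False, False, False, False, "transfer_large"),
        "balance from emulator": Context(True, True, True, True, "balance"),
    }
    for label, ctx in samples.items():
        d = evaluate(ctx)
        print(f"{label:36} -> {d.outcome:8} score={d.score:3} {d.reasons}")
```

The `reasons` tuple is what the back office logs alongside the decision: it lets analysts see which signals drove each step-up or denial and tune the weights, and it gives a support desk something concrete to explain to a client who was challenged.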
Olivier Thirion de Briel, Global Marketing Director for identity and access management solutions at HID Global