Mobile Banking Security: Plotting the Best Course for Adoption

Technology and member education can help ensure mobile transactions are secure.


As the mobile banking market evolves, credit unions need to consider offering multiple mobile access options, as different technologies appeal to specific member segments. However, questions remain about the security of different mobile banking technologies. But security need not be a barrier to adoption – mobile banking solutions available today have strong layers of security in place that, combined with member education, will enable credit unions to provide mobile offerings that expand member convenience.

According to David Benning, Vice President, Strategic Integration at Online Resources, "the question that financial institutions need to ask is: Is mobile banking more or less secure than traditional types of banking?" He points out that there are security risks associated with any type of banking and mobile banking does offer safeguards similar to online banking.

Benning provided an overview of some of the security measures in place by mobile banking technology for credit unions to consider when debating different technologies. He noted that both WAP/microbrowser and downloadable applications typically connect using 128-bit SSL encryption, so that data transfers are secure. Other security features include:

  • Text-based alerts: One-way account alerts, which typically just provide a balance or transaction information without account numbers, are just as safe as emailed account alerts. Two-way text messages typically require a PIN to authenticate the user and do not require users to enter account information. One concern is "SMSishing", whereby fake text messages ask consumers to text in personal information, but this threat can be reduced with member education.
  • WAP/Browser-based: These scaled-down versions of the online banking platform can use multi-factor authentication to ensure security. Similar to downloadable applications, some financial institutions require users to enroll their device as an added level of security.
  • Downloadable applications: After the application is downloaded to the member's device, it provides for multi-factor authentication via the specific device, and enable members to securely access mobile banking via a specially designed interface. Users must log-in, and account numbers are not stored on the device.

Five Ways to Manage Risks
Here are five ways credit unions should manage their risk related to mobile banking:

  • Control the access capabilities: don't allow members to make password changes via mobile. Require members to have complex passwords, such as a six character alphanumeric password.
  • Educate members: similar to online banking, some of the greatest risks for mobile are related to aspects the member can control. Clicking on links or mistyping urls can send members to spoofing websites or leave them vulnerable to downloading spyware just the same as on a computer. Another problem is shoulder surfing, whereby fraudsters in public places gather information being typed into the phone.
  • Limit transfers outside the credit union: many mobile banking offerings do not allow transfers to outside accounts, or have additional security steps in place to authenticate these types of transactions.
  • Limit new payees: mobile users should be able to schedule payments to existing payees, but not create new ones. This can limit fraud caused by unauthorized access to a member's phone.
  • User time-out: Members should be logged out of a mobile browser session after a short inactivity period.

Credit unions should carefully question prospective vendors regarding their security levels and reporting capabilities for detecting fraud. Credit unions should take advantage of flexible programs that enable them to set limitations on mobile activity to provide a balance between security and convenience. Developments in technology and fraud should be monitored to ensure that security is upgraded as new threats arise.




Jan. 12, 2009



No comments have been posted yet. Be the first one.