Mobile devices are introducing unprecedented improvements in convenience. However, mobile devices also present a unique set of security requirements and challenges. Mobile devices are the 21st century wallet – the ultimate in convenience for banking, shopping and entertainment. Since mobile devices contain a wealth of information, they are target-rich, and hence attractive to fraudsters.
FFIEC has issued guidance on using multi-factor authentication to financial institutions for all forms of electronic banking and payment activities, including mobile banking. Multi-factor authentication uses a combination of something that the user knows (password), something that the user possesses (mobile device) or something that is inseparable from the user (biometrics). A multi-factor authentication system is ideal, of course, to have a high level of security with ease of access and transparent to the end user while not delivered to the device. A second or third layer of authentication to login makes an attack more difficult, but the challenge is to make an attack harder for fraudsters without making the consumer experience inconvenient or unpleasant. Learn more about how one
When it comes to data storage, financial institutions need to ensure their banking apps do not store customer information, such as usernames and passwords on the mobile device. According to Sean Darragh, VP of security at Malauzai Software, “Mobile devices should be considered ‘compromised’ from a design perspective. Sensitive data such as credit card numbers, social security numbers, etc. if necessary, should only live in session and should NOT persist to the device. If data is not stored securely, then sensitive data can be retrieved from a device fairly easily as mobile devices have the propensity to ‘leak’ information due to users allowing overly permissive apps.” For example, apps that have a marketing bent or allow in-app purchases usually ask for access to things they don’t need to function such as document management storage, use accounts on the device, or full network access. If a user grants such permissions, then the app can add or remove items from storage or see all the accounts on your device. In sum, the device would then leak information to apps that don’t specifically need it because the user has granted access to the app.
So what happens if a mobile device is lost or stolen? Bank administrators need the ability to deactivate their apps on individual devices and force consumers to re-authenticate prior to assessing account information. Credible mobile apps feature SAMI – an application management system designed to provide remote device and application management. Financial institutions can track devices running the app, disable the app remotely if necessary and send push notifications to the devices. The consumer can take action as well, including contacting the financial institution to report the missing device, and the mobile carrier to suspend service, as well as taking advantage of recovery apps on the market to help track lost devices. For example, Android users can take advantage of Google’s Android Device Manager to track phones/tablets that do not require an app to be installed. Customers can also use their mobile operating systems to track and wipe their devices if necessary, which is a capability that should be configured upon device setup. Being able to wipe data is crucial – consumers may not even remember what they accessed on their phone over time. Any data stored on a device, even personal contacts, can be very dangerous in the wrong hands. Confidential information, emails, text messages, and browsing history, when compromised, can be used to commit illegal activities such as identity theft and fraud.
Overall, having a strong focus on innovation with mobile banking is key, but it is important to integrate secure practices all along the way. To learn more about how one credit union is competing with much larger financial institutions by offering this type of technology, click here.