Build an Intense Security Mindset into your Mobile Services

by Ondrej Krehel, Identity Theft 911


Educating members and staff is essential

In the emerging ecosystem of mobile devices, smartphones and media tablets, member education will fortify your credit union against mobile’s chief dangers: weak security measures and risky user behavior.

Whether your credit union is an active mobile banking player, phasing in mobile services, or in wait-and-see mode, now is the time to implement one of the most effective security strategies in mobile fraud prevention—educating your members and staff.

Mobile threat vectors abound
Cybercriminals are finding mobile fraud to be far more lucrative than traditional PC-based campaigns. Tricking consumers remains the easiest way for hackers to breach a bank or credit union’s security network and steal treasure—your customer and organizational data.

New customized viruses, designer malware, and new Man-in-the-Middle or sniffing attacks via unsecured Wi-Fi networks are targeting specific mobile platforms to steal banking and personal data. Malware on Android alone has jumped 400 percent since summer 2010. An Infosecurity report ranked apps and app stores as “the greatest malicious software delivery system ever invented.”

Your mobile security coaches
Train all staff in secure mobile banking practices, proper payment procedures and the latest threat risks. Share updates to maintain a security mindset. Once trained, member-facing employees can proactively coach customers on mobile banking services and offer practical tips on everything from basic password hygiene to verifying authenticity of third-party apps prior to installation.

Educating members
Teach your mobile users to treat their devices like a credit card with the Internet attached. According to a 2010 SANS Institute report, 85 percent of smartphone users don’t employ an anti-virus solution to scan for malware. Teach them about phishing. Train them to never click on a link sent from your institution via email or text.

Drill your members in the basics
Keep your phone safe. Lock mobile devices when not in use and protect them with a strong password.

Urge members to not store sensitive information on a phone (credit card data, passwords, user ID details, or proprietary work data).

Encourage them to activate security features such as device encryption, a time-out password and remote wipe for a lost or stolen device, and also to:

  • Install an updated anti-malware program/solution on the mobile device to protect against spyware, malicious apps and infected SD cards.
  • Use an on-device personal firewall for interface protection.
  • Regularly delete text/voice messages containing financial or personal information.


Security recommendations for credit unions
Centralize the administration and enforcement of mobile device policies; provide the ability to locate, remotely lock, wipe, back up and restore lost and stolen devices; and monitor device activity for inappropriate use and data leakage. Other essential precautions include the use of:

  • SSL VPN clients to protect data in transit and ensure secure network access and authorization.
  • Mutual authentication approaches that incorporate multifactor, multilayered security techniques.
  • Anti-theft and anti-fraud tactics such as online banking transaction confirmations via SMS or call back.

Third-party Gold Rush
New mobile banking channels (mobile payments, near field communication (NFC) and person-to-person (P2P) payments) are also prompting a virtual third-party Gold Rush. Google Wallet is launching its mobile payment system in summer 2011. Visa Mobile, Isis and Square have staked their own NFC systems, with Apple and Amazon yet to jump, and multiple players in the wings.

Whatever the near future holds, turning a phone into a wallet involves tapping into the liquidity and credit lines now parked in your own institution. At the very least, this presents an opportunity for substantive member education.

Ondrej Krehel is chief information security officer at Identity Theft 911, the nation’s premier identity theft and data breach management, resolution and education service. He manages a comprehensive information security program and leads computer forensic investigations, helping businesses and individuals secure their information.