Mobile Risk Management
Security is obviously important for almost any useful mobile application. Security is absolutely paramount for financial services applications.
Consumers consistently list security concerns as a key reason for not adopting mobile banking. For example, last December, Javelin published a report entitled 2008 Mobile Security Standards. Nearly half (47%) cited security concerns as the reason they didn’t sign up for mobile banking. Even more troubling, 73% feared that hackers could access their mobile phones.
But it’s not just consumers. When I talk to bankers not yet doing mobile banking, security concerns are some of the most asked questions. Bankers are concerned that bad guys will use phones that are literally lying everywhere to do nefarious deeds.
We leave our phones on the table at restaurants; people can see our phone screens when we use them on planes and trains. I personally left my phone (and my wallet!) in a shopping cart at Lowe’s yesterday and drove away. Fortunately I got about 200 yards from the parking lot before thinking about my phone and went back for it. It appeared no harm had been done.
As mobile adoption increases, bad guys will look for opportunities like these to take what isn’t theirs. Thieves go to great lengths to skim ATM cards, find account numbers in trash, and create phishing sites. Mobile is the next great frontier for fraudsters, and we all have to be vigilant in using what we’ve learned in ecommerce to not make the same mistakes with mobile.
For businesses and financial institutions to profit from mobile, we have to get users to adopt mobile. We also have to implement mobile in ways that don’t expose us to undue risks. In my opinion, many organizations have over the last few years deployed mobile solutions with security holes that would be considered patently unacceptable in their online channel. Fortunately for those organizations, adoption is still low enough that it seems they’ve avoided the attention of the bad guys so far. In some ways, though, they’ve added to the perception that mobile is insecure and made it harder for the rest of us to convince consumers that mobile can be a secure way to transact.
Business, security and risk management need to work together from the start to ensure mobile solutions are as secure as (or more secure than) online solutions. Mobile CAN be secure, but it takes discipline from all of us to insist that we move our businesses forward by providing business value in a secure way.
I’m recommending that my clients involve security and risk management from the very beginning. Even if you aren’t planning to do mobile until next year or later, it’s never too soon to begin pulling together requirements and planning for the security measures that will be required. Mobile projects often get pulled forward when budget becomes available; having a solid plan in place means you can act decisively and prudently when the opportunity presents itself.