Mobile Manifesto » fraud prevention

Is Mobile Banking Safe?

David Eads — Mon, 14 Sep 2009 18:05:33 +0000

Mobile banking is a popular product that banks and credit unions are increasingly offering to their customers.

Many consumers are concerned about the safety of mobile banking, however. A January 2009 study by Javelin Strategy & Research found that 73% of consumers feared that hackers could remotely access their phones. As the number of mobile banking users increases, hackers are likely to targeting mobile banking solutions.

Mobile Banking CAN be as secure or more secure than traditional online banking. The safety of your money depends upon how your bank chooses to implement mobile banking. Like many other products, some mobile banking solutions are more secure than others.

The following are some key safety features to look for:

128-bit Encryption – This means bad guys can’t look at the data flowing between your phone and your bank. Most solutions use the same type of protection web browsers use for online banking.

Bank protection in the event of fraud – Like online banking and debit cards, many banks promise to protect you in the event of a loss from a hacker attack on mobile banking. You need to read your bank’s terms and conditions carefully when you enroll for mobile banking to be sure.
Bank-specific username & password – Make sure the credentials you use to log into mobile banking are unique to your bank and are controlled by the bank and not a third-party. (See PIN Vault below).
Multi-factor authentication - This means the bank requires more than just a username and password to gain access to the system. This is often described as “something you have and something you know.” Often your phone itself is the additional “something you have.” This feature can make mobile banking more secure than many online banking products.
Lockout & timeout capabilities – Make sure you can disable access to your bank account if your phone is lost or stolen. Also make sure your session is automatically disconnected after a few minutes of inactivity.

Some things to watch out for:

SMS Links – Text based banking (also known as SMS) is very popular, but like email, hackers can trick you by sending fake messages that look like they’re from your bank but actually connect to computers controlled by the bad guys. Like email, never click on a link in an SMS message from your bank.
PIN Vaults – Some mobile banking solutions share the mobile banking username and password across multiple institutions. This is sometimes called a “PIN Vault.” While it makes it easier to log in, it can pose a significant risk. The PIN is often stored at a third-party location like the phone company or the software provider. The single PIN also would provide hackers access to ALL the accounts the PIN is works with if the hackers were able to break in.
SMS Transactions – There is no security around text (SMS) messages. Text messages are sent without any encryption. Imagine a text message like a note on a post card. Anyone near the message can see it. In fact, many people rarely delete text messages from their phone. Therefore, if bad guys were to get your phone, they could look at all the text messages you have sent or received. Make sure text messages have no sensitive information hackers can use to steal from you.
WAP 1.0 Mobile Internet Pages – Some older phones with web browsers use a technology called WAP 1.0. This technology turned out to have a security flaw dubbed “The WAP Gap” because the data was unencrypted and re-encrypted at points along the way. Most modern mobile web browsers now use newer technology.

Mobile Banking can be safe, convenient, and possibly even fun. However, make sure you are careful about the products you use and know your rights. Make sure you are absolutely certain of the identity of a web page before providing any sensitive information.

(I originally wrote this content as an article in Articles Base http://bit.ly/1MPuTa )

Mobile as fraud prevention

David Eads — Wed, 29 Jul 2009 17:22:08 +0000

James Van Dyke at Javelin Research posted a very interesting stat on his blog. The fraud-to-fraud detection ratio in online banking is 2:5. For every two instances of OLB fraud, five were caught by using OLB.

Mobile Banking has the potential to have an even stronger ratio because users have quicker, easier and more frequent access to their account information. That is of course, only if the mobile banking solution is secure and easy to use.

This is an interesting angle because Security is often cited as a key concern by consumers. A recent poll by Harris Interactive found that nearly 2/3 of consumers felt their phone was too insecure to do activities like mobile banking.

The mobile industry clearly needs to better communicate and demonstrate the security and benefits of their solutions to consumers.

Mobile Risk Management

David Eads — Mon, 27 Jul 2009 14:14:29 +0000

Security is obviously important for almost any useful mobile application. Security is absolutely paramount for financial services applications.

Consumers consistently list security concerns as a key reason for not adopting mobile banking. For example, last December, Javelin published a report entitled 2008 Mobile Security Standards. Nearly half (47%) cited security concerns as the reason they didn’t sign up for mobile banking. Even more troubling, 73% feared that hackers could access their mobile phones.

But it’s not just consumers, when I talk to bankers not yet doing mobile banking, security concerns are some of the most asked questions. Bankers are concerned that bad guys will use phones that are literally laying everywhere to do nefarious deeds.

We leave our phones on the table at restaurants, people can see our phone screens when we use them on planes and trains. I personally left my phone (and my wallet!) in a shopping cart at Lowe’s yesterday and drove away. Fortunately I got about 200 yards from the parking lot before thinking about my phone and went back for it. It appeared no harm had been done.

As mobile adoption increases, bad guys will look for opportunities like these to take what isn’t theirs. Thieves go to great lengths to skim ATM cards, find account numbers in trash, and create phishing sites. Mobile is the next great frontier for fraudsters, and we all have to be vigilant in using what we’ve learned in ecommerce to not make the same mistakes with mobile.

For businesses and financial institutions to profit from mobile, we have to get users to adopt mobile. We also have to implement mobile in ways that don’t expose us to undue risks. In my opinion, many organizations have over the last few years have deployed mobile solutions with security holes that would be considered patently unacceptable in their online channel. Fortunately for those organizations, adoption is still low enough that it seems they’ve avoided the attention of the bad guys so far. In some ways, though, they’ve added to the perceptions that mobile is insecure and made it harder for the rest of us to convince consumers that mobile can be a secure way to do transact.

Business, Security and Risk management need to work together from the start to ensure mobile solutions are as secure (or more secure) than online solutions. Mobile CAN be secure, but it takes discipline from all of us to insist that we move our businesses forward by providing business value in a secure way.

I’m recommending my clients to involve security and risk management from the very beginning. Even if you aren’t planning to do mobile until next year or later, it’s never too soon to begin pulling together requirements and planning for the security measures that will be required. Mobile projects often get pulled forward when budget becomes available, having a solid plan in place means you can act decisively and prudently when the opportunity presents itself.