By: Jan Valcke, President and COO of VASCO Data Security
A clear and emerging new channel in the space of banking and payments is mobile. Mobile banking has the opportunity to become just as disruptive in the modern era as ATMs were back in the 1970s. From the convenience of our own homes, and with our own devices, we can now do just about everything except get cash from our bank.
People no longer have to wait for a free ATM to deposit pay checks, and they can pay bills from their mobile phone in seconds. Mobile banking is not just convenient; it is also a great time-saver. The appeal of mobile phone banking is not one-dimensional; consumers readily appreciate a number of advantages. Convenience, speed and control emerge as the key benefits for a group who value their time and the ability to monitor their finances regularly, avoid bank charges and stay in the black. The individuals who use mobile phone banking see technology as a means of easing time pressure and are likely to embrace further innovations such as mobile payments. Their extensive experience with an array of phone applications gives them confidence in the security of the handset and the networks, and this will encourage adoption of new services and features.
A key challenge in gaining user adoption of mobile banking and payments is the customer's lack of confidence in the security of the services. Understanding the mobile banking and payments market and ecosystem is critical to addressing the security challenges, because mobile banking and payments introduce new security risks that must be identified. When it comes to consumers' concerns, identity theft and unauthorized use of their credit cards top the list. And while consumers have concerns about data breaches, they are not too worried about the consequences and are slow to take particular actions to protect their credit and accounts. Perhaps this is because they have not been educated in what they need to do, or because they are mostly complacent about their banking needs. Even the most practical consumers still wonder what else they need to do, or what specific tools they should have in their arsenal.
Some of the most prominent problem areas in mobile banking are the following.
Rising Threats
Financial institutions are tremendous targets of opportunity for electronic thievery. Blended threats, improved man-in-the-middle and man-in-the-browser exploits, and advances in malware have made attacks more numerous and more readily available to less-skilled cybercriminals. Historically, banks have purchased different systems to manage different risks, with the result that they have too many controls that do not necessarily integrate or work well with each other.
Increasing Complexity
When it comes to mobile, it is critical that we understand the complexity of the problem we are trying to solve. The number of connected devices has passed the total number of people on the planet, the number of devices per person is still increasing, and there are many different passwords securing those devices, many accounts across a variety of non-bank institutions, and many channels and methods for doing the banking itself (ATM, phone, Web). On top of this, attackers target everyone and use any method they can, making things increasingly difficult.
Evolving Environment
The computing environment has certainly evolved over the years, and while we have access to a great amount of information, we are also exposed to more fraudulent activity. Phones now have multiple uses and functions through their data and Internet connections. Consumer attitudes towards security are also evolving as people become familiar with a variety of mobile apps, not just for their banking needs; look at the interest in mobile payment mechanisms from Apple, MasterCard and others in the past year. However, adoption will always lag because of security perceptions, technology complexity or other reasons.
Advancements in Authentication
There has also been an evolution in the use of authentication in online banking. In the early days, if you wanted stronger authentication you had to ask users to change their behavior and carry something such as a one-time password (OTP) token, and some users were reluctant to do so. Ten years ago there were few alternatives that were both secure and convenient, but that has changed for the better: there are now cryptographic apps that are both cost-effective and secure.
Along with the setbacks in mobile banking, some trends have come to the surface. Mobile business will lag accelerated smartphone adoption: by the end of 2015, 36% of adults in Asia are expected to own a smartphone, with ownership ranging from a high of 86 per cent in Singapore to 44 per cent in China and a low of 23 per cent in India. However, few companies will be ready to serve these technology-empowered customers on their smartphones in their moments of need, and mobile will remain small in terms of spend, particularly advertising spend. The best practices below can be used to secure your mobile app on both the client and server sides; they counter the security perceptions described above and make mobile banking easier and more productive.
Adjust Authentication Methods to Meet User Demands
It is increasingly clear that some of the older methods are not useful in today's hyper-mobile world. Dedicated OTP tokens, or voice prompts that deliver access codes, are not very convenient when you want to do your banking on any device, wherever you might be. Newer technologies such as visual transaction signing and risk-based authentication can enhance security while meeting the new demands for user and device flexibility, giving mobile users authentication and signing methods that are transparent and implemented behind the scenes.
Enhance Client-side Protections
Simple authentication with a username and PIN combination is no longer good enough for mobile banking, because many users reuse the same combination across a variety of online services, so a breach at any one of them exposes their banking credentials. For mobile applications a better solution is to combine the user's PIN with other information, such as device-specific data, so that both the phone and the account are locked down. Further, a variety of risk-based checks, such as whether the device is in an acceptable geolocation for the transaction, whether it has been jailbroken, or whether malware is present, can add additional layers of protection. And with mobile banking you can also use strong OTPs behind the scenes, so users do not have to read and type in long strings of digits.
Strengthen Security for Client-Server Communications
Beyond the mobile app itself, there are use cases where multiple authentication factors make sense. A separate device (or software tool) can generate the OTP and transmit it over a Bluetooth connection, for example, so that an OTP fob sends the code directly to the app and the user does not have to type it in. This is just one way a Bluetooth device can secure a transaction and pass the result on to a more hardened environment for validation.
Use a Variety of Risk-Based Methods
Another issue is that users want to do more with mobile banking, not just replicate what they could already do in the branch or in their Web browser. That means banks have to meet the added risk of these tasks and scale up their security measures accordingly. As cryptographic tools get better, attackers get better too, for example by using man-in-the-middle attacks to get around traditional defenses. This creates a requirement for stronger and more transparent signatures that can be sent digitally without worrying about those attacks.
One potential solution is digital signatures backed by a public key infrastructure (PKI), which so far has not been entirely satisfactory: these solutions are painful to manage, both for IT staff and for banking customers. In the mobile world we can cut out some of that pain and take better advantage of these technologies by using the native security features of the device to hold the keys and to sign the transaction data itself.
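The "OTP behind the scenes" of the client-side section and the transaction signature of this section can be one mechanism: a code computed over the exact transaction the user approved, with a key that exists only on the enrolled phone. The following is an added example written for this page, not VASCO code or any product's protocol. It assumes a device secret provisioned at enrollment, a PIN, a counter shared with the server, and an HMAC-based code truncated to digits in the style of RFC 4226; the account numbers and secret are constructed sample data.

```python
"""Transaction signing with a device-bound key (added example; not VASCO code).

The signing key is derived from a secret provisioned to the phone at enrollment,
the device identity and the user's PIN, so a stolen PIN alone or a copied app
alone is not enough to sign. The code is an HMAC over the transaction fields the
user saw plus a counter, truncated to decimal digits as in RFC 4226, so the server
can bind the code to exactly the transaction it is about to execute.
"""
import hashlib
import hmac
import struct

# Fixed field order: client and server must hash identical bytes.
SIGNED_FIELDS = ("account", "beneficiary", "amount", "currency")


def derive_device_key(device_secret: bytes, device_id: str, pin: str) -> bytes:
    """Bind the key to the enrolled device secret, the device identity and the PIN."""
    salt = device_secret + device_id.encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 100_000, dklen=32)


def canonical_transaction(tx: dict) -> bytes:
    """Serialize only the fields shown to the user, in a fixed order."""
    return "|".join(f"{name}={tx[name]}" for name in SIGNED_FIELDS).encode("utf-8")


def sign_transaction(key: bytes, tx: dict, counter: int, digits: int = 8) -> str:
    """Return a decimal signature code for this transaction and counter value."""
    message = canonical_transaction(tx) + struct.pack(">Q", counter)
    mac = hmac.new(key, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # RFC 4226 dynamic truncation
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def verify_transaction(key: bytes, tx: dict, code: str, expected_counter: int,
                       look_ahead: int = 3):
    """Server-side check. Returns the next counter to store, or None on failure.

    The server recomputes the code from the transaction *it* is about to execute,
    so a beneficiary or amount altered in transit yields a different code and is
    rejected. The look-ahead window tolerates codes the client generated but
    never sent; the stored counter advances so an accepted code cannot be replayed.
    """
    for counter in range(expected_counter, expected_counter + look_ahead):
        if hmac.compare_digest(sign_transaction(key, tx, counter), code):
            return counter + 1
    return None


if __name__ == "__main__":
    # Constructed sample data: enrollment secret, device id, PIN and one transfer.
    device_secret = bytes.fromhex("00112233445566778899aabbccddeeff")
    key = derive_device_key(device_secret, "phone-4711", "2580")
    tx = {"account": "BE68539007547034", "beneficiary": "NL91ABNA0417164300",
          "amount": "1250.00", "currency": "EUR"}
    code = sign_transaction(key, tx, counter=0)
    print("code sent with transaction:", code)
    print("server accepts original:", verify_transaction(key, tx, code, 0) is not None)
    tampered = dict(tx, beneficiary="DE89370400440532013000")   # man-in-the-middle edit
    print("server accepts tampered:", verify_transaction(key, tampered, code, 0) is not None)
```

The code travels with the transaction over the ordinary channel and needs no secrecy; what protects the user is that it only matches the fields they actually saw. In a real deployment the device secret would sit in the platform key store and the server would keep the counter per device, which is the "native security inside the device" the paragraph above refers to.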
Get Proactive with Fraud Prevention
Stopping potentially dangerous activity before it starts is critical in the new mobile world, especially when it comes to fraud. Managing risk as part of a self-protecting application strategy is very different from a reactive security model, in which the fraudulent activity is allowed to happen and is only stopped on the back end. With risk scoring built into the mobile application, organizations can proactively stop fraudulent activity by creating a barrier that an attacker cannot easily circumvent, and can do so without impacting the user experience. Risk scoring within the mobile application limits risk on the client side before the transaction ever occurs; if the transaction is still allowed to proceed, risk-based or adaptive authentication on the server side can further mitigate the risk.
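What a risk score actually does at the moment of a transaction is easiest to see in code. The block below is an added example written for this page, not VASCO code or any product's scoring model. The signals (jailbreak, malware, device, geolocation, amount, beneficiary) are the ones the client-side section lists; the weights, thresholds and the customer profile are illustrative assumptions, and the sample transactions are constructed.

```python
"""Risk scoring on the client with server-side step-up (added example; not VASCO code).

Each signal collected by the app adds a weight to a score; the score maps to
allow, step-up (require a transaction signature) or block. The decision carries
its reasons so the server and fraud analysts can see why a transaction was
challenged. Weights, thresholds and profile data are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UserProfile:
    """What the bank already knows about this customer (constructed sample)."""
    home_country: str
    known_devices: frozenset
    known_beneficiaries: frozenset
    usual_max_amount: float        # e.g. the largest transfer in the last 12 months


@dataclass(frozen=True)
class TransactionContext:
    """Signals the app gathers at the moment of the transaction."""
    device_id: str
    country: str
    jailbroken: bool
    malware_detected: bool
    beneficiary: str
    amount: float


# Assumed weights; malware alone is enough to reach the block threshold.
WEIGHTS = {
    "malware_detected": 100,
    "jailbroken": 40,
    "unknown_device": 30,
    "foreign_country": 25,
    "unusual_amount": 20,
    "new_beneficiary": 15,
}
STEP_UP_THRESHOLD = 30     # demand a transaction signature before proceeding
BLOCK_THRESHOLD = 80       # refuse on the client before anything is sent


def score_transaction(ctx: TransactionContext, profile: UserProfile):
    """Return (score, triggered_signals) so the decision is explainable."""
    hits = []
    if ctx.malware_detected:
        hits.append("malware_detected")
    if ctx.jailbroken:
        hits.append("jailbroken")
    if ctx.device_id not in profile.known_devices:
        hits.append("unknown_device")
    if ctx.country != profile.home_country:
        hits.append("foreign_country")
    if ctx.amount > profile.usual_max_amount:
        hits.append("unusual_amount")
    if ctx.beneficiary not in profile.known_beneficiaries:
        hits.append("new_beneficiary")
    return sum(WEIGHTS[h] for h in hits), hits


def decide(score: int) -> str:
    """Map a score onto the three outcomes the app can enforce."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def evaluate(ctx: TransactionContext, profile: UserProfile):
    """Full client-side decision: (outcome, score, reasons)."""
    score, reasons = score_transaction(ctx, profile)
    return decide(score), score, reasons


if __name__ == "__main__":
    # Constructed customer profile and three sample transactions.
    profile = UserProfile("BE", frozenset({"phone-4711"}),
                          frozenset({"NL91ABNA0417164300"}), usual_max_amount=500.0)
    routine = TransactionContext("phone-4711", "BE", False, False, "NL91ABNA0417164300", 120.0)
    unusual = TransactionContext("phone-4711", "BE", False, False, "DE89370400440532013000", 2500.0)
    hostile = TransactionContext("phone-9999", "BE", True, True, "NL91ABNA0417164300", 50.0)
    for name, ctx in (("routine", routine), ("unusual", unusual), ("hostile", hostile)):
        print(name, evaluate(ctx, profile))
```

The step-up outcome is where the two halves of the article's model meet: the client refuses to send a risky transaction as a plain request and instead demands the transaction signature, and the server, seeing the same signals, applies its own adaptive authentication before executing it. Keeping the reasons list alongside the score is what makes tuning the weights against real fraud cases possible later.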
Watch for Evolving Regulatory Requirements
If banks are playing catch-up when it comes to mobile security, banking regulators are playing catch-up too. The FFIEC has issued guidance that is still based on historical usage patterns, and some of it does not apply well to the new mobile world. Just as banking technology evolves, so do the regulations and compliance mechanisms; regulators will need to augment the existing FFIEC guidance to help banks prepare for more mobile users.
Take a Comprehensive Approach to Mobile App Security
No matter how secure you make the various communication channels, ultimately it comes down to how well a bank builds its apps and understands their inherent security weaknesses. You still have to balance security with ease of use, and you still have to ensure that your core business logic is not subject to exploits. Risk-based authentication on the server side helps to further mitigate that risk, but it is no substitute for a well-built app.
In the end, mobile banking security is the combination of a secure application, running on a secure platform, over a secure communication channel between the bank and the user, together with the ability to gather and analyze user and session data to make real-time, risk-based decisions that protect against account takeover and prevent fraud. Bringing these concepts together into a single mobile banking security strategy can satisfy the high demands of banking organizations for security and service delivery, while also satisfying mobile banking users' demands for functionality, convenience, and data and identity protection.