Building the business case for mobile banking security
As part of the smartphone and smart device revolution, mobile banking has become a popular method for people to manage their finances. The benefits of mobile banking are two-fold: users can bank in a more convenient manner and banks can use smartphones as a way to better engage with their customers.
Recent research by RateWatch has shown that 81% of the financial institutions surveyed are currently offering mobile banking services, which is a clear indicator of its popularity. With this in mind, it should be expected that customers will be able to conduct their banking activities on a wider range of mobile IoT-connected devices in the near future.
However, the same survey also showed that 36% of consumers are still not using mobile banking due to the perceived security risks. This, allied with an ever-evolving cyber threat landscape and the rapidly expanding Internet of Things, means that finding a way of making mobile banking more secure is crucial, says Olivier Thirion de Briel – Global Solutions Marketing director, HID Global.
Why mobile banking security is essential
Banks have worked hard to deploy effective security frameworks for traditional online banking. However, mobile banking presents its own unique challenges, including growing malware threats that specifically target the mobile channel. As a result, any attempt to leverage existing online banking infrastructure and tools will result in a much higher risk profile, unless steps are taken to adopt mobile-centric security.
There are several ways in which mobile banking presents its own unique challenges:
- In a relatively short space of time, mobile devices along with house keys and the wallet are the three must-have items when leaving the home. With the use of mobile payments and mobile keys, there is a very real possibility that mobile devices could one day replace physical keys and wallets altogether. This means that mobile security becomes even more important in the event of device loss or theft, but also enables banks to make mobiles a core part of a user authentication strategy, due to the various features they contain. These include GPS, pressure sensors and biometrics.
- Mobile usage is all about providing a positive user experience. As such, users expect access to apps, services and content to be seamless with strong security operating in the background as standard. This makes striking the balance between security and user experience more important than ever before.
- As a rule of thumb, mobile devices support always-on email, SMS, browsing and a gesture-based approach to using mobile apps. This encourages users to open unsolicited emails and attachments, visit untrusted websites, download third-party apps and reuse the same login credentials across multiple sites. This makes mobile devices vulnerable to a growing array of security threats, including phishing, malware and social engineering.
- Increasing use of unsecured Wi-Fi connections, as opposed to traditional wired networks means users are more likely to inadvertently compromise their device’s security.
- The mobile threat landscape is evolving rapidly, with cybercriminals becoming increasingly savvy in their methods. Symantec’s 2016 Internet Security Threat Report revealed a 77% increase in the number of new Android mobile malware variants between 2014 and 2015, with malware such as XcodeGhost also enabling hackers to target Apple’s operating system.
In order to securely deliver mobile banking and payment services, and to increase user confidence in the safety of banking on their mobile devices, banks must provide multi-layered security. Their solutions must address the potential challenges that can occur throughout the transaction.
This includes challenges at both the front end (consumer devices), the back end (banking systems that recognise and facilitate legitimate user requests through mobile devices), as well as the channel connecting the front and back ends.
Bringing this peace of mind to users helps to drive further adoption of mobile banking, thereby bringing added revenue and profits while improving the user experience. At the same time, banks can safeguard themselves from the severe reputational impact that a data breach can have.
What a mobile banking security solution should offer
In order to ensure adequate mobile banking security measures, without compromising on the all-important user convenience, banks should look for certain key capabilities when choosing a solution:
- Support for an integrated, multi-layered approach. Mobile banking customers expect to be kept safe, even if their behaviour is not in line with cybersecurity best practices. Solutions that utilise a wide array of authentication methods to identify the customer and provide end-to-end protection at the device, the app, the connection and the back-end server are typically the most resilient.
- Ability to easily assign and configure multiple authentication methods to different audiences. Look for a solution that is highly configurable, supports multi-tenancy, and can apply any combination of multiple authentication methods across different banking channels, user populations and banking divisions according to role and policy. Such an approach will allow the bank to lower its cost of operations by managing all of its authentication needs from a single platform, even if it operates through numerous banking divisions and entities located globally. It will also allow customers who have multiple accounts with the bank to log on to these accounts with a single sign-on, thereby improving user experience.
- Mobile application security. With a marked increase in malware targeting mobile apps, the best security solution should address these safety concerns. Solutions should include debugger detection, emulator detection, tamper detection and code obfuscation detection amidst other mobile application protection methods.
- Threat intelligence gathering to spot potential problems based on risk analysis before and after they infect the system and users’ devices. The best mobile security solutions anticipate and recognise both known and emerging potential threats, and can use contextual information to correlate the threat surface against expected user behaviour, device configurations and threat profile.
- Strengthened compliance frameworks. Compliance regulations are far more than a prescribed method for passing an annual audit. Being in compliance with requirements such as PCI strengthens the entire security chain for mobile banking, reducing risk for the banks and increasing confidence for consumers. Your chosen mobile banking solution should support compliance frameworks as integrated functions, not as add-ons.
- Strong authentication without impacting user experience. While it makes sense to use two-factor (or more) for mobile banking security, users don’t want to spend a lot of time validating their identity and user privileges in order to check balances or make payments. Customer friction can be minimised without compromising security by running most authentication methods ‘behind the scenes’, so that user involvement via a step-up authentication is only required when absolutely necessary according to policy settings and risk profile.
Mobile banking – an essential consumer banking method
Mobile banking is here to stay and will only grow in popularity in the coming months and years, With this growth comes renewed security concerns, including the need to protect apps against the spectre of an expanding threat landscape. It is crucial for banks to focus on developing and implementing mobile security strategies to minimise exposure of customer data, financial loss as well as the reputational damage of a severe data breach.
The most effective solution for banks lies in finding a solution that provides watertight security while maintaining a positive user experience. Convenience is paramount for today’s consumers, so striking the right balance between security and experience and providing a seamless experience should be given close consideration if a bank wants to maintain its competitive advantage.
The author of this blog is Olivier Thirion de Briel – Global Solutions Marketing director – Identity and Access Management Solutions with HID Global.
Comment on this article below or via Twitter: @IoTNow_ OR @jcIoTnow