Mobile banking: best practice approach to security

19 October 2011

By Mike Warriner, chief technology officer, Intelligent Environments

In the banking and technology communities, one of the biggest topics dominating headlines and boardroom conversations alike is mobile security. For those of us who saw the proliferation of online banking 15 years ago, there are parallels to be drawn.
The ongoing trade-off between security and ease of use, the difference between the perceived and actual threat, and choosing the best security technology to mitigate the risk of a breach are all on the agenda.

At the same time, smartphone adoption is unrelenting. With more and more of the global population demanding services and applications that complement their ‘on-the-go’ lifestyle, financial institutions see a significant opportunity to enhance their delivery of financial services via the mobile.

Juniper Research has predicted that one in five mobile users will use some kind of financial service on their device by 2013 (1). However, this adoption will not be without its challenges and the risk associated with mobile, as perceived by many banking customers, is one of the most significant to overcome.

The challenge is that the necessary security techniques often make a mobile application too cumbersome, which turns away many potential users and dilutes the value of this interactive channel. So how can the industry overcome the final hurdles to make mobile banking a widespread reality?

The demand for mobile banking

Proving the business benefits of delivering a mobile banking service, Intelligent Environments commissioned a YouGov survey that found that one in four of generation Y (aged between 18 and 34) would improve their opinion of their bank if it offered mobile phone banking services. A separate poll of the financial services industry itself demonstrated that UK bank executives are tuned into these customer needs.

Two in five financial services professionals believe that their banks will have a mobile banking operation up and running within the next 12 months, if there is not one in place already. The survey also found that nearly half (47 per cent) of the respondents expect to see up to 30 per cent of their customer base using these mobile banking services within the next three years.
However, banks are wary about the security challenges that must be navigated. According to the same poll of financial services professionals, one of the primary obstacles preventing banks from providing mobile services is a lack of confidence in available security (20 per cent).

Mobile app or mobile web?

Ironically, the mobile channel can be very secure but this is dependent on a variety of factors such as the operating system of the phone and the way in which a service is accessed. Therefore, financial institutions that are developing their mobile banking strategies must weigh up the different routes to market. Two approaches are ‘apps’ and mobile web - both of which have their own advantages and drawbacks.

Arguably, mobile web is a halfway house between online banking and offering a true mobile experience. It does offer some advantages that must be considered - namely, mobile web has a more mature security ecosystem because, quite simply, any device which can connect to the Internet can access mobile web pages. This means that it is easier to support from an IT perspective. However, the trade-off is a less rewarding end user experience, coupled with a lack of support for the latest generation security mechanisms in modern mobile phones.

On the other hand, mobile applications allow organisations to provide a highly tailored and valuable service to their customer base. Apps are viewed by many as the preferred approach for providing the richest mobile experience to the end consumer and one which represents the greatest potential for innovation.

When it comes to security, mobile applications can use extra layers of hardware and software cryptography to secure the app and your data. This means that logon can be simplified and that confidence in the underlying security can be significantly improved. With the latest mobile banking apps, the user needs only to enter a single secure password to access their account, compared to the multi-factor authentication used in previous generations of apps and mobile web access. This delivers secure yet straightforward access for the user, increasing usage and thus actual long-term return-on-investment (ROI) for the bank.

A plethora of platforms

Mobile security also varies significantly from platform to platform. The most prevalent platforms driving the adoption of mobile apps are RIM (BlackBerry), iPhone, Windows Mobile and Android. BlackBerry is more traditionally associated with the business user and is, therefore, subject to potential usage restriction by corporate IT departments, whereas iPhone and Android are rapidly becoming the de facto choice for the consumer.

There are currently no mobile app security standards across the industry and, as a result, each platform has its own requirements for banks seeking to launch financial services applications. For example, applications being put forward for Apple's App Store undergo stringent security tests and can be cryptographically signed by both the vendor and Apple itself, whereas on the Android platform, there currently is not a single trusted distributor of applications.

It is important to consider the various security requirements and factor them into the mobile development project timeline. Some financial institutions are opting to roll out one app at a time to make the process easier, reflecting the challenge that in-house teams currently have in terms of the right resource to deliver their mobile strategy. However, this approach is not ideal as it means the service is not available to the widest pool of customers.

What is needed is specialist vendors who can deliver the underlying secure banking capability across all the major device platforms and allow banks to deliver the key innovative solutions without being challenged by the huge variations in the platforms they must support.

Balancing the user experience with security

How a bank asks its customers to identify themselves and then checks that they are who they say they are is critical to both security and the user experience. There are multiple approaches based on customers entering various credentials, but banks need to be careful that the process is not too complex, as this increases the likelihood that customers will revert to other banking channels.
Instead, security must be balanced with the end user experience; for example, relatively light authentication to simply check a balance, with additional layers added for tasks such as paying a bill or transferring money.

Maintaining customer security in the event that a customer loses their mobile device is also an important factor within the customer experience. Banks with reputable apps should design a robust process to ensure that the application allows for the remote wipe of data as quickly as possible and that this takes place before any transactions or updates to personal information can be completed.
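The tiered authentication and lost-device handling described above, as an added server-side example (not from the article or any vendor's product). The operation names, the 300-second step-up lifetime and the lost-device set are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    NONE = 0
    PASSWORD = 1  # single app password: the "light" tier
    STEP_UP = 2   # password plus an additional layer


# Assumed policy table; the operation names are hypothetical.
REQUIRED = {
    "view_balance": AuthLevel.PASSWORD,
    "pay_bill": AuthLevel.STEP_UP,
    "transfer_money": AuthLevel.STEP_UP,
    "update_personal_info": AuthLevel.STEP_UP,
}
STEP_UP_TTL = 300  # assumed: seconds for which a step-up stays valid


@dataclass
class Session:
    device_id: str
    level: AuthLevel
    level_granted_at: float  # epoch seconds


def effective_level(s: Session, now: float) -> AuthLevel:
    """A stale step-up decays to the password tier instead of lingering."""
    if s.level == AuthLevel.STEP_UP and now - s.level_granted_at > STEP_UP_TTL:
        return AuthLevel.PASSWORD
    return s.level


def authorize(s: Session, operation: str, now: float, lost_devices: set) -> str:
    """Return 'wipe', 'deny', 'challenge' or 'allow' for one request."""
    # The lost-device check runs first, so the wipe instruction is issued
    # before any transaction or personal-data update can complete.
    if s.device_id in lost_devices:
        return "wipe"
    required = REQUIRED.get(operation)
    if required is None:
        return "deny"  # unknown operation: fail closed
    if effective_level(s, now) < required:
        return "challenge"  # app must prompt for the missing layer
    return "allow"
```
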

The future of mobile banking

It is clear that the threat of malicious activities aimed at mobile consumers will never go away and that these threats should be tackled proactively. There is a new story every week that uncovers security vulnerabilities and flaws in mobile devices and, as a result, consumers can be nervous.

Smartphone vendors are responding to these concerns and even using hackers themselves to protect against the threat of a security breach. Apple has partnered with Nicholas Allegra, who was made famous by creating a website that enables iPhone users to ‘jailbreak’ the operating systems on their handsets. Google has taken a similar approach by hiring Florian Rohrweck, who hacked various Google applications and revealed their code.

However, mobile applications and services may be more secure than many realise and in the case of smartphone apps, they offer a degree of security in advance of the online world. Spreading this message will be crucial if the anticipated widespread adoption of mobile financial services is to become a reality.

(1) Rapid take-off sees 1 in 5 mobile users register for mobile money services in some developing regions by 2013 according to new Juniper report
