Balancing Convenience and Security: What to Do Now to Secure the Mobile Channel
Mobile banking is growing quickly, as is the sophistication of those who seek to exploit mobile devices and other digital banking channels. By keeping our focus on the broader security picture – rather than chasing the latest "attack of the week" – we can best manage and mitigate risk.
Our world is different today than it was when online banking was new. Over time, we have all become consumers of information through many channels and devices. The proliferation of mobile devices, combined with the fact that digital banking customers often access their accounts from several devices, has made authentication and the management of users and devices more complex. To provide a secure mobile environment, financial institutions must be mindful of both the challenges and the opportunities of the mobile channel.
Consumers seek out the mobile channel because they are looking for convenience, so we need to be cautious about making them jump through unnecessary hoops. Yet, we need to also ensure that we don't under-secure an application.
Fortunately, most mobile device platforms provide a good starting point from a security perspective. Modern mobile operating systems apply the knowledge and hard lessons learned on earlier computing platforms, such as desktop operating systems, and those lessons produced profound architectural changes (per-application sandboxing, for example). It is important to recognize, however, that each major operating system – Android, Apple's iOS, BlackBerry and others – has its own security profile and capabilities. Users must keep their device operating systems up to date and stay alert for news of exploits affecting their devices.
A Layered Security and Defense Strategy
One security best practice is to implement a layered security and defense strategy in which control capabilities and scrutiny are applied in every stage and layer. Controls should be employed for the variety of layered interactions according to risk, from user enrollment and authentication to data encryption and transaction auditing.
How does an institution know the systems and software it relies upon are well-secured? Ask your mobile application vendors how they protect their apps and how they have designed security into their software. Every institution should be aware, as part of their overall risk assessment, how third-party vendors and their respective technologies fit into the institution's overall risk and mitigation plan.
Conducting negative-case testing, in the form of automated security tests as well as "ethical hacking" via manual application penetration tests, is considered another industry best practice. Mobile application providers may be willing to share the methodology and findings of their own internal testing, or even coordinate with their financial institution clients to conduct collaborative application penetration tests.
The Weakest Link
People are often the weakest link in the mobile channel's security chain, so educating the institution's customers and employees is essential. Make sure customers know never to open attachments or download files sent to them in unsolicited email, and never to respond to inbound calls, emails or texts that ask for personal or account information such as identifying details or passwords.
The mobile channel brings a few new challenges from a user awareness perspective. Encourage your service's end users to keep their phones and tablets in a secure state by using a device passcode. Education is key so that device owners know the security basics, such as not disabling the device's built-in security controls. Modifying the mobile operating system by "jail-breaking" or "rooting" carries inherent risk: it weakens the platform's protections and leaves the device more vulnerable to compromise by malware or other means. Not all devices are created equal, and consumers should stay aware of the security issues that affect their type of device.
Balancing Security With the User Experience
Like all security mechanisms and controls, mobile security functionality must be balanced against the user experience while still protecting effectively against the threats and vulnerabilities inherent to the specific application and system. The convenience that draws consumers to the mobile channel should not be sacrificed to unnecessary hoops, but neither should an application be left under-secured.
Approaches to security can vary by specific mobile banking transaction or function. As an example of how an institution might balance security controls against access to information, consider prelogin balance viewing: an account balance is generally far less sensitive than the ability to move money, yet being able to see it quickly is a major convenience for the person using the mobile app.
A number of financial institutions enable a balance view with a swipe of the screen after the app is opened but before the user logs in. Among the extra controls they put in place is that the user must explicitly opt in to the feature rather than having it enabled by default; because anyone holding the unlocked device can then see the balance, the opt-in should also be easy to revoke. Activities requiring strong authentication, such as making payments and transferring funds, remain available only after the user has logged in and been properly authenticated in the app or a secure browser. Determine the appropriate level of risk for each function and design the security controls for it accordingly.
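As an added example of how that per-function tiering might be implemented on the server side (this is illustrative code written for this page, not any institution's or vendor's implementation; the assurance levels, the policy table, the function names and the device-bound opt-in token scheme are all assumptions), the following Python maps each banking function to a minimum assurance level, denies anything not in the table, and lets a prelogin swipe reach the balance only when the device presents an opt-in token that the user created while logged in:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Hypothetical assurance levels a request can carry, lowest to highest."""
    NONE = 0          # app opened, nobody logged in
    DEVICE_OPTIN = 1  # device presents a valid prelogin opt-in token
    PASSWORD = 2      # user logged in with a password
    STRONG = 3        # password plus a second factor


# Hypothetical policy table: the minimum assurance each function requires.
# Functions missing from the table are denied, whatever the session holds.
POLICY = {
    "view_balance": Assurance.DEVICE_OPTIN,
    "view_transactions": Assurance.PASSWORD,
    "transfer_funds": Assurance.STRONG,
    "make_payment": Assurance.STRONG,
}


@dataclass
class Session:
    user_id: str
    assurance: Assurance = Assurance.NONE


@dataclass(frozen=True)
class Decision:
    allowed: bool
    required: Assurance  # what the function needs, so the client can offer step-up


class OptInRegistry:
    """Server-side record of which (user, device) pairs opted in to prelogin balances.

    The device keeps an HMAC over the user and device IDs under a server-held
    key. The server only honours it for pairs still enrolled, so opting out on
    the server revokes the token, and a token copied to another device fails.
    """

    def __init__(self, server_key=None):
        self._key = server_key or secrets.token_bytes(32)
        self._enrolled = set()

    def _token(self, user_id, device_id):
        msg = f"{user_id}\x00{device_id}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def opt_in(self, session, device_id):
        # Enabling the feature is itself a sensitive change: require a login.
        if session.assurance < Assurance.PASSWORD:
            raise PermissionError("opt-in requires an authenticated session")
        self._enrolled.add((session.user_id, device_id))
        return self._token(session.user_id, device_id)

    def opt_out(self, session, device_id):
        if session.assurance < Assurance.PASSWORD:
            raise PermissionError("opt-out requires an authenticated session")
        self._enrolled.discard((session.user_id, device_id))

    def verify(self, user_id, device_id, token):
        if not isinstance(token, str):
            return False
        if (user_id, device_id) not in self._enrolled:
            return False
        return hmac.compare_digest(self._token(user_id, device_id), token)


def prelogin_session(registry, user_id, device_id, token):
    """Session for a request made before login: DEVICE_OPTIN only if the token checks out."""
    if registry.verify(user_id, device_id, token):
        return Session(user_id, Assurance.DEVICE_OPTIN)
    return Session(user_id, Assurance.NONE)


def authorize(session, function):
    """Compare the session's assurance with the function's requirement; deny by default."""
    required = POLICY.get(function)
    if required is None:
        return Decision(False, Assurance.STRONG)
    return Decision(session.assurance >= required, required)


if __name__ == "__main__":
    registry = OptInRegistry()
    # Constructed scenario: alice opts in while logged in, then reopens the app.
    logged_in = Session("alice", Assurance.PASSWORD)
    token = registry.opt_in(logged_in, "phone-1")
    swipe = prelogin_session(registry, "alice", "phone-1", token)
    print("view_balance before login:", authorize(swipe, "view_balance"))
    print("transfer_funds before login:", authorize(swipe, "transfer_funds"))
    registry.opt_out(logged_in, "phone-1")
    revisit = prelogin_session(registry, "alice", "phone-1", token)
    print("view_balance after opt-out:", authorize(revisit, "view_balance"))
```

Two design points carry the weight here. The prelogin path can never produce more than DEVICE_OPTIN, so even a stolen opt-in token reaches the balance and nothing else; and enrolment and revocation are server-side state tied to an authenticated session, so the institution, not the phone, decides whether the convenience feature is on.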
Modern mobile platforms were designed with security as one of their top architectural priorities, and the financial services industry should build on that foundation. We need to stay on top of the latest threats, but primarily through a well-considered, carefully designed security strategy and set of controls rather than by reacting to each new attack. By proactively assessing security needs and planning with the bigger picture in mind, we can minimize the impact of emerging threats to the mobile channel and be prepared to address whatever comes next.