The Scope of the Mobile Banking Problem

Financial institutions present many opportunities for electronic theft, and cyber-attackers’ improved techniques and ever-more-aggressive malware make them increasingly vulnerable, writes Jan Valcke

The proliferation of mobile devices increases the complexity of the security problem for banks. The number of connected devices now exceeds the number of people on the planet. There are so many passwords, accounts, channels and different ways to do mobile banking (ATM, phone, web) that hackers are targeting everyone, everywhere, and by any method possible.

Let’s examine some of the best practices for financial institutions to protect mobile applications and their customers, while making mobile banking easier and more productive.

Improve Authentication Methods to Meet User Needs

Some of the older password options are no longer useful or secure enough in a digital, hyper-mobile, and constantly connected world. But using newer technologies such as token OTP (one-time password) or voice prompts to provide mobile access to financial services is not always convenient. Other technologies, such as visual transaction signing and risk-based authentication, improve security while also accommodating the demand for flexibility, ensuring that mobile users benefit from both robust authentication and transparent signatures.

Strengthen Client-Side Protection

Simple authentication with a username and PIN is no longer sufficient for mobile banking, because many users reuse these combinations across a variety of online services. When it comes to applications and mobile users, a better solution is to combine the user's PIN with other information (something the user knows) to better secure both the mobile phone and the account.

Banks can also use risk-based methods to determine if a device is in an acceptable geo-location to add additional levels of protection.

Strengthen Security for Client-Server Communication

There are use cases where multi-factor authentication makes sense. Some devices (or software tools), for example, can generate an OTP and transmit it over a Bluetooth connection. With this method, the OTP is delivered directly to the application, so the user does not have to type the password in.

Use a Variety of Risk-Based Methods

Users want to do more with mobile banking and have more services. But this means that banks have to consider the additional risks and scale their security accordingly. The fact also remains that while encryption tools get better, hackers do too. This creates demand for stronger, transparent signatures that can be sent digitally and without worry or fear.

Be Proactive with Fraud Prevention

Blocking potentially hazardous activities before they occur is essential. With mobile applications incorporating risk-scoring capabilities, organizations can proactively prevent fraudulent activities, creating a barrier that a hacker can’t easily bypass, with no impact on the user experience. Risk-scoring functions can limit the risk on the client side before a transaction takes place. If the operation is still allowed, instruments such as adaptive or risk-based authentication on the server side can reduce the risk further.
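The client-side protection section above (a PIN combined with device information, plus a geo-location check) and the risk-scoring paragraph just read describe one pipeline: collect signals, score them, and let the score decide whether to allow, step up authentication, or block. The following is an added example, not code from the article or from any bank's system, showing that pipeline end to end. The signals (enrolled device list, distance and elapsed time since the last login, transaction amount), the weights, the thresholds, and the "Alice in London" profile are all assumptions constructed for illustration; a real deployment derives them from its own fraud data.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass
class UserProfile:
    """What the bank already knows about the customer (constructed sample data)."""
    enrolled_devices: frozenset   # device identifiers bound to this account
    last_lat: float               # location of the previous successful login
    last_lon: float
    last_timestamp: float         # seconds since epoch of that login
    typical_max_amount: float     # largest routine transfer seen for this user


@dataclass
class SessionEvent:
    """Signals the mobile app collects for the current request."""
    device_id: str
    lat: float
    lon: float
    timestamp: float
    amount: float
    pin_ok: bool                  # PIN already checked by the app/server


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


# Assumed weights and thresholds, chosen for illustration only.
WEIGHT_UNENROLLED_DEVICE = 40
WEIGHT_IMPOSSIBLE_TRAVEL = 40
WEIGHT_UNUSUAL_AMOUNT = 30
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
STEP_UP_THRESHOLD = 30
BLOCK_THRESHOLD = 70


def risk_score(event, profile):
    """Return (score, reasons) for this event measured against the user's profile."""
    score, reasons = 0, []
    if event.device_id not in profile.enrolled_devices:
        score += WEIGHT_UNENROLLED_DEVICE
        reasons.append("device not enrolled for this account")
    distance = haversine_km(profile.last_lat, profile.last_lon, event.lat, event.lon)
    # Floor elapsed time at one minute so a near-simultaneous login cannot divide by zero.
    elapsed_h = max((event.timestamp - profile.last_timestamp) / 3600.0, 1.0 / 60.0)
    if distance / elapsed_h > MAX_PLAUSIBLE_SPEED_KMH:
        score += WEIGHT_IMPOSSIBLE_TRAVEL
        reasons.append("impossible travel since last login")
    if event.amount > 2 * profile.typical_max_amount:
        score += WEIGHT_UNUSUAL_AMOUNT
        reasons.append("amount far above this user's normal range")
    return score, reasons


def decide(event, profile):
    """Adaptive authentication: the PIN is the baseline, the score decides the rest."""
    if not event.pin_ok:
        return "deny", ["PIN check failed"]
    score, reasons = risk_score(event, profile)
    if score >= BLOCK_THRESHOLD:
        return "block", reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", reasons      # e.g. ask for a transaction signature
    return "allow", reasons


# Constructed sample: a London customer, one enrolled phone, routine transfers up to 500.
ALICE = UserProfile(frozenset({"phone-A1"}), 51.5074, -0.1278, 1_700_000_000.0, 500.0)

if __name__ == "__main__":
    routine = SessionEvent("phone-A1", 51.5100, -0.1200, 1_700_007_200.0, 50.0, True)
    print(decide(routine, ALICE))          # ('allow', [])
    # Same enrolled phone, but in New York one hour after a London login.
    travelled = SessionEvent("phone-A1", 40.7128, -74.0060, 1_700_003_600.0, 50.0, True)
    print(decide(travelled, ALICE))        # ('step_up', ['impossible travel since last login'])
```

Each outcome carries its reasons so that the step-up prompt, the fraud team's case notes and the detection logs all see the same explanation; a scoring model that only emits a number is much harder to tune or to audit after an incident.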


Ultimately, security in mobile banking involves a secure application running on a secure platform through a secure communication channel. It should also be able to collect and analyze data and user sessions in order to make real-time, risk-based decisions that prevent fraud.

Putting these concepts together in a single mobile banking security strategy can meet the needs of banking organizations with respect to security and the provision of services. At the same time, it can also meet mobile banking customers’ requirement for functionality and convenience, as well as data and identity protection.
