Mobile Authentication in Financial Services
By Todd Wasserman
Banks used to try to one-up each other by offering lower interest rates and free toasters, but since the focus is now on convenience, mobile banking is catching on quickly.
In the last year or so, Citi, Chase, Wells Fargo, Wachovia and SunTrust, among others, have rolled out applications that let consumers check their balance or execute simple transfers via their cell phones.
While it's unclear whether consumers are taking to the new applications, competition and peer pressure mean CIOs in the financial services industry are likely to have mobile banking applications on their plate in 2008.
The rise of mobile banking has the potential to cause a huge headache. The combination of sensitive financial information and mobile access means CIOs will have to balance customer convenience with heavy-duty security.
To make the task even more complex, there are three basic platforms to consider:
- Browser/WAP
- Downloadable Applications
- SMS/Text Messaging
Each of these platforms carries its own risks. A browser/WAP application of the sort used by MShift and M-Com, among others, sports 128-bit data encryption, but the necessity of entering a URL leaves consumers open to phishing attacks, which would work the same way they do online: A fraudster sends a misleading email, which sends the consumer to a fraudulent Web site. There's also a risk that a criminal will obtain the consumer's username or password to get access to the online account.
Downloadable applications are used by mFoundry and Firethorn, and while they also include standard encryption, they are vulnerable to mobile malware.
Finally, SMS/Text Messaging, which is used by ClairMail and Fronde Anywhere, does not include encryption protection and is subject to phone number spoofing and, again, mobile malware.
An April 2007 report by Javelin Strategy & Research, of Pleasanton, Calif., found that, in a poll of 2,230 consumers, 69% felt that downloadable mobile applications from their banks were the most secure. But Rachel Kim, a Javelin analyst, notes that all three are vulnerable to attacks. Moreover, many banks are leaning towards offering more than one platform to their customers. For instance, Wells Fargo offers SMS- and browser-based applications.
The good news is that despite dire predictions by some, no major security breaches have been reported on the mobile banking front.
"From interviews with banks' mobile divisions, we're not really seeing a ton of this happening just yet," Kim says. "As we see it, the mobile channel presents some security advantages."
Such advantages include:
- Because the mobile channel relies on private networks, security holes or weaknesses can be closed up right away.
- Although there are some 400 mobile viruses, according to Kim, they don't spread nearly as easily as Internet-based ones do. Moreover, consumers can limit the spread of those viruses further by turning off their Bluetooth functionality when they're not using their mobile devices. Kim says that Bluetooth is the chief conduit of many virus transfers these days.
- Finally, even if a consumer lost the mobile device and a criminal had access to the password and sign-on, there's not a lot they can do with the information. The worst they could do is make a transfer between accounts.
Says Kim: "The information residing on the phone is no more than what you'd find in an ATM receipt."
But Natalie Lambert, a senior analyst with Forrester Research in Cambridge, Mass., says that just because there haven't been any attacks on mobile banking applications doesn't mean there won't be.
"It's something you should absolutely be thinking about," she says. "As more and more financial services companies offer this, this is going to be seen as a target of attack."
That said, Lambert believes the issue isn't that difficult from a security standpoint.
"Treat the mobile device as a laptop," she says. "Make sure you have the traditional anti-spyware and anti-virus protection."
Worries about mobile banking security threats may turn out to be moot, though, at least in the short term. In survey after survey, consumers say they are wary of mobile banking.
"Our research shows that among segments that should be most amenable to it, like young people, there's not a tremendous amount of interest, like in the single digits," says Brad Strothkamp, a senior analyst at Forrester. "Most people say 'I just don't need that.'"
Todd Wasserman has more than 15 years' experience writing for The New York Times, The Industry Standard and Business 2.0, among other publications. He is currently editor of Brandweek magazine.