Mobile Banking: Security Is A Problem
Security Experts Agree Mobile Banking Needs Some Work
I got an exclusive opportunity this week to attend the Mobile Financial Services Forum in Arlington, Va. Hosted by BITS and the Financial Services Technology Consortium, both divisions of The Financial Services Roundtable, the two-day forum attracted a nice mix of payments vendors, mobile providers and financial institutions. It also brought together a number of security professionals, and the overarching theme across all of the presentations and panels? Mobile is vulnerable, to things we don't even know about yet.
A quick sidebar: I posted a few tweets from the event. If you want to catch up, follow #MobileForum, a list I created.
One presenter I found especially intriguing was Jason Rouse, a financial-security consultant who focuses on mobile and wireless technology. Quite simply, Rouse ranks the mobile channel second only to the online channel where security risks are concerned. But, given the relative maturity of the online-banking channel -- financial institutions are more familiar with the ins and outs of online breaches and phishing attacks -- the unknowns of mobile trump the unknowns of online, and that puts mobile at the top where security and risk are concerned.
"By itself, radio frequency communication is probably the most vulnerable mode of communication we have ever created," Rouse says. "Don't be fooled. However, we have had decades of experience leveraging secure communications protocols over wireless. In this case, we need to tread carefully to ensure that we not only select the right protocols but also implement them correctly. In the past, that has proven hard to accomplish on consumer devices." But he's quick to follow that up with definitive support for a move into mobile. Basically, mobile banking is the future, and banking institutions that don't jump in will be left behind.
Bankers are aware that risks are involved; the problem is identifying those risks. When asked about malware attacks, one presenter suggested that malware attacks on mobile are possible, but because of the diversity in mobile operating systems, threats of malware are, well, not quite so significant, at least for now. Of course, that comment raised a few eyebrows, mine included.
We've already seen mobile take a malware hit. Does Zeus Mitmo ring a bell? In September, researchers at S21sec, a technology security firm, confirmed that Zeus had hit mobile-banking users at 12 banks in Spain. And the frightening thing about the Mitmo attack is that it had the ability to hijack a mobile user's address book - basically giving the fraudsters behind the attack complete control to approve financial transactions via SMS/text without the user even knowing.
Yes, it's a scary environment, and even the experts are having a hard time keeping up with the rapidly changing threats that seem to crop up daily. Take authentication as an example. And in this context, we can talk about authentication from a couple of angles.
Let's take a look at authentication of mobile transactions. Authenticating a user's identity on a mobile device is challenging, if not impossible, at the moment. Mobile devices can be lost, the sender of an SMS/text message cannot truly be verified, and trying to authenticate a transaction based on an IP address, as can be done via the online channel, is impossible. As Rouse rightly points out, IP addresses on mobile devices are fluid - users are browsing from diverse locations all the time. They browse when they travel; they browse when they are at home. It's not static.
The use of biometrics could help, but in what capacity? Voice biometrics is reliable, but how many so-called mobile bankers call their financial institutions when they conduct mobile-banking transactions? A relatively small percentage, I would venture to guess.
And what about two-factor or out-of-band authentication - the kind of authentication that incorporates the mobile and online channels, with the mobile channel serving as the second layer? An online-banking user logs on and is asked to enter a mobile number so that a code can be SMS/texted to the user's device. Once the code is received, the user has a brief window of time to enter that code on the website. Well, the Mitmo attack got around that. In fact, a compromise of the online channel led to the compromise of the mobile channel. The SMS/text that was sent to users at those 12 Spanish banks contained a link to malware.
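The SMS-code loop described above, written out as an added illustration; this is not code from the post or from any institution or vendor it mentions. The window length, attempt limit, session names and in-memory store are assumptions, and the code assumes the device receiving the text is uncompromised, which is exactly the assumption Mitmo broke.

```python
"""Out-of-band SMS code check: issue a code, accept it once, within a brief window.

Illustration only (constructed scenario). The server would SMS/text the code to the
enrolled number; here issue() returns it so the flow can be exercised offline.
"""
import hmac
import secrets
from dataclasses import dataclass

CODE_WINDOW_SECONDS = 120   # assumed length of the "brief window of time"
MAX_ATTEMPTS = 3            # assumed guess limit per issued code


@dataclass
class PendingCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsOtpVerifier:
    def __init__(self, window: float = CODE_WINDOW_SECONDS, max_attempts: int = MAX_ATTEMPTS):
        self.window = window
        self.max_attempts = max_attempts
        self._pending: dict[str, PendingCode] = {}   # session id -> outstanding code

    def issue(self, session_id: str, now: float) -> str:
        """Generate a fresh 6-digit code for this login session (old one is replaced)."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[session_id] = PendingCode(code, now)
        return code

    def verify(self, session_id: str, submitted: str, now: float) -> bool:
        """Single use, bounded guesses, expiry enforced before the comparison."""
        pending = self._pending.get(session_id)
        if pending is None:
            return False
        if now - pending.issued_at > self.window:
            del self._pending[session_id]            # expired: user must request a new code
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.code, submitted)   # constant-time compare
        if ok or pending.attempts >= self.max_attempts:
            del self._pending[session_id]            # consumed, or locked out
        return ok


def run_flow() -> dict:
    """Walk the flow with a fixed clock: late code, wrong code, correct code, replay."""
    v = SmsOtpVerifier()
    late = v.issue("login-1", now=0.0)
    results = {"late": v.verify("login-1", late, now=CODE_WINDOW_SECONDS + 1)}
    code = v.issue("login-1", now=500.0)
    wrong = "000000" if code != "000000" else "999999"
    results["wrong"] = v.verify("login-1", wrong, now=510.0)
    results["correct"] = v.verify("login-1", code, now=520.0)
    results["replay"] = v.verify("login-1", code, now=530.0)
    return results
```

Nothing in this loop can tell whether the handset that received the text is also the one that has been hijacked, which is the gap the post is pointing at.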
For those reasons and others -- the forum also addressed mobile payments and mobile's chip connection to EMV -- I was very pleased with the event. If we don't have dialogue, we've no hope of getting a handle on this explosive and emerging channel.
"As new product channels develop, we realize there is an element that wants to exploit those," says Paul Smocer, president of the Financial Services Technology Consortium. "That's something we need to address now, before this channel develops much further."
I agree, and the steps the industry has taken so far, by simply looking to online security measures for the security roadmap it lays for mobile, are not sufficient. Mobile needs its own guidance, its own oversight and its own mandates. I know that's not something the industry likes to hear, but I think everyone would agree with the sentiment.