By Thomas Schmidt
Recent studies indicate that Americans aren't convinced mobile banking is all it's cracked up to be. In fact, a study released by Sybase 365 in September found that only 24% of Americans consider mobile banking to be secure.
This insecurity may be due to the newness of mobile banking technology. Sybase 365 found that 59% of Americans don't even know if their bank has mobile services, "which suggests that banks have to get the word out that mobile banking is available and safe."
"Online banking is currently the number one way consumers check their account, but it didn't become mainstream overnight. Mobile banking is well on its way to gaining the same widespread popularity among consumers," says Marty Beard, president of Sybase 365. "Consumers are already dependent on having many conveniences at their fingertips, and eventually that will expand to include banking abilities. Financial institutions will soon have to meet consumer demands and market mobile offerings to remain competitive."
This article looks at some of the key considerations regarding mobile security, with special attention paid to what financial institutions can do to educate their customers and their employees about the current threat landscape.
Hackers' next destination
While it's true that the threats to so-called "smart devices" are still relatively rare compared to those targeting PCs, smart devices are likely the next destination of hackers. Threats such as spam and phishing are increasingly "going mobile."
It's not hard to see why.
Users of mobile devices typically perceive messages received by SMS as being more personal than those received by email on a desktop computer. (SMS, or short messaging service, is used for sending short text messages to mobile phones and other mobile text devices.) And, since the threats against these devices have been rare so far, users are more likely to trust those messages and to act on them.
A recent study commissioned by the National Cyber Security Alliance and Cisco appears to bear that out. The study, released in August, was based on interviews with 700 mobile workers in the United States, United Kingdom, Germany, China, India, South Korea and Singapore. Among the study's findings, 73% of the mobile workers said they aren't always aware of security threats and best practices when working on the go; and 28% of them admitted that they "hardly ever" consider security risks and proper behavior.
A perfect storm brewing?
Some observers have gone so far as to say there's a "perfect storm" brewing in the area of mobile security as a result of a number of key factors.
First, adoption rates for smartphones are on the rise. Researchers at Gartner predict that sometime in 2008, smartphones will outship PCs. Fellow researcher IDC, meanwhile, reports that by 2009 the number of mobile workers in the United States is expected to reach more than 70% of the country's total workforce.
Second, the technical capabilities of smartphones are catching up to PCs at a rapid rate. Email, instant messaging, online banking, online shopping and Web surfing are all possible. In fact, in a study released earlier this year, TowerGroup noted that smartphones and wireless PDAs are "particularly attractive" to fraudsters given their capabilities to support PC-like applications including Web browsing and instant messaging. (TowerGroup estimates that employees at 80% of U.S. financial institutions are already using smartphones, including BlackBerrys, in a mix of professional and personal capacities.)
And third, since 2004, the number of threats targeting smart devices has doubled every six months. In addition, Javelin Strategy & Research, a financial services survey company, estimates there were about 60 viruses using mobile operating systems in 2006; this year, that number is expected to rise to more than 400 viruses.
As a result, users need to secure their smart devices in the same way that they secure their laptop or PC. That means they need:
- Antivirus protection to provide protection against mobile threats with negligible impact on the smartphone
- Antispam for SMS to eliminate unwanted spam messages that may also contain viruses, spyware and other malware
- A firewall to control inbound and outbound network traffic on the mobile device
- Data encryption technologies that encrypt data on the device and memory cards in case it is lost or stolen
What banks need to do
At the same time, financial institutions must step up their efforts to extend security capabilities to their customers to protect them as they bank online. It is imperative that financial institutions make it easy and convenient for customers to safeguard themselves from phishing, crimeware attacks and identity theft at the moment they begin sharing their sensitive financial information. Customers must be able to know when they are on the legitimate site of their financial institution and when they have come upon an imposter.
The following guidelines have been established to help customers protect themselves online:
- Keep the device updated with the latest patches and updates as soon as they become available.
- Make sure the device is configured securely, especially when it comes to configuring the Web browser and email software. Security and privacy settings can be configured without any special expertise, simply by using the "Help" feature of your software, or visiting the vendor's Web site.
- Choose strong passwords and keep them safe. Strong passwords have eight characters or more and use a combination of letters, numbers and symbols.
- Review bank and credit card statements regularly.
- Protect the device with security software, including a software firewall and antivirus protection.
- Exercise caution when sharing any personal information online.
- Keep in mind that online offers that look too good to be true usually are.
As for financial institutions themselves, TowerGroup recommends that CIOs and IT managers take the following steps to protect against virus attacks on mobile devices and the infiltration of these viruses into institutional networks and databases:
- Create enforceable policies regarding mobile usage that are communicated to employees, including what type of mobile downloads are safe and allowable.
- Require wireless carriers serving an institution on an enterprise level to install and monitor mobile safeguards.
- Restrict the use of personal mobile phones that can be used for corporate activities, mirroring the security and protocols now in place for PCs.
- Evaluate which combinations of network-based and device-based security solutions represent the right fit for the institution and prioritize their deployment.
Mobile payments
Looking ahead, cell phones will soon use what are called near-field communication (NFC) chips to communicate with special readers in stores, allowing users to purchase items through their cell -- and eliminating the need to carry a credit card. If that happens, says CNET security expert Robert Vamosi, "Visa and MasterCard, both of which are testing this technology, will need to overcome the biggest problem facing mobile users: loss or theft of the mobile device. And, if your mobile device does become an electronic wallet containing personal information more valuable than just custom ring tones, you can bet mobile phones will become an even bigger target for thieves, both real-world and virtual."
John Fricke, chief of staff of the Financial Services Technology Consortium, cites several advantages to this mobile wallet, perhaps the primary one being that such a device would be a wallet/checkbook/address book/navigator rolled up into one. While transferring funds via a cell phone isn't common, Fricke points to IBM Global Services research indicating that mobile payments could grow to $80 billion. Already, several large banks and telecommunications providers are working together to ensure the security of mobile payments.
Conclusion
In today's mobile world, using smartphones for everyday tasks such as sending emails or banking online should be a convenience, not a worry. Consumers should feel safe accessing confidential information without having to fear that it will end up in the wrong hands.
At the same time, if consumers are to get the most out of these devices, it's essential that they receive the education they need to practice good security behavior. That's why it is so important for financial institutions to educate their customers and employees about the current threat landscape, as well as provide them with information that will make their online banking experience secure. Only then will their devices -- and their privacy -- be safeguarded from the latest mobile threats.
Tom Schmidt writes frequently about information security topics. He has more than 15 years' experience as a writer and editor in high-tech publishing.