
Mobile Banking: Rewards and Risks

Mobile banking is a relatively new banking service that is rapidly gaining popularity with consumers and businesses. More than half of the 100 largest banks in the United States offer mobile banking[1] and approximately 19 million U.S. households use this service.[2] Analysts estimate use of mobile banking will continue to grow, potentially expanding to 38 million households by 2015.[3] However, with more widespread use comes the potential for increased fraud that could harm financial institutions and customers.

Mobile banking is the use of a mobile device, commonly a cell phone or smart phone, to conduct banking activities, such as balance inquiry, account alerts, and bill payment. It is not the same as mobile payments, which uses the same mobile devices to initiate payments from a person to other people or businesses. Mobile banking is offered by insured depository institutions, while mobile payments systems can be offered by many types of companies.

This article discusses the technologies used to deliver mobile banking services, identifies the potential risks to financial institutions and customers, and describes strategies for mitigating these risks. The information provided in this article represents the informed perspective of the author and is offered as a resource for financial institutions offering mobile banking services to their customers. This article should not be considered supervisory guidance.

Mobile Banking Delivery Channels

Mobile banking is offered through three delivery channels:

• Text messaging/short message service (SMS)
• Mobile-enabled Internet browser
• Mobile applications (apps).

To appeal to a greater number of customers, some financial institutions are finding it advantageous to offer mobile banking through multiple delivery channels. In fact, nineteen of the fifty-four largest banks that offer mobile banking use all three channels and seventeen offer two of the three channels.[4]

SMS-based mobile banking was the first channel that enabled customers to interact with their bank using a mobile phone. SMS messages are short, typically limited to 160 characters per message, and can be sent and received by most mobile phones. The financial institution and customer use text messages to exchange financial information and instructions within the parameters set by the bank.

With the advent of smart phones, mobile banking has become more attractive and user friendly. During the past two years, smart phone ownership increased 127 percent.[5] As of July 2011, 34 percent of all consumers owned smart phones.[6] Using a smart phone or tablet computer with an embedded browser, customers can visit the institution’s online banking Web site from virtually anywhere.

[1] First Annapolis Consulting, 2010 Mobile Banking and Payments Study (2010) (private study available for a fee) (on file with author).
[2] Report, no. 188, Jan. 18, 2011, at 5 (private study available for a fee) (on file with author).
[3] See id.
[4] See First Annapolis Consulting, supra note 1, at 17.
[5] Javelin Strategy and Research, Banking Security: Mobile Banking Stalls on Consumer Fears (2011) (private study available for a fee) (on file with author).
[6] See id.

14 Supervisory Insights Winter 2011

This provides customers with an online banking experience similar to what is available on desktop computers.

As smart phones are now capable of running many applications, and portable tablet computers are increasing in popularity, more financial institutions have introduced mobile application-based banking. This form of mobile banking uses a custom-designed application installed on the customer’s mobile device. The application is unique to each device, providing the most user-friendly experience of the three delivery channels. In fact, app-based mobile banking is now the fastest growing delivery channel.[7]

Although use of mobile banking services continues to grow, the rate of increase slowed during the past two years due in part to consumer concerns about security. The results of a study conducted by Javelin Strategy and Research, a California-based firm focused on global financial services, show that the number of consumers rating online banking unsafe rose from 26 percent to 40 percent during this time.[8] Security concerns present significant challenges for financial institutions providing mobile banking services, and each delivery channel poses unique risks for institutions and customers.

Channel-Specific Mobile Banking Risks

SMS is considered an unsecure channel because text messages cannot be encrypted, increasing the likelihood that SMS-based mobile banking users may be susceptible to scams. Using a tactic known as “social engineering,” fraudsters send text messages that may mislead customers into believing they are communicating with their bank and then revealing sensitive information, for example, account number, logon ID, or password.

More secure than SMS, Web-based mobile banking takes advantage of established Internet security protocols, and the service can be used on mobile devices with wireless Internet access. However, mobile browsers displayed on small screens, particularly smart phones, generally do not display the visual security clues more easily seen on the full-scale browsers of large screens. Thus, customers may miss a visual warning that their online banking session has been compromised.

Mobile application-based banking also is considered more secure than SMS. However, security professionals debate whether this delivery channel is more or less secure than Web-based mobile banking. The development of mobile applications using secure coding techniques may limit the ability of fraudsters to intercept and control a mobile banking session or capture sensitive customer information.

[7] W.B. King, “Getting Smart – Mobile Banking Continuing to Gain Momentum,” Credit Union Business, http://www.creditunionbusiness.com/2011/09/15/getting-smart-mobile-banking-continuing-to-gain-momentum (last visited October 20, 2011).
[8] See Javelin Strategy and Research, supra note 5, at 12.

However, in the rush to get mobile applications to market, secure code review and testing may not be sufficiently robust. Also, mobile banking can be compromised by the installation of rogue, corrupt, or malicious applications on a customer’s mobile device.

A recent study looked at the security of four types of mobile applications – financial services, social networking, productivity,[9] and retail.[10] The study focused on the types of sensitive data that mobile applications store on the device and whether these data were stored securely. Each application was rated “Pass,” “Warn,” or “Fail.” A “Pass” rating means sensitive data are not stored on the device or are encrypted. A “Warn” rating means certain data are stored on the device, but this does not put the user at significant risk of fraud. A “Fail” rating indicates sensitive data, such as account numbers and passwords, are stored on the device in clear text, placing the user at an increased risk of identity theft or other financial fraud.

Although the results show a significant share of all four types of applications failed the test, the financial services industry had the largest percentage of apps that passed the test (see table below). These results suggest that even though the financial services industry has more work to do to ensure mobile applications do not store sensitive information unnecessarily or unencrypted, at least for purposes of this study, this sector outperformed the others.[11]

Given the unsecure nature of SMS-based mobile banking, this channel would seem to be much more appropriate for communicating non-sensitive information, which may include confirming transactions initiated through another channel, rather than initiating transactions such as bill payments, funds transfers, or adding new payees. Institutions should make reasonable efforts to migrate customers from SMS to more secure Web- or app-based mobile banking platforms.

Mobile Application Security by Type of Application

Industry             Pass   Warn   Fail
Financial Services   44%    31%    25%
Social Networking     0%    26%    74%
Productivity          9%    49%    43%
Retail                0%    86%    14%

Source: ViaForensics.
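To make the rating rubric concrete, the following audit is an added example (not code from the article or from viaForensics): it searches storage files captured from a device for the test credentials the auditor logged in with, rates each app Pass, Warn or Fail, and rolls the ratings up per industry in the shape of the table above. The file contents, the test credentials, and the assignment of password and account number to “Fail” versus logon ID and balance to “Warn” are constructed assumptions.

```python
"""Known-plaintext audit of a mobile app's on-device storage, rated with the
Pass/Warn/Fail rubric described above. Added example: the captured files,
the test credentials and the risk split are constructed assumptions."""
import base64
from collections import Counter

# Credentials the auditor logged in with before imaging the device (constructed).
# Assumed split: password or account number in the clear -> "Fail";
# only logon ID or a balance in the clear -> "Warn"; nothing found -> "Pass".
HIGH_RISK = {"password": "Tr0ub4dor&3", "account_number": "123456789012"}
LOW_RISK = {"logon_id": "jsmith", "last_balance": "1,234.56"}


def encodings(value: str) -> list[bytes]:
    """Forms a clear-text copy may take on disk: UTF-8, UTF-16 (used by some
    preference stores) and base64, which is an encoding, not encryption."""
    raw = value.encode("utf-8")
    return [raw, value.encode("utf-16-le"), base64.b64encode(raw)]


def audit_app(files: dict[str, bytes]) -> tuple[str, list[str]]:
    """Rate one app from its captured storage files (path -> raw bytes)."""
    findings, worst = [], "Pass"
    for path, blob in files.items():
        for level, items in (("Fail", HIGH_RISK), ("Warn", LOW_RISK)):
            for label, value in items.items():
                if any(form in blob for form in encodings(value)):
                    findings.append(f"{path}: {label} recoverable in clear text")
                    if level == "Fail" or worst == "Pass":
                        worst = level  # Fail overrides Warn, Warn overrides Pass
    return worst, findings


def summarize(rated: dict[str, tuple[str, str]]) -> dict[str, dict[str, int]]:
    """Percentage of apps rated Pass/Warn/Fail per industry, as in the table."""
    counts: dict[str, Counter] = {}
    for industry, rating in rated.values():
        counts.setdefault(industry, Counter())[rating] += 1
    return {ind: {r: round(100 * c[r] / sum(c.values())) for r in ("Pass", "Warn", "Fail")}
            for ind, c in counts.items()}


# Constructed storage captures for three hypothetical apps.
SAMPLE_APPS = {
    "bank_a": ("Financial Services", {  # session token is an opaque ciphertext
        "shared_prefs/session.xml": b'<string name="token">'
        + base64.b64encode(b"\x8a\x13\xf0opaque") + b"</string>"}),
    "bank_b": ("Financial Services", {  # logon ID cached in clear text
        "shared_prefs/login.xml": b'<string name="user">jsmith</string>'}),
    "shop_c": ("Retail", {  # password merely base64-encoded in a database
        "databases/app.db": b"...pwd=" + base64.b64encode(b"Tr0ub4dor&3") + b"..."}),
}


def run_audit(apps=SAMPLE_APPS):
    """Rate each app, then roll the ratings up per industry."""
    rated = {name: (industry, audit_app(files)[0])
             for name, (industry, files) in apps.items()}
    return rated, summarize(rated)
```

Because base64 and UTF-16 are only encodings, the search checks those forms as well; a copy that was compressed or otherwise transformed would not be found by a substring search alone.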

[9] Productivity applications are intended to help a user be more productive, for example, allowing the user to access a variety of e-mail accounts from one central application or update a blog while away from his computer.
[10] Security Study: appWatchdog Findings, viaForensics, http://viaforensics.com/education/white-papers/appwatchdog-findings-mobile-app-security--android/ (last visited October 18, 2011).
[11] See id.

As mobile devices and browsers become more sophisticated, financial institutions should use the advances to improve the security of Web-based mobile banking. The goal should be to make Web-based mobile banking as secure as online banking from a customer’s personal computer.

As is the case with any banking product or service involving a third-party provider, financial institutions that offer app-based mobile banking are expected to work with reliable, knowledgeable, and reputable vendors to develop applications using secure coding techniques. Appropriate steps should be taken in coding and testing to ensure the application does not contain exploitable weaknesses. Perhaps most importantly, institutions should distribute applications and updates securely and make reasonable efforts to educate customers that banking applications should be downloaded from reputable sources, such as the institution’s Web site or other designated download sites. When vulnerabilities are discovered, the financial institution has an obligation to promptly develop and deploy security patches.

Other Mobile Banking Risks

In addition to the risks specific to delivery channels, financial institutions should consider the following risks and vulnerabilities when offering mobile banking services to their customers:

Secure authentication of mobile banking customers

The portability of mobile devices enhances their usefulness; however, it also means these devices are susceptible to being lost or stolen. To mitigate this risk, financial institutions should implement controls to verify the person accessing the mobile banking service is the customer. The Federal Financial Institutions Examination Council (FFIEC) recently issued supervisory guidance on strong customer authentication that applies to mobile banking.[12] Possession of the mobile device alone should not be enough to permit access to the mobile banking application. At the very least, access to the device should be password protected and users seeking access to the mobile banking service should be subject to strong authentication as described in the FFIEC guidance.

[12] FIL-50-2011, “FFIEC Supplement to Authentication in an Internet Banking Environment” (June 29, 2011) at http://www.fdic.gov/news/news/financial/2011/fil11050.html; see also FIL-103-2005, “FFIEC Guidance on Authentication in an Internet Banking Environment” (October 12, 2005) at http://www.fdic.gov/news/news/financial/2005/fil10305.html.

Mobile malware and viruses

To date, problems involving viruses and malware targeted at mobile devices have been limited; however, the ubiquity of mobile devices, common operating systems, and downloadable applications make them a prime target. The market for mobile antivirus and malware detection security software is continuing to evolve. Financial institutions should monitor these developments and consider when to recommend mobile banking customers run security software on their devices, including whether the institution should make the software available directly to customers.

Data transmission security

Mobile devices generally are designed to accept instructions from cell towers and search for the strongest cell tower signal. Mobile devices must authenticate themselves to the cell tower using the unique information on the device’s subscriber identity module (SIM) card to show it is a legitimate device. However, cell towers are not required to provide similar authentication to mobile devices. Telecommunications standards and mobile devices are designed to be backward compatible; if the cell tower operates on an older standard, the mobile device will adopt the less secure standard to complete the wireless connection. Therefore, it is possible to build and operate a rogue cell phone tower, trick mobile devices into connecting to the rogue tower, and hijack the mobile session, potentially compromising mobile banking sessions.

In addition, most mobile devices can connect to wireless local area networks (WLANs) used by many customers to minimize telecommunications expenses and optimize connection speeds. However, financial institutions should caution customers against using public WLANs for mobile banking. Neither the customer nor the financial institution can ensure a public WLAN is secure, and incidents have occurred where banking credentials were stolen from an unsecure WLAN.

Compliance risk

Compliance risk often arises from violations of laws or regulations, financial institutions operating inconsistently with supervisory guidance, or institutions’ noncompliance with internal policies, procedures, or business standards. Generally, the consumer laws, regulations, and supervisory guidance that apply to traditional financial services delivery channels also apply to services provided to consumers through mobile banking.

However, the relevant laws, regulations, and guidance will apply differently, depending on how a financial institution is involved in mobile banking. Financial institutions that enable consumers to access deposit and other services through their mobile device should ensure that any applicable disclosure requirements, including format, content, timing, and manner of delivery, are fully accessible to the customer. In addition, institutions using the mobile banking channel to provide information about products and services to consumers should verify compliance with applicable advertising rules and regulations. For example, banks advertising credit products subject to the Fair Housing Act are required to display the Equal Housing Lender logo and legend. Institutions advertising deposit products and services are required to comply with Regulation DD advertising disclosures and, if relevant, display the official advertising statement found in the FDIC’s regulations.

The rapid pace of development in mobile financial services will require that compliance officers, management, and system designers work closely together to effectively use the new technology while assessing, identifying and controlling for compliance risks.[13] Therefore, a financial institution should broadly consider the impact of its mobile banking strategy on operations and take steps to ensure the compliance management system addresses the types and level of mobile banking technology used by the institution.

Regulatory Considerations

Although mobile banking is a relatively new service, many associated risks are present in other banking technologies and services. Financial institutions should review other regulations and supervisory guidance issued by the federal banking agencies, such as the FFIEC IT Examination Handbooks on Development and Acquisition, Outsourcing Technology Service Providers, E-Banking, and Information Security.[14]

Institutions should also review the following regulations and supervisory guidance:

• Interagency Information Security Standards[15]
• Interagency Regulations and Guidelines on Identity Theft Red Flags[16]
• FFIEC Guidance on Risk Management of Remote Deposit Capture[17]
• Guidance on Electronic Financial Services and Consumer Compliance[18]
• Guidance for Managing Third-Party Risk[19]

This body of supervisory guidance addresses steps financial institutions are expected to take to protect sensitive customer information, prevent identity theft, enable secure online transactions, communicate appropriate consumer disclosures, and manage the risks associated with the use of third-party service providers.

[13] The examples in this section are provided for illustration and do not constitute a complete list of mobile banking capabilities or consumer compliance matters associated with this delivery channel.
[14] FFIEC IT Examination HandBook InfoBase, http://ithandbook.ffiec.gov/it-booklets.aspx.
[15] 12 CFR § 364, Appendix B.
[16] FIL-100-2007, “Interagency Regulations and Guidelines on Identity Theft” (November 15, 2007) at http://www.fdic.gov/news/news/financial/2007/fil07100.html.
[17] FIL-4-2009, “FFIEC Guidance on Risk Management of Remote Deposit Capture” (January 14, 2009) at http://www.fdic.gov/news/news/financial/2009/fil09004.html.
[18] FIL-79-98, “Guidance on Electronic Financial Services and Consumer Compliance” (July 16, 1998) at http://www.fdic.gov/news/news/financial/1998/fil9879.html.
[19] FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6, 2008) at http://www.fdic.gov/news/news/financial/2008/fil08044.html.

As the demand for mobile banking services continues to grow, financial institutions should conduct a comprehensive risk assessment or update existing assessments during the design, testing, and implementation of a mobile banking product. Guidance for performing an effective risk assessment is available in the FFIEC IT Examination Handbook on Management.[20] Risk assessments should be updated in response to changes in technology, business strategy, security threats, product functionality, and legal requirements. Should a risk assessment identify new risks or vulnerabilities, financial institutions should address them promptly to appropriately and effectively mitigate the risks for the institution and its customers.

Conclusion

With greater use of all types of mobile services, mobile banking is expected to continue to grow. Mobile banking provides greater convenience for customers as it allows them to accomplish tasks “on the go.” However, this service is not without risks. Financial institutions are challenged to ensure their mobile banking service is designed and offered in a secure manner, and customers are made aware of steps they can take to protect the integrity of their mobile banking transactions.

Jeffrey M. Kopchik
Senior Policy Analyst
[email protected]

[20] FFIEC, IT Examination Handbook on Management 15-24 (June 2004) available at http://ithandbook.ffiec.gov/it-booklets/management.aspx; see also FFIEC, supra note 10; see also Paul M. Onischuk, “Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk,” Supervisory Insights (Winter 2009) at http://www.fdic.gov/regulations/examinations/supervisory/insights/siwin09/si_win09.pdf.
