Mobile Maturity

Here’s a conundrum: Is the rising concern over security as it relates mobile banking a sign that mobile banking is gaining legitimacy?

Sadly, yes.

There’s been a lot of talk here and in plenty of other places how mobile banking is being adopted more broadly by providers and consumers alike. With a little push on the innovation front, it’s likely to gain even more traction as the social media generation comes of age. Walking into financial institutions, or even sitting down in front of the PC, is too much work; let your phone or tablet do the banking. We’re surely about to see a plethora of mobile apps that enable us to deal with our finances in ways we never have before. As with every other shift in technology, this is turn will affect our behavior—perhaps even our attitude toward our personal finances.

The flip side to all this, of course, is the downside— a new breed of criminal that poaches on looser protection standards. The goal: to secure access to insecure data.

But again, as with the emergence of every new platform, form factor or application, security takes on a new urgency. The very point of mobile adoption is convenience—everything absolutely must get easier. Now, if something is easier, does that mean it’s automatically less secure?

Let’s hope not, but there’s more work involved to make that happen. Every financial institution is currently rushing products to market, knowing that there’s a huge potential audience for something customizable, unique and useful (so much easier said than done). But given the need for speed, is security getting the attention it should?

In an interview with BankInfoSecurity, Joe Rogalski, information security officer at New York-based First Niagara Bank, warns of the perils of this trade-off. He stresses that every product offering related to mobile banking—be it remote check deposit or just bill pay—needs to be evaluated from a fraud perspective before it goes to market.

But we all know that in the real world, getting there first can be more important than being the best. Is the threat of a serious data breach somewhere down the road worth losing critical market share now?

Just to be clear, even the PCI Security Standards Council is continually playing catch-up with regards to protocols and best practices—the whole field is still too new, and in perpetual motion, to set comprehensive standards. For their part, the bad guys have no trouble finding weaknesses and loopholes. For example, we’re only just starting to learn about a new breed of attack that fools consumers out of their SIM cards. (This mode should concern telecoms as much as FIs.) This is particularly troubling because SIM cards are the favored tool for securing mobile payments at many mobile payment schemes around the world, ironically because it gives the telecom provider more control.

The problem is that too much of this discussion remains in the theoretical realm, and belongs in the real world. So let’s take it as an article of faith that consumer adoption will continue to grow, that FIs will continue to push products out to market that makes diverse banking processes easier, and that criminal elements will use any tactic they can to steal access, steal data and steal money. Because they will.

Moving forward, we need ironclad guidelines, rock-solid processes and innovative technologies to (try and) stay one step ahead of the downside. Mobile banking is natural, beneficial and inevitable. It’s up to us to minimize the threats that emanate from it.