FITCHBURG, Mass. - Mobile banking is secure, for now, according to credit unions participating in a Credit Union Journal mobile banking security roundtable.
"Fraudsters could only inflict a limited amount of damage in mobile banking," explained Chris Saari, AVP-Internet banking at Workers' CU here. "Fraudsters want to break in, transfer money, and get out. There's no fast cash available to fraudsters, because our mobile banking doesn't allow inter-institution transfers. And you can pay a bill, but you can't set one up."
But that could change as CUs expand mobile banking capabilities, and if members become careless, suggested Mark Brewer, VP-IT at the Summit FCU in Rochester, N.Y.
"Members need to start thinking about their mobile device as a computer, not a phone," Brewer explained. "Members act smarter on their computer than their mobile device. Viruses and worms will be targeted to the mobile device, and some members think that if their mobile device is compromised, it's just the inconvenience of losing their contact list. But a mobile device contains confidential information that a fraudster could use to exploit the member."
Credit Union Journal Mobile Security Roundtable Participants
Mark Brewer, VP-IT
The Summit FCU, Rochester, N.Y., $650 million
Mobile banking launching in October: WAP, APP and SMS via Intuit Financial Services
Tom Kuang, director, information services
Schools Financial CU, Sacramento, Calif., $1.3 billion
Mobile banking for one year: WAP and APP developed in-house with Access Softek
Adoption: About 10% of Internet banking users
David Thibodeau, VP-IT and Chris Saari, AVP-Internet banking
Workers' CU, Fitchburg, Mass., $800 million
Mobile banking for two years: WAP, APP and SMS via Intuit Financial Services
Adoption: About 10% of Internet banking users
Andrew Jaquith, CTO
Perimeter E-Security, Milford, Conn., provider of information security services, including firewall management and monitoring and intrusion detection and prevention
Here's how the roundtable responded to questions about security, risk and member perception:
CU Journal: Why is mobile banking secure?
Saari: Before you log in to mobile banking, you have to register through online banking layers of security, which include challenge questions and a PIN. We also monitor e-mail address changes, which can be the first sign of potential fraud.
Brewer: Depending on how the credit union implements security, you have multi-factor authentication on the mobile device and verification of the user from the device phone number, as well as balance alerts that could prevent fraud.
Members are savvier than years ago, and credit unions are more cautious. FFIEC regulations are forcing credit unions to ask the security questions they should be asking.
Thibodeau: Member data held in our internal network are secured by Perimeter anti-virus, firewall, web content filtering and VPN. We try to educate staff and members to detect social engineering. We're not seeing a lot of fraud in mobile banking.
Kuang: We've implemented a very rigorous change-management process for e-services, so we know when changes are authorized on the server, as well as a rigorous patch-management process.
Perimeter-intrusion detection prevents attacks from a member's mobile device targeted to our mobile banking site.
Jaquith: Mobile can take advantage of code signing (to verify software publishers) and Trusted Boot (to verify system launch), which make malware a lot less likely.
CU Journal: What's the biggest risk in mobile banking?
Thibodeau: Bad applications. Members download applications onto their devices, and they have no idea where they came from. The apps know the member's location. There's a lot of unknown as to what's going to hit and when, but I could see fraudsters hiding viruses in music, for example.
Jaquith: We view the dominant issues as privacy-related and data leakage as opposed to malware infestations. But we're toying with the idea of piping the traffic off the phone and running it through cloud data filtering first to block malicious software or bad destinations.
CU Journal: How confident are members about mobile banking security, particularly in light of a Javelin Strategy and Research report saying that mobile banking usage on smartphones is stagnant, even as smartphone ownership has spiked?
Brewer: I don't think there's member fear about mobile banking security. The demand for mobile has greatly increased among our membership.
Kuang: The convenience factor outweighs security concerns from the member's perspective, especially since the member knows Schools Financial will guarantee against any fraud loss. We expect 25% of homebanking members will use mobile banking within the year.
CU Journal: What about securing your mobile workforce?
Brewer: The Summit executives don't want Blackberries any more. They're telling me "I want an iPhone. Other credit unions have them, and I blame you." I tell them they can't have one because I'm not comfortable with the degree of security and access management offered by iPhone. I could let Perimeter house my iPhone records and gain a level of security, but there's always the cost-benefit analysis to consider.
Jaquith: We help companies enforce their security policy and allow them to remotely wipe compromised devices, including iPhones. We give assurance that employee data aren't transferred to places they shouldn't be and that the device is being used the way it should be.