SAN FRANCISCO - A new Javelin Strategy & Research report finds that traditional authentication methods used for online banking do not work for mobile banking and new approaches are needed that exploit mobile phone security features.
The report, "Online and Mobile Device Identification: Is Your Online Authentication Security Strategy Ready to Go Mobile?", suggests that attacks in general, and specifically on nationwide financial institutions, are on the rise, leaving consumers vulnerable. It is up to those financial institutions and their vendors to integrate strong security into the very foundations of their offerings.
"Banks and credit unions are currently challenged with how to authenticate a customer accessing a bank through a mobile phone," said Mary Monahan, Research Director. "While mobile malware is still rare, as more and more consumers adopt mobile banking, there is an increasing need for workable security solutions that transcend both the online and mobile channels."
Many consumers are wary about how secure mobile banking is, and yet some bypass data charges and access online banking via WiFi on their smart phones, which makes them susceptible to man-in-the-middle attacks and malware. Some consumers also delete cookies from their mobile phones, making this method of authentication unreliable. Because of these factors and others, and because criminals can often spoof authentication or seize control of banking sessions, layered security is needed for authentication.
Among the other findings:
• As of August 2010, 65% of national banks (a huge uptick) were targeted by online attacks, while the number of attacks on regional banks or credit unions decreased.
• Smart phone owners, the most likely mobile bankers, make up one-third of mobile phone users; this number will double by 2015 and mobile banking will also increase.
• Geolocation can provide information about users, but security concerns about opt-ins to tracking need to be addressed.
• The more information a financial institution collects about an account holder, the more accurate its risk assessment will be.
"Although criminals may be able to guess traditional authentication like passwords and security challenges and spoof other identifying factors, they may not be able to spoof the hardware itself," said Robert Vamosi, Risk and Fraud Analyst. "The key to identifying that the user on a mobile device is who he or she says they are may ultimately lie in chip-level authentication."