SAN JOSE, Calif. - Conditions are perfect for an avalanche of data theft this year as hundreds of credit unions deploy mobile banking services and hackers hit mobile devices for usernames and passwords.
"I believe we are at the tip of the iceberg of mobile security risks," said Victor Smilgys, AVP, eCommerce, at $1.3-billion Technology CU here. "There will be more and more cases of trojans, spyware and key loggers." Tech CU launched Web-based mobile banking in 2007 and last year was one of the first CUs to offer an iPhone mobile banking application.
More members may be vulnerable to malware as access to mobile banking expands. At least half of the CUs surveyed for Callahan and Associates' 2009 Technology Guide said that in 2010 they plan to launch at least one form of mobile banking: downloadable applications, Web-based or SMS.
Downloadable mobile banking applications are perhaps the greatest risk, mainly because they are ubiquitous and members may be duped by realistic "spoofs," said a number of CUs.
"Downloadable apps are becoming more popular and new apps are launched every day, which increases the attraction to fraudsters," explained Smilgys. "As we've seen with Web security, these fraudsters are very sophisticated and very good at tricking the consumer. In some cases, the applications are even guised as security safeguards."
About 50 fraudulent mobile banking applications that may have stolen users' banking information were discovered at the Google Android Market and removed by Google in December, but supposedly not before consumers had purchased some of the apps, developed by "09Droid." Google did not comment on the alleged spoof.
"The Google Android store doesn't appear to be closely monitored for rogue applications," said Matt Fagala, application support manager at $600-million Vantage CU of Bridgeton, Mo., the first financial institution to deploy mobile banking via the popular Twitter social network.
There's less chance that the "09Droid" applications would have made it to the Apple App Store because Apple requires an authentication process for new applications, Fagala continued.
Spoofed applications aside, member data stored on a mobile phone still may be vulnerable to an application built with weak security, he said. "Depending how the application is designed, if a phone is stolen, it's possible someone could gain access to sensitive information or transfer money."
CUs should tell members to be certain an application is legitimate and necessary before downloading it, suggested Jason Duplant, marketing director at $286-million Neches FCU. The Port Neches, Texas-based CU has offered Web-based mobile banking for three years.
"The downloadable applications are riskier than SMS or Web-based mobile banking technologies because there is a greater chance that you may not know what you're downloading," he said.
In contrast, OnPoint Community CU of Portland, Ore., believes SMS mobile banking is the least secure, according to Jim Armstrong, SVP-technology at the $2.8-billion CU. "SMS does not use encrypted messages. As a result, we do not allow transactions where a member's account information would ride across SMS. It's used simply for members to obtain balance inquiries." The CU offers all three mobile banking modes.
There's no one technology that's worse than another, said Cindy Gribben, CEO at $48-million Natco CU in Richmond, Ind. "All mobile banking technologies pose equal risk since the most common risks these days have more to do with social engineering than the technology itself." Natco has offered SMS mobile banking for nearly two years.