December 19, 2011
Editor’s Note: This is Web-only bonus coverage from “Marketing Mobile” in the January 2012 issue of Credit Union Management.
Two gift-giving metaphors may serve to illustrate the range of ways people think about the security of mobile access:
- You give your dad the latest smartphone and assure him he will love how easy, useful and fun it is. He smiles bravely and, after the holiday gathering, tucks it away safely. He barely uses the flip phone he’s had for five years and doesn’t trust the whole idea of accessing the Internet from a device that can fit in his hand.
- You give your niece a new bike, which she loves so much that she climbs aboard and barrels wobbly out into a busy street, oblivious of her safety.
In a consumer survey conducted by ThreatMetrix in conjunction with The Ponemon Institute, 29 percent of respondents had tried mobile banking, half of them drawn by the convenience of this new channel. The majority of those who hadn’t accessed their accounts from a mobile device cite concerns about security and privacy. Only one in five respondents said they would feel safe from fraud while using mobile banking.
Alisdair Faulkner, chief products officer for ThreatMetrix, San Jose, Calif., says the split over embracing/avoiding mobile banking is largely along generational lines, with older users wary of the threat of identity theft and younger users eager to venture wherever mobile access can take them.
Concerns about security are warranted, Faulkner says, calling some app stores “among the greatest distribution platforms for malware ever invented.” It is difficult to police applications for mobile phones and relatively easy for fraudsters to sneak in their code aimed at pilfering personal financial data, he warns.
Many people who have embraced mobile access for all kinds of uses, including managing their financial accounts, assume their phones are “more locked down” than they really are, Faulkner suggests. Many people don’t have virus protection for their phones, perhaps on the assumption that because their phone is “personal” and for their use only (as opposed to shared household computers), there is less cause for concern.
As a result, credit unions face the dual challenge of needing to respond to the demands of some members for mobile access—what Faulkner calls the “consumerization of enterprise”—and of carefully vetting the security of the third-party platforms or customized solutions available within their means.
Taking a wait-and-see approach to mobile access may not be an option as members decide to use their smartphones to access your online branch with or without an app or dedicated website. Credit unions may be confident about the security of their online branch, but mobile access presents a new threat. Simply put, “it’s harder to know you are who you say you are when you sign in from your phone,” Faulkner says.
In response to those concerns and recent electronic invasions of some online financial services, the Federal Financial Institutions Examination Council has implemented new security guidelines calling for enhanced multifactor authentication. Complying with those guidelines will require credit unions to interact with members to gain additional information to set up challenge questions and new layers of security. Those interactions offer the added advantage of demonstrating how secure the mobile channel is—as Faulkner puts it, “another opportunity to build trust” with members who are simultaneously curious and cautious about mobile services.
Proof in Adoption Rates
Some recent reports about consumers’ fear around the security of mobile access have been “overblown,” contends Carlo Cardilli, SVP/sales and business development at mFoundry, Larkspur, Calif. “The emphasis is misplaced—consumers are adopting mobile banking in droves. The real question is: Are the vendors and the institutions doing enough to safeguard the security of the consumers?”
For example, mFoundry performs stringent vetting on new employees, is moving from the antiquated SAS-70 certification to the Service Organization Control standard (a more stringent audit for security standards) and employs multiple firms to do specialized penetration and ethical hacking on its service.
“But we don’t see other vendors taking the same precautions, nor the institutions requiring these standards in their due diligence,” he says. “I know of a competing vendor that runs its production environments using Amazon EC2s with their developers in the Ukraine. If I ran a credit union there’d be no way I’d trust that those developers’ machines were properly secured unless I checked them myself.”
Of the three forms of mobile banking access, apps provide the safest route with device-level security that allows providers to track usage individually and quickly shut down access from lost or stolen phones, Cardilli explains. But for members with security concerns, he suggests they start with SMS, which lowers the potential fraud threshold by providing access only to checking account balances or transferring funds within credit union accounts. Alert options can help members monitor transactions and account balances as further protection against unauthorized access.
In focus groups that $380 million/26,000-member Verity Credit Union, Seattle, conducted before launching mobile banking, “the ‘gadget guys’ had no concerns about security,” says SVP/Chief Marketing Officer Shari Storm, a CUES member. “They said, ‘We trust that you’ll figure it out.’ But security was a very big issue for the group of older, affluent members.”
Securing the mobile banking channel involves a trade-off: very secure passwords make access harder, while less secure passwords make access easier. “We’ve gone with the former, but I’ve read on a lot of consumer blogs that many people would like it to be easier,” Storm notes.
Verity CU also offers members a guide to safe surfing via their smartphones on its Mobile Basics website.
Member education is crucial in responding to security concerns, which remain the primary obstacle for more widespread adoption of mobile banking, says Brian Day, product development architect with CUES Supplier member The Members Group, Des Moines, Iowa.
“People need to be informed that mobile access has the same level of security as online banking, with some additional safeguards on top of that,” Day says. “And you can pass on to members additional recommendations about how they can secure their cell phones.”
The first step, though, is ensuring the security of your credit union’s mobile banking service. For credit unions looking for guidance in evaluating the security of mobile banking platforms, Faulkner suggests enlisting third-party analysts and/or networking with peers. “We always say, ‘Compete on customers; collaborate on fraud,’” he adds.
Karen Bankston is a long-time contributor to Credit Union Management and writes about credit unions, membership growth, marketing, operations and technology. She is the proprietor of Precision Prose, based in Stoughton, Wis.






