As people turn to mobile phones and tablets as their preferred way to access the Internet, eBankers are seizing the opportunity to significantly enhance the security of their online banking and e-commerce, enable peer-to-peer mobile money and develop a new mBanking channel.
According to the International Telecommunications Union (ITU), there are 5.3 billion mobile phone subscribers (that’s 77% of the world population). At the end of 2010, there were one billion high-speed mobile Internet subscriptions, up sharply from 600 million a year earlier. The ITU projects that mobile devices will overtake PCs as the most popular way to access the Web and even today, comScore research shows that in the United States and Western Europe, 90% of mobile subscribers have an Internet-ready phone.
Forrester Research estimates that 12% of American adults used some form of mobile banking last year. They forecast that will grow to 50% by 2015. Given those trends, eBankers around the world are already finding ways to use mobile phones for mBanking.
What is mobile banking? IDC Financial Insights analyst Trevor LaFleche defines mBanking as any use of a wireless device connected to the Internet to conduct banking transactions, either using a regular mobile browser, a dedicated phone application or even text messaging to check balances or receive transaction notifications.
For this post, let’s talk more about securing banking apps with the mobile phone. First, using the mobile phone as a one-time password (OTP) generator is a strong contender for increasing online banking security whether the end user is using the browser on the phone or their PC, or using an mBanking application on the phone.
Mobile OTP adds “something you have” security to the login and transaction signing. It can also provide challenge/response security for standard transactions and “Sign What You See” (SWYS) dynamic verification for high-risk transactions.
Mobile OTP provides more security than SMS/text messaging of one-time passwords. We have already seen evidence of hacker toolkits targeting text messaging with the new ZeuS mobile Trojan. There is a solution that prevents this type of “man-in-the-mobile” attack. For an example, download Try Ezio for iPhone on Apple’s App Store and request an ID by emailing firstname.lastname@example.org.
In fact, this type of solution requiring the “out-of-band” authentication or verification of certain high value and/or anomalous transactions is one of the recommended controls in the new online banking security guidelines from the U.S. Federal Financial Institutions Examination Council (FFIEC), announced in June 2011.
The highest level of security for mBanking is the SIM for mBanking authentication. In Sweden, Swedbank worked with mobile network operators TeliaSonera and Telenor, along with Valimo to become the first bank to launch Mobile BankID, a PKI certificate application available in the SIM card. The reason this is so secure is each bank connection is unique and the SIM card can work with the network to prevent man-in-the-mobile attacks.
As eBankers develop the mBanking ecosystem, it is essential they remember the security lessons learned in recent years from online banking. The mobile channel carries the same opportunities and risks.
At the same time, eBankers have the opportunity to deploy a completely new architecture for mBanking, one that delivers even higher levels of security than are currently available in most online banking implementations. The reason is mBanking includes the mobile device itself, which can serve as “something you have.” That is mobile banking’s big advantage. Using it to secure logins and transactions will make mobile banking more secure than most online banking implementations are today.