Mobile Banking Proliferation and Application Security

Financial Services|Risk Advisory/Internal Audit

By Chris Debo

According to a new report from Forrester Research, 46% of all U.S. bank account holders will be using mobile banking by 2017.  If the report holds true, mobile banking adoption will more than triple in the next four years.  Mobile banking is also quickly surpassing online banking as the preferred mechanism for accessing and processing account information electronically.  In fact, the second largest bank in the United States announced in October that its customers are logging into the bank's mobile platform more than its online platform.  And while most users are currently only using mobile banking to check balances (45%) and transaction histories (61%), many are also using it to perform transactions such as transfers between accounts (35%).  The rate of transactional activity via mobile banking is sure to increase as consumer adoption of mobile banking grows.  First Niagara Bank – which just introduced mobile banking in January 2013 – is a perfect example:  More than 25% of the bank’s online banking customers registered for the mobile banking service within six months of the service’s launch.

As the demand for mobile banking solutions continues to grow, so do the challenges of meeting consumer expectations.  A key challenge is gaining consumer trust and confidence in the security of services.  In a 2012 Federal Reserve study, 32% of respondents rated mobile banking as somewhat/very unsafe, while 34% were not sure.  Consumer doubt about mobile banking security should not come as a surprise: Bank accounts represent the Holy Grail for hackers looking to capitalize on vulnerabilities.  Once an account is compromised, the capability to move funds is often immediate and can be difficult if not impossible to remediate.

Currently, mobile malware such as ZitMo (Zeus-in-the-Mobile), which users install unknowingly, represents one of the biggest threats.  Trojans of this kind run hidden in the background and capture customer account information (including access credentials) by logging keystrokes or, in ZitMo's case, by intercepting the SMS one-time codes a bank sends to authorize a login or transaction.  Trusteer, a major U.S. internet security provider, estimates that more than one in 20 Android phones and iPads/iPhones could be infected by mobile malware.  Additionally, the amount of malware targeted at mobile devices rose by 155% in 2012, according to a recent Juniper study.  The people targeting mobile devices are also increasingly sophisticated; attacks such as these are expensive to carry out and are therefore usually performed by well-funded criminals.

Unfortunately, aside from education and awareness, banks can do little to prevent end-users of mobile banking from exposing their devices to malicious software.  Customer education can be effective, but there are other steps that banks can (and should) take to ensure that their mobile banking applications are developed and operated in a secure manner:

  • Utilize a secure software development lifecycle (SDLC) for application development, with security requirements, code review and testing built into each phase
  • Ensure that appropriate change management controls are in place, including segregation of duties
  • Enforce minimum password standards including length and complexity
  • Capture and record all relevant session activity for audit trail purposes
  • Limit application functionality to only those transactions and interfaces that can be effectively secured
  • Follow the guidance suggested by the Federal Deposit Insurance Corp. (FDIC FIL-103-2005) regarding authentication
  • Enforce session expiration after a period of inactivity and upon device lock, and invalidate the session on the server rather than only in the app
  • Assess the security around your mobile application servers, including logical and physical access
  • Ensure that mobile applications don’t store sensitive customer data (credentials, account numbers, check images) locally on the device
  • Obtain third-party professional assessments of application security
  • Ensure that SMS is not used as a channel for money movement and other high-risk transactions
  • Implement a third-party vendor security program (if applicable)
  • Encrypt all client-server traffic with SSL/TLS, validate the server certificate within the app (pin it where possible) and use client certificates where mutual authentication is required
  • Use two-factor authentication, and do not treat an SMS code delivered to the same phone that runs the banking app as an independent second factor; ZitMo exists precisely to forward those codes
  • Send account access and transaction confirmation messages via SMS (as notifications to the customer, not as authorization of the transaction)
  • Employ server-side monitoring of customer behavior for abnormal session and transaction activity
  • Generate session identifiers on the server and never accept one supplied by the client in a request, which prevents session fixation
  • Automate the push of software updates to devices (where possible)
  • If mobile check deposit is available, do not permanently store the check image on the mobile phone, and limit the dollar amount and number of checks a customer can deposit during a given day and week
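The session-expiration, server-generated session ID and deposit-limit items above are easy to state and easy to get wrong in practice, so here is a small server-side model of them. This is an added example written for this article; it is not Schneider Downs code or any bank's implementation, and the timeouts, dollar limits, customer name and class names (SessionStore, DepositLedger, MobileBankingService) are assumptions chosen for illustration, not figures from the article or from regulation.

```python
"""Server-side session and deposit-limit controls for a mobile banking API.

Added example for this article, not Schneider Downs code or any bank's
implementation.  The timeouts and dollar limits below are assumed values
chosen for illustration, not figures taken from regulation or the article.
"""
import secrets
import time
from dataclasses import dataclass, field

IDLE_TIMEOUT = 5 * 60          # seconds idle before a session is dropped (assumed)
ABSOLUTE_TIMEOUT = 60 * 60     # hard cap on a session's lifetime (assumed)
DAY, WEEK = 86_400, 7 * 86_400
DEPOSIT_LIMITS = {             # window -> (max checks, max total dollars) (assumed)
    DAY: (5, 2_500.00),
    WEEK: (10, 5_000.00),
}


class SessionError(Exception):
    """Raised when a request carries no valid session."""


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Session IDs are minted here and nowhere else.

    A client may present an ID it was given, but a request can never choose
    or pre-register one, which is what closes session fixation.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions: dict[str, Session] = {}

    def create(self, user: str) -> str:
        sid = secrets.token_urlsafe(32)     # 256 bits from the OS CSPRNG
        now = self._clock()
        self._sessions[sid] = Session(user, now, now)
        return sid

    def resolve(self, sid: str) -> Session:
        """Validate an incoming ID, enforce both timeouts, refresh the idle timer."""
        s = self._sessions.get(sid)
        if s is None:
            raise SessionError("unknown session")
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            self.revoke(sid)                # expiry is enforced on the server
            raise SessionError("session expired")
        s.last_seen = now
        return s

    def revoke(self, sid: str) -> None:
        """Called on logout and whenever the device reports a lock event."""
        self._sessions.pop(sid, None)


@dataclass
class DepositLedger:
    """Accepted mobile check deposits for one customer as (timestamp, amount)."""
    deposits: list = field(default_factory=list)

    def violated_window(self, now: float, amount: float):
        """Return the window (DAY or WEEK) this deposit would overrun, or None."""
        for window, (max_count, max_total) in DEPOSIT_LIMITS.items():
            recent = [a for t, a in self.deposits if now - t < window]
            if len(recent) + 1 > max_count or sum(recent) + amount > max_total:
                return window
        return None


class MobileBankingService:
    """Request handlers: every call first resolves the session server-side."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self.sessions = SessionStore(clock)
        self._ledgers: dict[str, DepositLedger] = {}

    def deposit_check(self, sid: str, amount: float) -> str:
        user = self.sessions.resolve(sid).user     # raises on unknown/expired session
        if amount <= 0:
            return "denied: invalid amount"
        ledger = self._ledgers.setdefault(user, DepositLedger())
        window = ledger.violated_window(self._clock(), amount)
        if window is not None:
            return "denied: %s deposit limit" % ("daily" if window == DAY else "weekly")
        ledger.deposits.append((self._clock(), amount))
        return "accepted"


if __name__ == "__main__":
    svc = MobileBankingService()
    sid = svc.sessions.create("alice")            # "alice" is a constructed sample customer
    print(svc.deposit_check(sid, 1_000.00))       # accepted
    print(svc.deposit_check(sid, 2_000.00))       # denied: daily deposit limit
```

The two points worth carrying into a real implementation are that the client never gets to pick or extend its own session (the ID comes from `secrets`, and both the idle and absolute timers live on the server, so a device that stops reporting lock events cannot keep a session alive), and that deposit limits are evaluated over rolling windows on the server's own clock, so a customer cannot reset the daily count by changing the phone's date.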

This list is far from exhaustive, but it represents a good starting point for evaluating the strength of mobile banking application security.  If you are a financial institution with a mobile banking solution or a vendor of mobile banking products, it is recommended that you have a third party perform a periodic risk assessment of your mobile banking infrastructure and application.  This comprehensive review will assist in risk mitigation, and will also reassure your customers that their money and data are safe.

For more information on how properly managing mobile banking risk can benefit your organization’s bottom line, please contact Chris Debo of Schneider Downs by phone at 614-586-7108 or via e-mail at cdebo@schneiderdowns.com.

© 2013 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.


You’ve heard our thoughts… We’d like to hear yours

The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at contactSD@schneiderdowns.com.
