Mobile Banking Security and Antivirus Protection (NetBanker)

Last week, we received a tremendous comment/question from one of our readers, an officer in the risk-management department at a very large U.S. financial institution. His question, “I may have overlooked it, but did not see too much discussion around mobile banking fraud threats, such as mobile malware and smishing. Are these threats real? If so, what controls are financial institutions putting in place to mitigate these risks? Are there other mobile banking risks on the horizon?”

That's a great question. Yes, threats of malware are real, and I expect to see the number of attacks grow exponentially greater over the next 18 months. However, so far only a handful of attacks have been recorded. See Wikipedia for a listing of mobile viruses.

The next question, “What controls are financial institutions putting in place?” The majority of financial institutions with mobile banking are using a vendor product; therefore, they are relying on the tools built in to the solution. In my previous entry on the subject (see Mobile Banking), I explained that after reviewing solutions from numerous vendors I believed they all had done a top-notch job making information security the number one priority. So, unless you are going to follow Bank of America and Wells Fargo down the path of an in-house WAP solution, you should find that the vendor has already addressed the issue on your behalf (see note 1).

That said, there is one HUGE security risk not receiving the attention it deserves and that is – THE CUSTOMER. As with online banking, the most critical element in reducing fraud is to simply educate the customer. Education can take a number of forms, including awareness campaigns, security checklists, recommended settings, and providing examples of how other clients have been deceived.

One good resource is the Microsoft page:

“Help avoid computer viruses that spread over mobile devices”

Also, there are a number of companies already providing mobile antivirus security software including (note 2):

Bullgard
MyMobiSafe
Symantec
UMU
AirScanner
Kaspersky
F-Secure
Trend Micro

And as my Apple friends already know, the iPhone utilizes the OS X platform. While there is no guarantee, the accepted belief is that viruses are not an issue for Apple and that security software is not needed (note 1).

I hope this provides a better understanding of the mobile security environment. I encourage others to comment or send questions.

Brandon McGee is vice president and senior product manager at The Huntington National Bank. He is not only the real deal, a genuine industry insider, but also knows exactly what's on the minds of financial service pros as they contemplate the various mobile options. For more great content, check out his blog, Mobile Banking.

Notes:
(1) This is an opinion and not an implied guarantee of security or performance.
(2) This is in no way an endorsement of the product(s) or guarantee of performance. These were the top search results for the keywords “mobile antivirus security.”

1 Comments

By Anonymous on September 7, 2007 8:30 AM

While always wise to vet any application vendor's security capabilities, it should be noted that mobile security really should be addressed at multiple levels. These should include network, device, application and policy.

The first two are in the domain of the wireless network operator. As such, it would seem prudent to work directly with the carriers or a provider that the carriers specifically endorse to ensure your offering is taking full advantage of the network and device strong points they are already building in.

Application security would ideally be addressed by both the app developer and with network operator (through policies, certification processes and development support).

Policy considerations can help to eliminate potential vunerabilities by ensuring that the minimum amount of sensitive information ever even shows up on the application. An example would be restricting bank account names to proxies or nicknames as opposed to actually displaying a full, live account number.

Just my two cents...

Events

FinovateSpring 2010 -- Dozens of handpicked fintech companies demoing their newest innovations in the entrepreneurial hotbed of San Francisco. 7 minutes each on stage to demo. No slides. A single value-packed day on 5/11/2010. Get your early-bird ticket today!

FinovateFall 2010 -- Dozens of handpicked fintech companies showcasing their latest & greatest in the financial capital of the world -- NYC. 7 minutes each on stage to demo. No slides. A single value-packed day on 10/05/2010. Get your early-bird ticket today!

Research

NEW! Making the Case for Person-to-Person Payments: Does mobility provide the tipping point for bank-branded P2P? - Find out more

NEW! Attracting Small Businesses with Online & Mobile Banking: Underserved segment is prime candidate for alt-delivery - Find out more

2010 Guide to Online & Mobile Banking Products, Pricing & Strategy: Your roadmap for business planning - Find out more

Improving Online Account Opening ROI: Ten strategies to increase online application conversion rates - Find out more

Connecting to Customers with Twitter: The comprehensive guide to Twitter for financial institutions - Find out more

Selling behind the Password: Leveraging the marketing potential within online banking - Find out more

New Techniques in Secure Online Finance: Sandboxing, keyboard encryption, and real-time mobile integration could lock in more online customers- Find out more