This is a somewhat perplexing message to receive after logging in to online banking. It seems almost phish-like (especially with that old-school corded phone in the picture):

A recent review of your account indicated that we are missing your date of birth. We use this information to help verify your identity. Please call us at the 1.800 Customer Service number on the back of your credit card so we can update your file.

I guess I can understand the bank wanting my birth date, but it brings to mind several questions:

1. Why are they asking me now? I've three accounts there, with one dating back to the 1980s. Is something wrong? Has my account been accessed by someone else? Then my more cynical side thinks, did this request come from the marketing dept. or the security folk?  Bottom line: the bank should provide a more detailed explanation via a "more info" link.
2. I have to CALL, really? Why can't I do this online? Will I have to endure a cross-selling session when I make the call? Will I have to go through the entire phone tree to get to an operator? The least the bank could do is provide a direct line for the task.

The whole thing seems like a ridiculous waste of time. A five or ten-minute journey through call center menus in order to provide six numbers to a live operator. Plus, won't this extra call-in requirement drastically reduce user response? 

Bank of America interstitial after logging in to online banking (14 Oct 2009, 5 PM Pacific)

Pennsylvania State Employees Credit Union is the latest big-name client for Trusteer's anti-malware Rapport browser plug-in. The CU's 350,000 members, or anyone else for that matter, can now download the free program via a link on the PSECU security page.

Current clients of Trusteer:

• ING Direct (USA and Canada)
• RBS (RBS, NatWest, Ulster)
• Pennsylvania State Employees Credit Union
• Central Bank (Kentucky) was announced Feb. 23, but the program is nowhere to be seen on its website today
• (Updated 10 June): Zions Bank, which is the only client featuring the program on its home page (screenshot here)

For more information and analysis, see previous posts on Trusteer and our Online Banking Report on New Security Techniques.

Trusteer homepage showcases ING Direct and PSECU (8 June 2009)

PSECU "security software" page (link, 8 June 2009)

Last May, Trusteer launched an optional added security measure for customers of ING Direct in the United States (note 1, see previous post). Although, it's not perfect, users of the Rapport service are less vulnerable to viruses and malware running on the their PCs. We gave the new service an OBR Best of the Web award last fall in our Online Banking Report on Security Innovations.

Although, ING Direct is a great reference account, being endorsed by Royal Bank of Scotland, really puts Trusteer on the map. The security solution is offered for download at both Royal Bank's RBS and NatWest sites (see screenshots below). Anyone visiting the banking sites can download the software, you don't have to be an RBS/NatWest customer. 

Trusteer also lists Huntington Bank as a customer but there is no mention of Rapport on the bank site yet. Other providers include Authentium's SafeCentral (note 2) and Check Point's ZoneAlarm (note 3). 

Bottom line: Security is an issue for many bank customers, now more so than ever. Extra security options deserve consideration to improve customer satisfaction/trust and help reduce fraud losses. 

Rapport download page at NatWest (link, 23 March 2009)

Rapport download page at RBS (link, 23 March 2009)

Notes:
1. Later ING Direct Canada and ING Direct's Sharebuilder added Rapport support.
2. Authentium demo'd SafeCentral at FinovateStartup 2008 (video here). A new version of SafeCentral is in the works. 
3. Check Point demo'd ZoneAlarm at Finovate 2008 (video here).

Last week, the Puget Sound Business Journal reported on a Pacific Northwest stealth startup that's receiving a lot of attention from Silicon Valley, at least measured in dollars. The $10 million round for Finsphere is an impressive endorsement, especially given the apparent involvement of prominent VC Mohr Davidow.

There's not a lot we know about the company other than the founders are out of the wireless industry, and the company's services are described as "location-based transaction verification services." That sounds like using the GPS-based or triangulated location of mobile phone users to authenticate card transactions and/or online banking logins. Armed with the GPS reading, card companies would know that you (or at least your mobile phone) are where your credit card activity says you are, e.g., buying a tank of gas in Washington D.C.

With GPS capabilities coming to the iPhone next month, this could be a very large market indeed. If we are right about the product, we'll try to convince the company to demo at one of our Finovate conferences. 

Last week, we received a tremendous comment/question from one of our readers, an officer in the risk-management department at a very large U.S. financial institution. His question, “I may have overlooked it, but did not see too much discussion around mobile banking fraud threats, such as mobile malware and smishing. Are these threats real? If so, what controls are financial institutions putting in place to mitigate these risks? Are there other mobile banking risks on the horizon?” 

That's a great question. Yes, threats of malware are real, and I expect to see the number of attacks grow exponentially greater over the next 18 months. However, so far only a handful of attacks have been recorded. See Wikipedia for a listing of mobile viruses.

The next question, “What controls are financial institutions putting in place?” The majority of financial institutions with mobile banking are using a vendor product; therefore, they are relying on the tools built in to the solution. In my previous entry on the subject (see Mobile Banking), I explained that after reviewing solutions from numerous vendors I believed they all had done a top-notch job making information security the number one priority. So, unless you are going to follow Bank of America and Wells Fargo down the path of an in-house WAP solution, you should find that the vendor has already addressed the issue on your behalf (see note 1).

That said, there is one HUGE security risk not receiving the attention it deserves and that is – THE CUSTOMER. As with online banking, the most critical element in reducing fraud is to simply educate the customer. Education can take a number of forms, including awareness campaigns, security checklists, recommended settings, and providing examples of how other clients have been deceived.

One good resource is the Microsoft page:  

Also, there are a number of companies already providing mobile antivirus security software including (note 2):

Bullgard
MyMobiSafe
Symantec
UMU
AirScanner
Kaspersky
F-Secure
Trend Micro

And as my Apple friends already know, the iPhone utilizes the OS X platform. While there is no guarantee, the accepted belief is that viruses are not an issue for Apple and that security software is not needed (note 1).

I hope this provides a better understanding of the mobile security environment. I encourage others to comment or send questions.

Notes:
(1) This is an opinion and not an implied guarantee of security or performance.
(2) This is in no way an endorsement of the product(s) or guarantee of performance. These were the top search results for the keywords “mobile antivirus security.”