Layered Security for Mobile Banking
American Banker published a great article last week covering some of JPMorgan’s security strategies for mobile banking. Lloyd O’Conner explained the importance of layering multiple security technologies to protect their clients — as well as their own company — from the growing cyberthreats that not only target the online channel but are zeroing in on the mobile channel as well.
O’Conner discusses some critical layers, including:
- Authenticating the user to the device: advanced measures (including biometrics) beyond simple PIN protection.
- Authenticating the mobile device to the banking application: leveraging device certificates and device registration.
- Authenticating the user to the application and encrypting the communication channel.
While I agree 100 percent with JPMorgan — after all, they are demonstrating clear innovation and leadership in mobile banking here — I think there is another layer that needs to be called out as well.
While varied identity authentication layers are critical, some forms of advanced fraud attack (e.g., man-in-the-browser, or MITB) have proven to defeat a broad range of authentication approaches. The reason is that MITB malware sits inside the user’s own browser or app and tampers with transactions after the user has successfully authenticated, so every layer that verifies who the user is, or which device they are on, has already been satisfied by the time the fraud takes place. Adding real-time fraud detection that flags behavioral anomalies (a payee the user has never paid, an amount far outside the user’s history, a transfer submitted seconds after login) is therefore a critical additional layer for detecting MITB, and, fortunately, it is completely transparent to the mobile user.
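As an added example (not code from the original post, the American Banker article, or JPMorgan), here is a minimal real-time transaction risk scorer in Python that flags the behavioral anomalies a MITB-style attack typically produces. The user profile, transactions, signal weights and thresholds are all constructed assumptions for illustration; a production system would learn the baseline from real history and tune the weights, but the structure is the same: compare each transaction to the user’s own behavior rather than to a single global rule.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Transaction:
    user: str
    payee: str
    amount: float
    seconds_since_login: int
    device_id: str


@dataclass
class UserProfile:
    # Baseline learned from a user's past approved activity (constructed here).
    known_payees: set
    past_amounts: list
    registered_devices: set


def score_transaction(tx: Transaction, profile: UserProfile) -> dict:
    """Score one transaction against the user's own baseline.

    Returns {"score": 0-100, "reasons": [...]}. Weights and thresholds are
    hypothetical; the point is comparing the transaction to this user's
    history, not to a global rule.
    """
    score, reasons = 0, []

    # MITB fraud redirects funds to a mule account the victim has never paid.
    if tx.payee not in profile.known_payees:
        score += 40
        reasons.append("new_payee")

    # Amount far outside the user's history (z-score, with a fallback when
    # the history has no spread at all).
    if profile.past_amounts:
        mu, sigma = mean(profile.past_amounts), pstdev(profile.past_amounts)
        if sigma > 0 and (tx.amount - mu) / sigma > 3:
            score += 30
            reasons.append("amount_zscore_gt_3")
        elif sigma == 0 and tx.amount > 5 * mu:
            score += 30
            reasons.append("amount_gt_5x_mean")

    # Malware fires the transfer almost as soon as the victim's login completes.
    if tx.seconds_since_login < 15:
        score += 20
        reasons.append("fast_after_login")

    # Unregistered device: the device-registration layer already covers this,
    # but it adds evidence when present. Note that it does NOT fire for MITB,
    # which runs on the victim's own registered device.
    if tx.device_id not in profile.registered_devices:
        score += 25
        reasons.append("unregistered_device")

    return {"score": min(score, 100), "reasons": reasons}


def decide(score: int) -> str:
    """Map a score to an action. 'allow' is invisible to the user, 'step_up'
    triggers out-of-band confirmation, 'block' holds the transfer."""
    if score >= 70:
        return "block"
    if score >= 40:
        return "step_up"
    return "allow"


def run_sample() -> dict:
    """Constructed transactions for one user; returns name -> decision."""
    profile = UserProfile(
        known_payees={"utility-co", "landlord"},
        past_amounts=[120.0, 95.0, 110.0, 130.0, 100.0],
        registered_devices={"phone-A1"},
    )
    samples = {
        # Routine bill payment from the registered phone.
        "legit_bill_payment": Transaction("alice", "utility-co", 105.0, 180, "phone-A1"),
        # MITB-style: same registered device and authenticated session, but a
        # never-seen payee, a huge amount, and submitted seconds after login.
        "mitb_transfer": Transaction("alice", "acct-9931-mule", 4800.0, 6, "phone-A1"),
        # First payment to a new friend: plausible, so challenge rather than block.
        "new_payee_normal_amount": Transaction("alice", "bob", 90.0, 240, "phone-A1"),
    }
    return {name: decide(score_transaction(tx, profile)["score"]) for name, tx in samples.items()}


if __name__ == "__main__":
    for name, action in run_sample().items():
        print(f"{name}: {action}")
```

Note what the MITB sample shows: the device check passes and the session was legitimately authenticated, so the first three layers are satisfied; only the transactional signals (new payee, amount outlier, velocity) catch it. The step-up action should confirm the transaction details over a channel the malware does not control, since a compromised browser or app cannot be trusted to display what it is really submitting.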
By deploying a layered security framework, financial institutions (FIs) can help defeat advanced MITB malware attacks. This approach not only strengthens fraud prevention, but, because the detection layer is invisible in the normal case, also helps enhance the end-user experience.