According to a recent Deloitte study, “Mobile Financial Services: Raising the Bar on Customer Engagement,” 61 percent of respondents cited security as the main reason they did not conduct banking with mobile devices. All of the respondents owned a smart device and it is unclear if these same respondents also use a desktop device for banking.
In a previous blog post, “Playing in the Digital Sandbox: Mobile versus Desktop Security,” we compared desktop and mobile security.
Deloitte’s survey determined that the factor most influencing this security concern is the lack of Wi-Fi and mobile network security (36 percent of respondents). Moreover, 80 percent of respondents agreed that creating a “more secure Wi-Fi and mobile network” is an appealing security mitigation. It is unclear, however, what Deloitte was implying with the term ‘mobile network’ as mobile devices, desktops and other computing systems do not generally distinguish a specific “mobile network.”
Properly Weighing Responses from the Non-Technical Audience
When presented with an arbitrary list of technical security concerns, a group of non-security professionals is going to grasp at straws. The question may be leading the respondent toward specific technologies. The results should be read as saying less about “mitigating mobility security concerns” and more about “what would make the mobile experience more appealing?”
This is acceptable from the standpoint of the survey’s purpose, but there is minimal value in the answers with respect to prescribing real security.
Mobile vs. Web Banking — The Path of Least Resistance
Let’s assume that all of the ‘appealing’ mobile security mitigations in Deloitte’s list are implemented at a given bank and that this drives mobile-banking adoption. Let’s also assume that the same bank has a Web-based banking interface with single-factor authentication — most likely username and password.
As an attacker, the path of least resistance is the weak authentication of the Web interface. The bank has increased mobile adoption, but may not have lowered risk. If we are talking about real security, we need to address all aspects of banking transactions — whether they are done from desktop or mobile devices.
First, it is simply unacceptable for banks to offer weak authentication for either desktop or mobile devices. A username and password is a very weak form of authentication. We have also seen successful banking attacks against customers using SMS as a second factor of authentication. Strong forms of authentication that leverage smart devices exist, so let’s use them.
Second, account insurance and fraud guarantees are important, but should not be considered security. That’s very much like saying a homeowner doesn’t need locks on their door because they should just take inventory of their belongings every day.
Last, malicious attacks are successful when they are allowed to happen silently. As a retail-banking customer, I was glad to see that my bank enabled me to receive SMS messages when specific banking transactions occur.
Presumably, if I receive an SMS message about a transaction I do not recognize, I have time to notify my bank. It was easy to set up and manage, but both the bank and I know that this is not strong security. The bank gave notice that the SMS messages were for informational purposes only, and that there was no guarantee that I would receive the SMS message (e.g., if I were under attack).
This transaction notification idea is very good if only it could have a stronger channel of communication than SMS. Is it possible that this transaction notification could be done in a secure channel, leveraging mobile devices, while at the same time being appealing and easy to use? Yes, that technology exists today.
Does Location-Based Security Reduce Risk?
Let’s compare transaction notification to the location-based security mitigation in Deloitte’s list. When a customer is in a specific location and their mobile device coordinates match the location, this is a positive attribute indicating lower risk.
The problem is that your location is not a secret. An attacker can spoof their own location to match their victim’s. Even though location is a reasonable attribute to measure risk, and could be used as a layer of security, it is an incomplete security solution in itself.
The average retail-banking customer should not be forced to choose from half-measures toward security. Even though a security mitigation may appeal to retail-banking customers, it alone may not equate to real security.
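As an added illustration that is not part of the original post, the constructed risk check below shows why a location match is only one layer: an attacker who knows the victim's coordinates passes the location-only check, while the same request fails once the bank also requires a signature produced with a key provisioned to the customer's enrolled device. The device key, home coordinates, radius and freshness window are constructed assumptions, not values from the post.

```python
import hashlib
import hmac
import math
import time

# Constructed sample values: the key provisioned to the legitimate device
# and the coordinates the bank has on file for the customer.
DEVICE_KEY = b"constructed-device-secret-key"
HOME = (40.7128, -74.0060)
RADIUS_KM = 5.0
FRESHNESS_SECONDS = 300

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def location_matches(claimed):
    return distance_km(claimed, HOME) <= RADIUS_KM

def sign_transaction(key, txn_id, amount_cents, claimed, ts):
    """HMAC over the transaction and the claimed location, computed on the device."""
    lat, lon = claimed
    msg = f"{txn_id}|{amount_cents}|{lat:.4f}|{lon:.4f}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def location_only_risk(claimed):
    """The weak check: location is not a secret, so a spoofed match scores 'low'."""
    return "low" if location_matches(claimed) else "high"

def layered_risk(claimed, txn_id, amount_cents, ts, signature, now=None):
    """Location is consulted only after a fresh, device-bound signature verifies."""
    now = time.time() if now is None else now
    expected = sign_transaction(DEVICE_KEY, txn_id, amount_cents, claimed, ts)
    if not hmac.compare_digest(expected, signature):
        return "high"          # not produced by the enrolled device
    if abs(now - ts) > FRESHNESS_SECONDS:
        return "high"          # stale or replayed assertion
    return "low" if location_matches(claimed) else "medium"
```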
Protect Customer Profiles
My risk profile is very different from that of a bank. A bank can balance fraud risk and security expenditure to a point, whereas I am not tolerant of any risk. I simply cannot afford to lose money to an attacker, regardless of assurances that I might get that money back. Even though financial institutions will likely always measure out risk this way, they can still make good decisions about what kinds of security they offer their customers.
We should be considering banking attacks from a threat-centric viewpoint and without limiting or categorizing ourselves into relying on a single technology. The attackers will continue to seek easy targets and will always regard technology systems holistically. The goal of banks and security vendors should be to actually make identities and transactions harder to attack — but with security that also appeals to the customer experience.
This will be a win-win for banks and their customers alike.