Financial institutions want customers to do more with mobile while minimizing the fraud exposure that comes with untrusted, high-risk devices. To grow the mobile channel, they need to deliver fast, convenient and frictionless high-value services as securely and fraud-resistant as possible. Building more trust is therefore priority one.
Banks strive to meet mobile users’ expectations and many customers try basic services via mobile that don’t require a high level of trust, such as checking balance and limited fund transfers. But long term, mobile banking customers want more than just basic services. Many are waiting for banks to step up and prove that offering high value banking services via mobile can be made trustworthy enough to earn their business as well as their loyalty.
Before banks can crack consumers’ psychological apprehension regarding mobile security, they must address technical issues that are unique to mobile. Banks and financial institutions need to see mobile security as a complete picture, to create a dedicated, multilayered and up-to-date strategy focusing on mobile security.
Here are eight tips for banks to successfully approach a mobile first strategy:
1. Banks need simple, quick but secure authentication
While mobile banking customers' preferences vary somewhat by generation, for the most part customers want a secure, frictionless mobile experience that lets them use more services from their device. Banks are replacing complex passwords with simple PINs, fingerprint scanning or other biometrics to provide faster, more convenient logins. A convenient option that is implemented poorly is not a secure one, however: a PIN or biometric is only as strong as the mechanism behind it. The convenience-versus-security trade-off is resolved when the bank builds an underlying security framework that makes PIN and biometric authentication secure, for example one that keeps the PIN or biometric verdict on the device and uses it to unlock a device-bound credential rather than sending the PIN itself to the server.
2. Provide a frictionless experience
A 2016 U.S. Federal Reserve Board report, Consumers and Mobile Financial Services, emphasizes the low-risk nature of most consumers' mobile interactions: 94 percent of mobile banking users checked an account balance or reviewed recent transactions in the previous 12 months. Friction dampens consumer enthusiasm for mobile banking, and the login and authentication stage is where delay most often occurs. While most consumers are used to clicking through multiple screens to complete an action on a desktop, they expect mobile banking to be much simpler.
Reduced friction enables these rapid, repetitive actions while providing a positive user experience. Your mobile banking app and supporting IT will use multiple security technologies to secure devices and communication; look for ways to tie these processes together without requiring extra actions from customers. For example, a mobile device can authenticate itself to the bank when a new session starts, before the user is asked for anything. In addition to device authentication, behavioral authentication is another frictionless option worth considering.
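The device authentication at session start described above, and the "underlying security framework" for PINs and biometrics from tip 1, can be one mechanism: the handset holds a device-bound secret that a local PIN or biometric check unlocks, and it answers a one-time challenge from the bank with that secret, so the server never sees the PIN. The block below is an added illustration of that challenge-response, not code from the article or from VASCO. It assumes a per-device secret provisioned at enrolment, kept in hardware-backed storage on the handset and indexed by device_id on the server, a 60-second challenge lifetime, and simulates server, device and network in one process.

```python
"""Device-bound challenge-response login.

Added illustration, not code from the article or from VASCO. Assumptions:
a per-device secret is provisioned at enrolment; on the handset it lives in
hardware-backed storage (Android Keystore / iOS Secure Enclave) that the PIN
or biometric unlocks locally, so the server never sees the PIN; the server
keeps its copy indexed by device_id. Server, device and network are all
simulated in-process.
"""
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 60  # seconds a challenge stays valid (assumed policy)


def _respond(secret: bytes, device_id: str, nonce: str) -> str:
    """HMAC-SHA256 over the challenge, bound to the device identity and purpose."""
    msg = f"login|{device_id}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class BankServer:
    """Issues one-time challenges and verifies device responses."""

    def __init__(self):
        self.device_secrets = {}  # device_id -> secret (enrolment record)
        self.pending = {}         # nonce -> (device_id, issued_at)

    def enrol(self, device_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.device_secrets[device_id] = secret
        return secret  # handed to the device once, during enrolment

    def issue_challenge(self, device_id: str) -> str:
        if device_id not in self.device_secrets:
            raise KeyError("unknown device")
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (device_id, time.time())
        return nonce

    def verify(self, device_id: str, nonce: str, response: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.pop(nonce, None)  # single use: consumed on first attempt
        if entry is None or entry[0] != device_id:
            return False
        if now - entry[1] > CHALLENGE_TTL:
            return False
        expected = _respond(self.device_secrets[device_id], device_id, nonce)
        return hmac.compare_digest(expected, response)


class Device:
    """Handset side: the secret is only usable after a local PIN/biometric unlock."""

    def __init__(self, device_id: str, secret: bytes):
        self.device_id = device_id
        self._secret = secret
        self.unlocked = False

    def unlock(self, local_check_passed: bool) -> None:
        self.unlocked = local_check_passed  # PIN/biometric verdict stays on the device

    def answer(self, nonce: str) -> str:
        if not self.unlocked:
            raise PermissionError("device key not unlocked")
        return _respond(self._secret, self.device_id, nonce)


def demo():
    """Returns (genuine, replay, forged, expired) verification results."""
    server = BankServer()
    dev = Device("dev-4242", server.enrol("dev-4242"))
    dev.unlock(True)

    nonce = server.issue_challenge("dev-4242")
    resp = dev.answer(nonce)
    genuine = server.verify("dev-4242", nonce, resp)
    replay = server.verify("dev-4242", nonce, resp)  # same nonce again: rejected

    nonce2 = server.issue_challenge("dev-4242")
    forged = server.verify("dev-4242", nonce2,
                           _respond(b"not-the-secret", "dev-4242", nonce2))

    nonce3 = server.issue_challenge("dev-4242")
    expired = server.verify("dev-4242", nonce3, dev.answer(nonce3),
                            now=time.time() + 2 * CHALLENGE_TTL)
    return genuine, replay, forged, expired


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The three things a practitioner should check in such a scheme are visible in demo(): the nonce is consumed on first use (replay fails), a response from a party without the secret fails, and a stale challenge fails even with the right secret. With an asymmetric device key the same structure applies; the server would store a public key and verify a signature instead of recomputing an HMAC.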
3. Protect Mobile Banking Apps
The increased popularity of mobile banking has created a highly competitive and challenging environment, especially for mobile app developers. As a result, releases are often rushed, creating vulnerabilities in the application layer. Malware targeting banking apps is well documented, and these attacks are growing in both number and sophistication. The BankBot Android banking malware, for instance, targeted more than 420 banks in countries including Germany, France, Austria, the Netherlands, Turkey and the United States.
Using a technique known as overlay, the malware draws its own window on top of the legitimate Android app and captures what the user enters, compromising both transactions and privacy. From an application perspective, it is important to harden the app with mobile app shielding and, specifically, Runtime Application Self-Protection (RASP). This keeps the app (and your backend systems) safe even when it runs on a device whose OS protections are disabled or that is already infected with malware. In the BankBot case, for example, if RASP determined the app was at risk of an overlay attack, it would shut the app down and open a browser page notifying both the IT admin and the end user that an attack occurred.
4. Measure Risk on Each Mobile Device
The foundation of strong security is multi-layer controls: if an attacker manages to thwart one layer, other controls mitigate the malicious activity. Among these are technologies that analyze each mobile device and the associated behavior of its user while engaged with the mobile banking app. The goal is to score the risk of each device and produce actionable data so that policy can be enforced when the score crosses a critical threshold. For example, an unpatched OS or app version carries more risk, as does a connection over an unknown public Wi-Fi network, a newly set password, or a newly enrolled biometric factor. Analysis and scoring must happen automatically and in real time to ensure strong security.
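As an added example of the scoring described above (not the article's product), the block below turns signals the app or its shielding layer can report at session start, including the unpatched-OS, unknown-network and newly-enrolled-credential cases the text names and an overlay detection from tip 3, into a score and a policy action. The signal names, weights and thresholds are assumed example policy values, not figures from the article.

```python
"""Real-time device risk scoring at session start.

Added illustration, not the article's product. The signals, weights and
thresholds are assumed example policy values, not figures from the article.
The app (or its shielding layer) reports the signals; the backend scores
them and maps the score to an action before the session may do anything
sensitive.
"""
from dataclasses import dataclass

MIN_OS_VERSION = (12, 0)   # assumed: oldest OS line the bank still treats as patched
MIN_APP_VERSION = (5, 2)   # assumed: oldest app release without known defects
NEW_DEVICE_DAYS = 7        # assumed: enrolments younger than this count as "new"

WEIGHTS = {                # assumed policy weights on a 0-100 scale
    "os_unpatched": 30,
    "app_outdated": 20,
    "rooted_or_jailbroken": 40,
    "overlay_detected": 50,
    "unknown_network": 10,
    "credential_changed": 15,
    "new_device": 15,
}
STEP_UP_AT = 25            # assumed thresholds
BLOCK_AT = 60


@dataclass
class DeviceSignals:
    device_id: str
    os_version: tuple                      # e.g. (13, 0)
    app_version: tuple                     # e.g. (5, 3)
    rooted_or_jailbroken: bool = False
    overlay_detected: bool = False         # reported by in-app shielding/RASP
    network_known: bool = True             # False on an unfamiliar public Wi-Fi
    credential_changed: bool = False       # new PIN/password/biometric since last session
    enrolled_days_ago: int = 365


def score(s: DeviceSignals):
    """Return (score capped at 100, list of triggered risk reasons)."""
    reasons = []
    if s.os_version < MIN_OS_VERSION:
        reasons.append("os_unpatched")
    if s.app_version < MIN_APP_VERSION:
        reasons.append("app_outdated")
    if s.rooted_or_jailbroken:
        reasons.append("rooted_or_jailbroken")
    if s.overlay_detected:
        reasons.append("overlay_detected")
    if not s.network_known:
        reasons.append("unknown_network")
    if s.credential_changed:
        reasons.append("credential_changed")
    if s.enrolled_days_ago < NEW_DEVICE_DAYS:
        reasons.append("new_device")
    return min(sum(WEIGHTS[r] for r in reasons), 100), reasons


def decide(total: int) -> str:
    if total >= BLOCK_AT:
        return "block"       # refuse the session and alert fraud operations
    if total >= STEP_UP_AT:
        return "step_up"     # require an extra factor before high-value actions
    return "allow"


def evaluate(s: DeviceSignals) -> dict:
    total, reasons = score(s)
    return {"device_id": s.device_id, "score": total,
            "action": decide(total), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample devices, not real telemetry
    clean = DeviceSignals("dev-1", (13, 0), (5, 3))
    cafe = DeviceSignals("dev-2", (13, 0), (5, 3), network_known=False, credential_changed=True)
    hostile = DeviceSignals("dev-3", (10, 0), (4, 9), rooted_or_jailbroken=True, overlay_detected=True)
    for d in (clean, cafe, hostile):
        print(evaluate(d))
```

Returning the triggered reasons alongside the score is what makes the output actionable: the step-up prompt, the fraud-operations alert and the customer's own notification can each say why, and tuning a weight later is a policy change rather than a code change.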
5. Adopt an Omni-Channel Approach
To stay competitive you need a great user experience across channels, including mobile. The challenge for customers is that different channels often require different ways to prove identity and authorize operations, and those differences lead to friction and frustration. An omni-channel approach aligns security across channels without hurting usability. Look for ways to eliminate friction by offering a simple, intuitive experience with fewer required interactions.
6. Combat Social Engineering and Other Threats
Phishing and other types of social engineering work because most people have a natural tendency to trust. Attackers exploit this trust to steal valuable information such as usernames, passwords, credit card numbers or other sensitive data. Many banks have responded with tougher security for users, yet even with education and additional controls, phishing still succeeds. The simple reason is that the final decision to complete a transaction rests with the user, and in most schemes the user authenticates to the bank while the bank never proves itself to the user. Social engineering is no longer limited to email either. Vishing, where a victim is manipulated by phone into disclosing confidential data that is then used for fraud, is also on the rise. To combat these schemes in banking, a signature should be generated only for requests the bank itself created and authenticated. The mobile device should automatically reject any request that did not come from the bank, and there should be no way to generate a signature without an interaction with the bank.
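The three rules at the end of the paragraph above (sign only bank-issued requests, reject everything else, no signature without a bank interaction) are shown below as an added example, not the article's or VASCO's code. It assumes a per-device secret shared between bank and device at enrolment, a separate bank key that authenticates requests pushed to the device, and in-process transport; the request key is symmetric only to stay within the Python standard library, whereas a real deployment would give the device a public key so it cannot mint bank requests itself. The IBANs and amounts are constructed sample data.

```python
"""Bank-originated transaction signing (what you see is what you sign).

Added illustration, not the article's or VASCO's code. Assumptions: the
bank and each enrolled device share a per-device secret (hardware-token
style; an asymmetric key pair would serve equally well), and the bank
authenticates the requests it pushes to devices with a separate request
key. That request key is symmetric here only to stay within the standard
library; in a real deployment the device would hold a public key so it
cannot mint bank requests itself. Transport is simulated in-process.
"""
import hashlib
import hmac
import json
import secrets
import time

REQUEST_TTL = 120  # seconds a pushed request stays signable (assumed policy)


def _mac(key: bytes, payload: dict) -> str:
    """MAC over a canonical JSON encoding so both sides sign identical bytes."""
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class Bank:
    def __init__(self):
        self.request_key = secrets.token_bytes(32)  # authenticates bank -> device requests
        self.device_keys = {}                        # device_id -> per-device secret
        self.pending = {}                            # request id -> request the bank issued

    def enrol(self, device_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[device_id] = key
        return key

    def create_request(self, device_id: str, amount: str, beneficiary: str) -> dict:
        """Only the bank creates signable requests, and it records each one."""
        req = {"id": secrets.token_hex(8), "device": device_id, "amount": amount,
               "beneficiary": beneficiary, "expires": int(time.time()) + REQUEST_TTL}
        self.pending[req["id"]] = req
        return {"request": req, "bank_mac": _mac(self.request_key, req)}

    def accept(self, device_id: str, request_id: str, user_sig: str, now=None) -> bool:
        """Valid only if the signature covers the request the bank itself stored."""
        now = time.time() if now is None else now
        req = self.pending.pop(request_id, None)   # single use
        if req is None or req["device"] != device_id or now > req["expires"]:
            return False
        return hmac.compare_digest(_mac(self.device_keys[device_id], req), user_sig)


class Device:
    def __init__(self, device_id: str, device_key: bytes, bank_request_key: bytes):
        self.device_id = device_id
        self._device_key = device_key            # PIN/biometric-gated in practice
        self._bank_request_key = bank_request_key

    def sign(self, envelope: dict, user_confirms) -> str:
        """Returns the user's signature, or '' if the request is refused."""
        req = envelope["request"]
        # 1. Refuse anything the bank did not issue: a vished, phished or tampered request
        if not hmac.compare_digest(_mac(self._bank_request_key, req),
                                   envelope.get("bank_mac", "")):
            return ""
        if req["device"] != self.device_id:
            return ""
        # 2. Show the exact amount and beneficiary; sign only after explicit confirmation
        if not user_confirms(req):
            return ""
        return _mac(self._device_key, req)


def demo():
    """Returns (legitimate accepted, tampered refused, unsolicited refused)."""
    bank = Bank()
    dev = Device("dev-7", bank.enrol("dev-7"), bank.request_key)
    always_yes = lambda req: True   # a user who has been talked into approving anything

    # Legitimate flow: bank pushes a request, user sees it, device signs, bank accepts
    env = bank.create_request("dev-7", "250.00", "NL91ABNA0417164300")
    legit = bank.accept("dev-7", env["request"]["id"], dev.sign(env, always_yes))

    # Attacker in the middle changes the beneficiary on a genuine request
    env2 = bank.create_request("dev-7", "250.00", "NL91ABNA0417164300")
    tampered_env = {"request": dict(env2["request"], beneficiary="GB33BUKB20201555555555"),
                    "bank_mac": env2["bank_mac"]}
    tampered = dev.sign(tampered_env, always_yes) == ""

    # Vishing: a caller "from the bank" asks the victim to approve a request the bank never made
    fake = {"request": {"id": "deadbeef", "device": "dev-7", "amount": "9000.00",
                        "beneficiary": "GB33BUKB20201555555555", "expires": 4102444800},
            "bank_mac": "0" * 64}
    unsolicited = dev.sign(fake, always_yes) == ""
    return legit, tampered, unsolicited


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Two properties do the work here. The device will not produce a signature for anything that fails the bank's MAC, so a phone call cannot conjure a signable request, and the bank verifies the user's signature against the request it stored rather than whatever comes back over the wire, so even a signature obtained over altered details is worthless.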
7. Be Ready for Regulation
Because of global payment fraud, banking is one of the most heavily regulated industries, and more regulation is on the way. In the EU, for example, the revised Payment Services Directive (PSD2) is already in effect. It regulates the security of electronic payments, including mobile banking and retail payments, establishes a minimum security level for payments in the EU, and requires strong customer authentication (two independent factors) for most remote account access and payments. Other rules add related obligations: PCI DSS requires multi-factor authentication for access to the cardholder data environment, and GDPR requires appropriate technical measures, such as access control, to protect personal data. Deploy solutions that fulfill the requirements of PSD2 and similar regulations.
8. Electronic Document Signing
As digitization efforts mature and organizations see the benefits in customer experience, compliance, productivity and hard cost savings, they look for ways to extend those benefits to every business line, channel and area of the organization. This requires an electronic signature platform flexible enough to accommodate any business process and deployable across any channel: online, the call center, the retail branch and mobile. E-signatures let employees securely send and manage document-based transactions while customers sign documents quickly and easily, anywhere, anytime and on any device.
Going mobile is unquestionably a strategic necessity for banks and financial institutions. They must start taking the initiative to rethink the mobile customer journey. Applying these eight steps ensures that organizations maintain a seamless and secure mobile banking experience for their customers.
David Vergara, Director of Security Product Marketing at VASCO