Today mobile banking is one of the fastest growing applications in financial services and is fast emerging as an indispensable business asset for banks to retain customers. However, considering the security aspects of mobile banking, end-users seem to be in a dilemma about accepting this service. This article explains the overall concept of mobile banking with respect to security.
Are the mobile banking (m-banking) services offered by a few banks secure? This is the billion dollar question that many of us have asked. Seven years ago, I started banking online. At the time, it was a radical idea; the security of the Internet, that is, of performing personal financial transactions or even buying online, was in doubt, but I'd grown tired of calling the automated number and punching in additional digits just to navigate. Online banking allows you to check balances, view activity, order checks, transfer funds, even pay bills 24-7. Now banks would like to go one step further by offering services via mobile. Once again, there are security concerns, but the banks feel they have a handle on it this time around.
Mobile banking is a new trend in the retail banking industry. More and more banks around the world see mobile banking as the leading edge of the movement to deliver banking services to customers' cell phones and PDAs. Today mobile banking is one of the fastest growing applications in financial services, and there is a promising interface between mobile phones and ATM networks.
Since the mobile phone is a target of attack from various malicious sources, security is the buzzword for common users now that mobile banking services are widely offered by various banks.
In the U.S., there are an estimated 1.5 million banking customers who receive some kind of banking information via their cell phones. This estimate includes 500,000 users from Bank of America who use its mobile banking services.
Customers of banks offering mobile banking via cell phones and smart phones can check their account balances, transfer funds between existing accounts, and with some services pay bills online. While the exact number of banks now offering mobile banking services to customers in India isn't pinned down yet, it is estimated that after the mobile banking "breakdown" in the 2000-2001 timeframe, the number of banks beginning to offer mobile banking to customers is rising rapidly.
Security experts say that most of the banks offering mobile banking to customers have taken the approach of deliberately making it as safe as possible to encourage adoption by customers. The majority of mobile banking services now offer the same functionality as an ATM, with the emphasis on information rather than on transactions.
Research Survey on m-Banking
Research presented at the Cardtech SecureTech (CTST) conference in San Francisco shows that people are uneasy about handling their financial services needs on a mobile phone. According to Javelin Strategy & Research, a financial services survey company, across all age groups, 33 percent of those surveyed thought mobile banking was too risky, while 34 percent were unsure if it was a good idea. The bright spot, they found, was in the 18-to-24 age range, where respondents were decidedly more interested in using mobile banking and less concerned about security.
The latter is not too surprising. The 18-to-24 group doesn't remember the online viruses and notorious Internet hacking of the early 1990s, when online banking was trying to gain a foothold. Unlike the online world, mobile systems have yet to be marked by viruses and malware. That's about to change. In 2006, there were about 60 viruses targeting mobile operating systems; in 2007, more than 400 viruses were on the prowl. Add to that snoopware (spyware written especially for mobile devices with cameras), and the relative dangers of online transactions versus mobile transactions become roughly similar. Yet banks are proceeding cautiously with their offerings, propelled, in part, by the 18-to-24-year-olds who currently live and die by their mobile phone usage, and by the belief that carriers and phone users will start using security software to protect the various assets currently stored on mobile devices.
How Safe is m-Banking?
Security analysts predict that, as consumers have embraced the new ability to check their accounts via their cell phone, security limitations will be no barrier to acceptance.
A major information security vendor sees the mobile market as a place of "converging dynamics": a perfect storm of customer demand and the increasing use of the cell phone for more than just voice. Security experts are of the view that banks offering mobile banking to customers need to think carefully about their encryption strategies, and about what steps should be taken for wiping information off lost cell phones.
While some banks offer only limited mobile banking services, most of them allowing you only to view recent activity and check balances, this should not be seen as a cause for disappointment. That way, if your phone is ever stolen, the thieves would be able to see only how much you have in your account and would not have transaction rights to transfer money out of it. Lately, more banks are allowing customers to transfer funds, with an eye toward allowing stock trades later on.
The security vendors see mobile phones as an increasingly targeted end point that hackers will want to go after, with more attacks like spam and viruses. Security experts describe one vector where mobile phones could be most vulnerable to attack. Phishing is primarily an attack carried out over email: it moves the victim to a fraudulent website. With mobile, there is very little integrity in any of the channels, so there are multiple channels users have to be aware of. If, for example, an SMS message arrives laden with a virus, it can then infect via Bluetooth all the other Bluetooth-equipped phones in the area.
From a fraudster's perspective, banking by cell phone will be an absolute goldmine once real transactions begin. To prevent fraud, banking institutions will have to go "out of channel" to authenticate a transaction. For example, the bank would send an SMS message to the customer, who would have to send a reply back in order to authenticate a transfer. Security experts note that at this point the mobile market is not very robust and still struggles with a very low degree of standardization of technology across the mobile environment.
Technically, cell phone signals are harder to hack into, so cell modems are a much safer way for a laptop to connect to the Internet than public Wi-Fi. However, many new mobile phones now integrate Wi-Fi, so traditional hacking methods may soon come into play with mobile banking. To counter this, some banks offer encrypted user names and passwords. Visa USA goes further, allowing customers to disable an account from a lost cell phone by going online. MasterCard is using a one-time password for each session.
Security Challenges for m-Banking
For providers and regulators alike, the idea of mobile banking is inseparable from the question of mobile security.
Banking institutions should examine the new threats to which consumers are exposed through mobile banking, including hacking, phishing attacks, loss or theft of one's mobile device, unfamiliarity with new technology or products, and unfamiliar, bogus or criminal websites.
In the Western Cape, South Africa, exactly a year ago, Derick Lindsay went online to check his email and discovered a shocking message from his bank confirming a R80,000 payment to an unknown property company. The transaction had taken place on the day his SIM card was swopped, while he was on holiday. The transfer was possible because the crooks had received an SMS once-off password from his bank via Lindsay's hijacked cellphone number - a security measure used by banks to authorize payments to new beneficiaries.
Known as the SIM swop scam, this is one of the challenging aspects of securing mobile banking. When stories like this pop up, about dozens of mobile banking clients defrauded in South Africa earlier this year, they raise warning flags for some. But are questions about mobile security really new questions, and do they give cause to pause in pursuing mobile banking?
A new study from Bankable Frontiers digs deep into the issues. Some issues are very familiar: the use of outsourced IT providers, customers protecting their PIN numbers. Several are newer, but are really permutations of issues that arise with any electronic banking channel: the reliability and end-to-end security of the communication networks carrying sensitive data.
These factors do not make most mobile banking channels more or less risky than other forms of e-banking. In fact, the range of m-banking technologies already available includes some with the highest degree of security possible. But automatically requiring the most technically secure platform carries substantial tradeoffs, not least of all that high-end technologies are substantially less likely to be suitable for low-income clients.
Providers targeting the unbanked may also prefer basic technologies. Smaller banks and entrepreneurs which see the unbanked niche as attractive are, due to their size, likely to lack bargaining power with mobile operators. They face a tough time negotiating the right to put a mobile banking application directly onto the SIM card in mobile phones (which enables a higher standard of end-to-end encryption). And even large banks may prefer technologies that work on any handset and any operator network. They want to ensure all bank clients can access the service, and it eliminates the need to negotiate any revenue sharing with operators: the bank keeps the whole pie. This explains why Unstructured Supplementary Service Data (USSD), with a decidedly un-pretty user interface and lower security, is still attractive to some banks.
It is possible to offset the lower security of less secure mobile technologies by introducing operational controls. Balance and transaction limits can put a cap on risk, for clients and providers alike. The Bankable Frontiers report ends with advice for regulators: be careful not to entrench technology-specific standards in regulations which stifle m-banking development. Instead, they should create a flexible, proportionate framework which requires active supervision of mobile financial services.
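The out-of-channel SMS authorization described earlier, the SIM swop case above and the transaction limits just mentioned, put together in a small Python model. This is an example added here, not code from the article or from any bank; the per-transaction cap, the 24-hour cooldown, and the idea that the bank can see the time of the customer's last SIM change (which in practice would have to come from the operator) are all assumptions.

```python
"""Model: SMS one-time password for a first payment to a new beneficiary,
with a per-transaction cap and a recent-SIM-change check.  Illustrative only;
limits, field names and the SIM-change timestamp are assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

TXN_LIMIT = 10_000                  # assumed per-transaction cap (account currency)
SIM_CHANGE_COOLDOWN_S = 24 * 3600   # assumed: no SMS OTP within 24 h of a SIM change

@dataclass
class Account:
    phone: str                                  # number the OTP is sent to
    sim_changed_at: Optional[int]               # epoch seconds of last SIM change, None if never
    known_beneficiaries: Set[str] = field(default_factory=set)
    pending: Dict[str, Tuple[str, str, int]] = field(default_factory=dict)

def request_transfer(acct: Account, beneficiary: str, amount: int, now: int,
                     send_sms: Callable[[str, str], None]) -> Tuple[str, Optional[str]]:
    """Stage a transfer; returns (status, txn_id).  Only a payment to a new
    beneficiary triggers the out-of-channel OTP step."""
    if amount > TXN_LIMIT:
        return "denied_limit", None             # operational control: cap the exposure
    if beneficiary in acct.known_beneficiaries:
        return "approved", None                 # existing payee: no step-up needed
    if acct.sim_changed_at is not None and now - acct.sim_changed_at < SIM_CHANGE_COOLDOWN_S:
        # The SIM swop fraud works because the OTP lands on the hijacked number;
        # refuse the SMS step-up during the cooldown so the bank must verify the
        # customer through another channel instead.
        return "denied_recent_sim_change", None
    otp = f"{secrets.randbelow(10**6):06d}"
    txn_id = secrets.token_hex(4)
    acct.pending[txn_id] = (otp, beneficiary, amount)
    # Payee and amount in the message let the customer spot a transfer they never made.
    send_sms(acct.phone, f"OTP {otp} to pay {amount} to {beneficiary}. Txn {txn_id}")
    return "otp_sent", txn_id

def confirm_transfer(acct: Account, txn_id: str, reply_otp: str) -> str:
    """Consume the pending entry on first use so an OTP cannot be retried."""
    entry = acct.pending.pop(txn_id, None)
    if entry is None:
        return "unknown_txn"
    otp, beneficiary, _amount = entry
    if not hmac.compare_digest(otp, reply_otp):   # constant-time comparison
        return "denied_bad_otp"
    acct.known_beneficiaries.add(beneficiary)     # payee trusted for future transfers
    return "approved"
```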
Mobile Phone Security Requirements
Securing financial transactions executed from a remote location, and the transmission of financial information over the air, are the most complicated challenges that need to be addressed jointly by mobile application developers, wireless network service providers and the banking sector's IT departments.
The following aspects need to be addressed to offer a secure infrastructure for financial transactions over wireless networks:
- Physical security of the hand-held device. If the bank is offering smart-card based security, the physical security of the device is all the more important.
- Security of any thick-client application running on the device. If the device is stolen, the thief should need at least an ID/password to access the application.
- Authentication of the device with service provider before initiating a transaction. This would ensure that unauthorized devices are not connected to perform financial transactions.
- User ID / Password authentication of bank’s customer.
- Encryption of the data being transmitted over the air.
- Encryption of the data that will be stored in device for later/off-line analysis by the customer.
RBI Regulation and Secure SMS
The Reserve Bank of India (RBI) guidelines state that technology requirements are "indicative" and banks should "endeavor" to secure end-to-end encryption. The RBI guidelines call for two-factor authentication for validation of a customer. The industry has reacted to this by interpreting that two-factor authentication can be supported only by GPRS and not through SMS. The media have also criticized the RBI, saying that the new mobile banking regulations such as two-factor authentication do not facilitate financial inclusion, since the basic mobile phones owned by the majority of people in rural India do not support GPRS.
Secure transactions can happen even via SMS. SMSs are of two types: normal and encrypted. A normal SMS is what we use for day-to-day communication and is not secure: because it is not encrypted as it passes through the pipe, it can be accessed in transit. An encrypted SMS, on the other hand, is converted into non-readable text using an RSA / AES algorithm. The text that can be encrypted is the numbers 1-9, capital letters A-Z and small letters a-z. Special characters cannot be encrypted.
When the bank client sends an SMS from his phone to the server, the SMS is sent along with an encrypted key. If the encryption algorithm is strong enough, it is not possible to read the SMS. The server then decrypts the encrypted key using the RSA algorithm. This technology is perfectly secure and GPRS is not mandatory. Not many phone users in India subscribe to GPRS, and even fewer have phones that support it. Around 60 percent of the 306 million handsets or mobile connections in India are without GPRS and WAP. Security experts are of the opinion that, due to the lack of GPRS connectivity, Smart Trust applications and secure SMS-based applications will be prominent at least in the initial years of mobile banking.
What Banks Should Do to Assure Security
Banking institutions should first understand their customers' fears. It is obvious that the desire for mobile banking is one thing and security concerns are another. Banks should offer the assurance of safety and security that consumers demand from their institution, whether in person, at the ATM, via the Internet or on their cell phone. Let your customers know what you've done to ensure the security of their information when they bank via cell phones. While Gen Y is notably less private than previous generations (as evidenced by MySpace, Facebook, and the popularity of blogs), identity theft is still very real to today's consumer, so confidence and security are key when offering mobile platforms.
Weigh your customers' wants. Mobile banking is clearly the "next big thing," but the question remains: is it in line with consumer demand? Consider conducting focus groups in your community or surveying your customer base to assess their desires and potential fears about mobile banking. As the old saying goes, give them what they want, without compromising security.
Enhancing m-banking Security
Mobile banking has a promising future as long as the right security is in place, and there are always additional ways to enhance that security. Banks must undertake the same liability for mobile banking as for online banking. While most security solutions in m-banking are still software-based, solutions for mobile banking using smart cards can be considered. These include the Mobile Security Card, a flash memory card with an additional smart-card chip, enabling various encryption options.
Considering the cost factor, banking institutions may view this type of implementation negatively. But banks should weigh the security of their customers against the cost of implementation.
The Bottom Line
Mobile banking can be viewed as a hook for customer acquisition, but it shouldn't be relied on for customer retention. With respect to security, this tool of convenience cannot be treated as a conventional offering to customers; rather, banks should periodically update the appropriate safety mechanisms and implement the security process.
With the introduction of any new channel or technology, such as the use of mobile devices for banking activity, banking institutions must ensure that the perceptions and the realities surrounding security are successfully managed, both to ensure adoption and to protect customers and the banking institution from emerging threats. The key emphasis of this article is on the approach that banking institutions should take toward consumer security education, as well as the need for strong collaboration among vendors, banks and carriers for effective implementation.
—By: R. Manoj, Assistant Editor, 'InfoSecurity' magazine.