Modern life has changed so much, so fast. Nearly everyone today has a smartphone, and we become more reliant on them every day. That’s a good thing for financial institutions that have invested in mobile banking platforms: you’ve positioned yourself exactly where consumers want to interact with you. Just don’t get burned by letting your institution or its customers take this channel’s security for granted.
Mobile Phones Are Man's New Best Friend
The dog has been replaced by the mobile device—and certainly not just by younger generations. In its study Consumers and Mobile Financial Services 2016, the Federal Reserve notes that “mobile phones have increasingly become tools that consumers use for banking, payments, budgeting, and shopping.” The study also revealed that almost 8 out of 10 adults in the U.S. now own a smartphone. Of those smartphone owners surveyed by the Federal Reserve, 53 percent claimed to have used a mobile banking app and 28 percent to have made a mobile payment within the previous year.
This mobile frenzy is a real boon to financial institutions. In its recent guidance on mobile financial services, the FFIEC agrees, “the mobile channel provides an opportunity for financial institutions of all sizes to increase customer access to financial services and decrease costs.” Unfortunately, that high-frequency usage and ease of access also make the mobile device a potential boon for cybercriminals.
Cybercriminals Are Still Testing the Mobile Waters
Cybersecurity experts have been warning us for some time now about the potential vulnerabilities of the mobile device, but the big wave of mobile cybercrime has yet to occur. In fact, the Verizon 2016 Data Breach Investigations Report claims that “those looking for proclamations about this being the year that mobile attacks bring us to our knees . . . you will be disappointed. We still do not have significant real-world data on these technologies as the vector of attack on organizations.”
Still, don’t assume your institution is off the hook. The Verizon report goes on to warn that the data’s “absence is not a suggestion to ignore these areas in your risk management decision-making.” In truth, cybercriminals are still weighing the cost and benefit of jumping full tilt into the mobile arena. They’re a business, albeit an illicit one, and they make decisions just like legitimate organizations. Once their profit margins in mobile cybercrime outweigh their costs, that big wave will hit, and likely hit hard.
Is your institution ready for this wave? That’s what the FFIEC wants to know, hence its Appendix E of the Retail Payments Systems Booklet. In a nutshell, this guidance, which regulators can now use during your IT examination, sets the expectation that, “management should identify, measure, mitigate, and control the risks involved and be familiar with technologies that enable MFS (mobile financial services).” The problem for bank boards and senior management is that the guidance expects them to gain a fairly in-depth understanding of the technologies that enable MFS, a subject far removed from deposits, loans and investments. And even if they gain the appropriate knowledge, the end user still has control of the mobile device, creating a real wild card for institutions.
Five Ways to Protect Your Institution from Mobile Cyber Attacks
Rather than throw your hands up in surrender to that wild card, take these five preemptive steps to protect your institution and its customers from falling victim to mobile cybercrime.
- Pay Serious Attention to Your Risk Assessment: Start with your risk assessment. The FFIEC guidance is clear: “management should identify the risks associated with the types of MFS being offered as part of the institution’s strategic plan.” Keep in mind that “mobile” includes the use of mobile apps, mobile-enabled websites, mobile messaging (SMS technology) and mobile payment systems. Pay particular attention to how these services affect your strategic, operational, compliance and reputational risk. At a minimum, explore your exposure to operating system updates, consumer inattention to mobile security, jail-broken devices, trojans and malicious apps that may access data.
- Select App Vendors with Care: The market is flooded with vendors who want in on this new “it” space in technology, which means financial institutions must take particular care with the due diligence and ongoing monitoring of mobile banking app vendors. Specifically, the FFIEC guidance warns that a “significant portion of the innovation in the industry is driven by entities outside of the traditional financial services sector. These entities may be unfamiliar with regulatory requirements and supervisory expectations that apply to regulated financial institutions and their service providers.” Make sure your mobile app vendor is as concerned with regulatory obligations as it is with app functionality, and only use a vendor who has taken the time to understand the risks and regulatory requirements.
- Make App Security a Top Priority: In speaking about the security vulnerabilities of mobile banking, American Banker noted that, “the issues here are vast and will only grow. Banks that haven’t set aside a portion of their budget to mobile app security need to make that a priority.” To that point, ensure you are taking advantage of as many security controls on your institution’s mobile banking app as possible. The FFIEC’s Appendix E outlines its app security expectations, which include the following:
  - Robust and layered authentication methodologies for signing into the app and verifying the end user’s identity, like two-factor authentication and biometrics
  - Coding that prevents the app from running on jail-broken or compromised devices
  - Out-of-Wallet identity verification processes at app sign-up
- Use Server Side Controls to Your Advantage: In addition to shoring up your mobile banking app security, take advantage of server side controls at your disposal, including the following:
  - Frequent transaction monitoring to help detect potential red flags
  - Geo-location technology to identify a device being used in an abnormal area for the user
  - Strong fraud detection, prevention and notification practices to address issues in real-time
  - Anomaly detection techniques that can quickly recognize unusual mobile transactions
- Help Consumers Understand What's at Stake: The FFIEC guidance puts the onus of consumer awareness squarely on financial institutions, indicating that they “should make reasonable efforts to educate customers about the need to maintain physical and logical security of mobile devices.” At a minimum, your customer awareness campaign about mobile security should . . .
  - Steer them to your website to download your mobile banking app to ensure they are using the legitimate app and not a malicious lookalike
  - Urge them to invest in anti-malware or virus protection for their mobile devices to increase their security and protect their identity
  - Explain the importance of downloading operating system updates as soon as they become available to ensure the continuous security of their mobile devices
  - Discourage them from altering the manufacturer-installed security controls, which could open their device to invisible, malicious intruders
  - Describe the various types of malware and explain how cybercriminals use them to eavesdrop on other apps running concurrently to collect data on the device’s owner
  - Help them understand that even legitimate apps can open a mobile phone to security vulnerabilities if the app isn’t designed with security in mind
  - Teach them how to be savvy about their app selection to avoid the trustworthy-looking app that actually contains malware
Mobile Is a Big Deal
Both consumers and financial institutions enjoy the benefits of mobile technology, but neither group is likely as knowledgeable about its security as it should be. While institutions are ahead of consumers on this knowledge curve, they still have a lot to learn. To begin, take the preemptive steps above and carefully review Appendix E in its entirety. BankInfo Security speculates, “Examiners likely will immediately start using this guidance during their IT assessments.” Pledge now to make mobile security the priority it should be at your institution.
Steve Sanders, CSI vice president of Internal Audit, oversees the evaluation of risks associated with IT, financial and operational systems. He has a strong knowledge of cybersecurity and privacy, accompanied by an educational background in computer security and data protection.