
Is 'good-enough' security good enough for Mobile Banking?

CEB TowerGroup predicts mobile banking usage will reach 17 billion transactions in 2015. At the same time, customers are still worried about security, which is the number one fear among potential mobile banking customers (according to a recent Javelin study). Yet this fear has to be balanced with usability. Some banks have turned to the concept of ’good-enough’ security to manage this gap. Is this the right way forward?

Banking apps are undoubtedly the most critical mobile applications, and the highest level of security is expected of them. According to research conducted last year by IOActive, 90% of mobile banking apps from leading banks have serious vulnerabilities that could compromise sensitive user data. The most common faults are missing protection against JavaScript injection or Man-in-the-Middle (MiTM) attacks. The study makes clear that financial institutions need to raise the security standards of their digital banking solutions, not just online but in mobile solutions too.

Meanwhile, mobile manufacturers have been working on implementing security solutions in their devices. Mobile biometrics (fingerprint, voice and face recognition) and sophisticated privacy settings have evolved into commonly used features in smartphones to ensure enhanced security.

The good news is that, for today, the fear is worse than the reality. Even though there is more to be done, heavy investment in mobile security over the last few years has made a big impact. Financial services providers continuously try to improve perception and change the way consumers think about security. There is no way institutions can prepare for every security incident, but they can be prepared to handle them and react immediately.

While the improvements in security are crucial, Consult Hyperion's Dave Birch said at the MobeyDay conference in Barcelona, "Future is not about security, it's about convenience!" In other words, no one will use a banking application because it is secure if it is impossible to use. Innovators in the market (Huntington Bank, Ohio Bank) are already relaxing security requirements on mobile and letting customers view their balances and use limited functionality without logging in. Disruptive startups are rethinking the whole banking process and applying so-called 'good-enough' security principles. Good user experience can no longer be limited by security regulations. Successful startup applications (TransferWise, Simple) offer a simple user experience while keeping it secure. Financial institutions can learn from them by combining the controls of the smartphone with behaviour analytics that identify suspicious, out-of-pattern activity and raise a flag.
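One way to make the tiered-access idea above concrete: an added example (not the article's code, nor any bank's) of a step-up authentication policy that lets read-only operations proceed on a trusted device but demands re-authentication, or blocks the request, when behavioural signals are out of pattern. The operation tiers, signal names and thresholds are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Operation sensitivity tiers (constructed policy, not any bank's).
TIERS = {
    "view_balance": 1,        # read-only, limited value to an attacker
    "view_transactions": 1,
    "pay_known_payee": 2,     # money movement to a previously used payee
    "pay_new_payee": 3,       # money movement to a new destination
}

@dataclass
class Signals:
    """Behavioural/device signals the app and back end can collect (constructed names)."""
    device_enrolled: bool           # device was bound to this customer earlier
    device_lock_enabled: bool       # OS screen lock / biometric is switched on
    minutes_since_full_login: int   # time since last password or biometric login
    km_from_usual_location: float   # distance from the customer's usual area
    amount: float                   # 0 for read-only operations
    usual_max_amount: float         # customer's historical largest payment

def risk_score(s: Signals) -> int:
    """Sum of out-of-pattern indicators; higher means more suspicious."""
    score = 0
    if not s.device_enrolled:
        score += 3
    if not s.device_lock_enabled:
        score += 1
    if s.km_from_usual_location > 500:
        score += 2
    if s.usual_max_amount and s.amount > 2 * s.usual_max_amount:
        score += 2
    return score

def decide(operation: str, s: Signals) -> str:
    """Return 'allow', 'step_up' (re-authenticate) or 'block' (hold for review)."""
    tier = TIERS[operation]
    score = risk_score(s)
    if tier == 1:
        # No-login balance view only on an enrolled, locked device that looks normal.
        ok = s.device_enrolled and s.device_lock_enabled and score == 0
        return "allow" if ok else "step_up"
    if tier == 2:
        if score >= 4:
            return "block"
        # Known payee: allow only shortly after a full login and with no anomalies.
        return "allow" if score == 0 and s.minutes_since_full_login <= 15 else "step_up"
    # Tier 3: always re-authenticate; strong anomaly holds the payment for review.
    return "block" if score >= 4 else "step_up"
```
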

As technology evolves, so will the challenges faced by banks. I've been reading blogs about how to hack Apple's Touch ID, which might not be the most robust security feature. A hacker can copy and use my fingerprint with a gummy bear; indeed, it is the most convenient way to do so. A lock on a door cannot keep out determined criminals, although it is effective enough to handle common threats. I believe we must teach customers to be more careful about their mobile habits and to choose the level of safety that makes them comfortable.

Is this the way to go? Will it revolutionise what we think about security today? Ultimately, time will tell. But banks must continually consider how best to balance security and user experience.


Comments: (4)

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 11 November, 2014, 15:13 (2 likes)

After contributing to and following this topic for years, for reasons highlighted in my comment here, I'm slowly beginning to believe that basic human nature comes in the way of the emergence of a golden mean between convenience and security. One has to take precedence, with the other taking a backseat. Which does what will be driven as much by cultural factors as anything else e.g. security will take precedence in India whereas convenience, in USA.

I think the security lobby is using sensationalism to peddle its wares. Take this Apple Touch ID hack for example. It will compromise my Apple Pay payment only if (1) my iPhone is stolen (2) by a robber who has captured my fingerprint (3) freshly (4) on a gummy bear. I tend to believe that crossing the road might be more dangerous than the simultaneous occurrence of these four events.

A Finextra member, 12 November, 2014, 12:51 (1 like)

Exactly, I cannot agree more. I keep hearing about security gaps and vulnerabilities in mobile payments. This is the same with HCE (Host-Card Emulation) and Mobile Tokens, security experts still believe the hardware is the key to secure multi-level authentications. I believe this is early scepticism which will be convinced by the rapid evolution of such digitalised services.

Dean Wallace - ACI - Global, 17 November, 2014, 16:14 (0 likes)

Excellent post Máté. The concept of risk management you outline has long been in place at card issuers and acquirers; it's about accepting losses but working on ways to reduce those losses. Security is a given, a must. But to win in a competitive financial services environment you have to win on desirability. Customer experience is "must no. 1".

A Finextra member, 17 November, 2014, 18:46 (0 likes)

The problem is that no-one can tell what good security is. Please educate me! Start by explaining why most payment apps are insecure. Then take a look at the recent Apple vulnerabilities like Wirelurker. Is it a problem for Payment Service Providers that yesterday's good enough thinking suddenly fails? Good enough is all about not trusting the device: make your app self-aware and self-protecting. If done right you can keep a simple password; no need for fancy biometry or additional tokens.
