
Security as a Service

One of my pet hates with most mobile banking projects is how security is treated as an adjunct rather than a key scope item. Any product or marketing manager worth their salt knows the number one reason consumers don't adopt mobile banking services is security concerns. The reason security is treated as a ‘black sheep’ is that it doesn't deliver tangible customer satisfaction improvements. And even though customers expect it, they don't often get excited about it. A change in mind-set is required. Security should be treated as a service. If you get it right, and promote it appropriately, it could be the key factor in your bank achieving above normal user adoption.


With more and more threats emerging every day, it is becoming clear that having a secure and robust platform is going to be a key enabler to achieving competitive differentiation. In a recent US study, the primary reason given for not using mobile banking was security: four in ten respondents had concerns that prevented them from using the platform. Security also closely relates to how quickly a bank can bring new services to market. One of the longest lead times on any mobile project is security approval. With security assessments and penetration testing on the critical path, the more robust your security platform is, the less time you need to spend debating whether your new mobile payments feature is going to create additional loopholes. Here are ten key items to consider when developing your mobile security strategy:


1. Don’t make the customer work

I hate it when banks make a decision that makes life easier for them but harder for their customers. One of the best examples of this is the handful of UK banks who have replicated their online banking authentication model for mobile. Do they honestly expect their customers to carry card readers around on the street? The key to a successful authentication approach is to not make the customer work. The security solution needs to be integrated and consistent with the form factor of the device, and if that means setting up a tailored approach, go for it.


2. Go Native

One element often overlooked in the ‘native v HTML5’ debate is that a native app can bind the user's credentials to the handset in a way a browser session cannot. At enrolment the app generates a per-device key, keeps it in the platform's secure keystore and registers it with the bank; every subsequent login must present that key (for example by signing a fresh server challenge) as well as the user's credentials. A fraudster who phishes the login credentials therefore cannot use them on their own: they would also need the handset, or the key held on it. Two caveats apply. The key should be a freshly generated secret rather than something derived only from readable device characteristics such as the IMEI, which malware on the device can collect and replay, and the binding is only as strong as the keystore that protects it. Done properly, this significantly reduces the bank's threat profile and should be proactively communicated to customers as a benefit.


3. Control your environment

Mobile banking gives you an excellent opportunity to maintain control of your environment. Banks can utilise the latest device, behavioural, location and transaction profiling techniques to protect their ground. Organisations such as Trusteer offer banks malware and jailbreak detection APIs which can be updated without a subsequent client release; these can be coded into native app builds using standard code libraries. Bear in mind that such checks run on a device the attacker may already control, so treat their results as risk signals feeding the server-side profiling above rather than as a control in their own right. Finally, banks can use firms like Melbourne IT for rapid identification, takedown and analysis of fake apps and websites targeting mobile products and services.


4. Always keep one eye open

As more and more people start to use mobile banking, fraudsters will follow. In its '2012 Threat Predictions' report, McAfee forecast that over the next 18 months attackers would sharpen their skill set and were likely to bypass PCs and go straight after mobile banking apps. So always keep one eye open through effective identification and assessment of the emerging security threat landscape, from both closed and open sources. Don't assume that because you have strong measures in place today, they will still be strong in the future.


5. Roadmap it

Most product, strategy and marketing teams have extensive roadmaps outlining what features they aim to launch over the next few years. Have you ever seen something similar for security? Rarely. Banks must set a clear mobile security strategy that links together with the channel's product backlog. Remember what your potential customers are telling you: the number one reason they are not adopting your new mobile service is that they have security fears. If customers told you they wanted to set up direct debits on their mobile, you would do it. So go ahead and alleviate those fears.


6. Track benefits

One of the main reasons security is not a primary scope candidate is that fraud losses are generally tracked at group level, not at initiative level. This is also linked to how security initiatives are structured: they are generally managed as group initiatives and their benefits are not tracked accurately. By treating security as a feature, you can start tracking its impact on hard benefits such as improved customer acquisition and, most importantly, a reduction in fraud. If the product manager for your mobile project felt accountable for these benefit areas, security would automatically get a higher priority.


7. Create a different perception

Do you know that all major UK banks offer a fraud guarantee? They guarantee to refund customers who are victims of genuine fraud via their online and mobile channels. You wouldn't guess this was the case if you looked at their websites. They are currently caught half pregnant: if they promote it, they are concerned it will give customers something to worry about; if they don't, they don't have a chance to alleviate any fears. I firmly believe that banks need to start promoting this service. They should develop an icon that is consistently presented across digital channels at all relevant opportunities, especially login. Banks also need to ensure that the design of their mobile service gives an immediate impression of strength and safety. Use icons, colours, gradients and tone of voice to improve the perception. Customers will subconsciously notice. Banks should also provide simple, clear and accessible guidance for customers to ensure safe and secure banking whilst on the move.


8. Mobile is a horizontal capability

One of the great advantages of mobile is that it's with your customers all of the time. It is the greatest communications tool ever invented. Mobile should not just be treated as a vertical channel but as a horizontal capability that can be leveraged across the bank. From a security perspective it can be used as a delivery channel for services such as card fraud alerts, or to validate card-not-present and overseas transactions. Customers can be notified when their card is used, or by confirming that they are overseas they can ensure transactions are not blocked by the bank's fraud systems. For such a confirmation to count as a second factor it must reach a device the bank has enrolled for that customer, and it must show the customer the amount and payee they are approving, so that what is signed is what was seen.
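The following is an added example, not code from the article or from any bank, showing the device binding described under item 2 carried through to the out-of-band transaction approval described in this item. It assumes a simplified model: the per-device key is a random HMAC secret shared with the bank (a real deployment would keep an asymmetric key in the handset's hardware keystore and give the bank only the public half), the "databases" are in-memory dicts, and all usernames, device identifiers and transaction details are constructed sample data.

```python
"""Device-bound login (item 2) and what-you-see-is-what-you-sign approval (item 8).

Assumptions: symmetric device key shared with the bank (simplification),
in-memory stores, constructed sample data. Not production code.
"""
import hashlib
import hmac
import secrets

USERS = {}       # username -> (salt, pbkdf2 hash)
DEVICES = {}     # username -> {device_id: device_key}
CHALLENGES = {}  # nonce -> username, consumed on first use
TXNS = {}        # txid -> [username, amount_pence, payee, approved]


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def register_user(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = (salt, _pw_hash(password, salt))


def enrol_device(username, device_id):
    """Run once per handset after an out-of-band identity check.
    Returns the fresh random key the app must keep in the platform keystore;
    nothing here is derived from readable device characteristics."""
    key = secrets.token_bytes(32)
    DEVICES.setdefault(username, {})[device_id] = key
    return key


def _device_mac(key, *fields):
    # Explicit separator so adjacent fields cannot be re-split by an attacker.
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


# ---- item 2: login needs the password AND something only the handset has ----

def issue_login_challenge(username):
    nonce = secrets.token_hex(16)
    CHALLENGES[nonce] = username
    return nonce


def client_sign_login(device_key, username, device_id, nonce):
    return _device_mac(device_key, "LOGIN", username, device_id, nonce)


def login(username, password, device_id, nonce, signature):
    # Consume the nonce first so a failed attempt cannot be retried with it.
    if CHALLENGES.pop(nonce, None) != username:
        return False
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec
    if not hmac.compare_digest(_pw_hash(password, salt), stored):
        return False
    key = DEVICES.get(username, {}).get(device_id)
    if key is None:
        return False  # unenrolled handset: a phished password alone is useless
    expected = client_sign_login(key, username, device_id, nonce)
    return hmac.compare_digest(expected, signature)


# ---- item 8: the enrolled handset approves a card-not-present payment ----

def create_transaction(username, amount_pence, payee):
    txid = secrets.token_hex(8)
    TXNS[txid] = [username, amount_pence, payee, False]
    return txid  # pushed to the app, which shows amount and payee on screen


def client_sign_approval(device_key, txid, amount_pence, payee):
    # The app signs exactly what the customer was shown.
    return _device_mac(device_key, "APPROVE", txid, amount_pence, payee)


def approve_transaction(txid, device_id, signature):
    txn = TXNS.get(txid)
    if txn is None or txn[3]:
        return False  # unknown or already approved (blocks replay)
    username, amount_pence, payee, _ = txn
    key = DEVICES.get(username, {}).get(device_id)
    if key is None:
        return False
    # Verify against the bank's own record, never against client-supplied details.
    expected = client_sign_approval(key, txid, amount_pence, payee)
    if not hmac.compare_digest(expected, signature):
        return False
    txn[3] = True
    return True


def demo():
    register_user("alice", "correct horse battery staple")
    key = enrol_device("alice", "handset-A")
    n = issue_login_challenge("alice")
    legit = login("alice", "correct horse battery staple", "handset-A", n,
                  client_sign_login(key, "alice", "handset-A", n))
    # Phisher has the password but not the device key.
    n = issue_login_challenge("alice")
    phished = login("alice", "correct horse battery staple", "handset-A", n,
                    client_sign_login(secrets.token_bytes(32), "alice", "handset-A", n))
    # Merchant submits 1,200.00; the customer was shown 120.00, so the
    # signature does not match the bank's record and nothing is approved.
    txid = create_transaction("alice", 120000, "ACME Online")
    mismatch = approve_transaction(txid, "handset-A",
                                   client_sign_approval(key, txid, 12000, "ACME Online"))
    approved = approve_transaction(txid, "handset-A",
                                   client_sign_approval(key, txid, 120000, "ACME Online"))
    return legit, phished, mismatch, approved


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```

The two properties worth noticing are that the server never trusts the client's copy of the transaction details when checking the approval, and that both the login nonce and the transaction record are single-use, so a captured signature cannot be replayed.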


9. Set budget aside

The security landscape is constantly moving, as soon as you think you are one step ahead, you are one step behind.  Banks need to be ready to act so they should establish a dedicated Mobile security team that is empowered, funded and resourced to deliver tactical changes in response to evolving mobile security threats.  The last thing you want to do when an issue goes down is be haggling over budgets and resources.  By having funding and resources allocated at the start of the year, small changes, minor enhancements and tactical fixes can be deployed rapidly.


10. Biometrics is coming

Biometric technology such as iris scans, face recognition or fingerprint scanning has been touted for years. Australian bank ANZ recently announced that it is looking to deploy fingerprint-based ATMs. More locally, we have seen excellent traction in schools with WisePay, which is deploying fingerprint scanning technology that allows children to purchase goods in school canteens around the country. Why aren't banks doing this yet? Not sure. There has been a significant improvement in biometric security over the last few years, and of any option available, biometrics is likely to be the solution capable of converting the unconverted. One design point to get right: a biometric is an identifier that cannot be changed if it leaks, so it should be used on the handset to unlock a device-bound credential rather than sent to the bank as the secret itself.


Comments: (5)

Gary Wright 29 October, 2012, 16:43

Security should be the prime requirement, not an afterthought. However, with any transaction through the Cloud or any third party there will be security concerns. Heck, once a firm queried SWIFT security with my firm. So nothing is really totally secure, as we all know, but you can do the utmost to try and secure. That's what most ask for.

A Finextra member 29 October, 2012, 18:17

I guess it's the mentality that most concerns me. It's never "let's launch some security features and maybe bundle in a change to our payments flow". It's always about what security items we need to get our new product feature live.
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 31 October, 2012, 17:50

The popularity of services like Mint in the USA, the near-complete absence of 2FA among leading e-tailers in the USA, the dominance of "cash on delivery" as the mode of payment for ecommerce in India - in these, I see evidence of my long-held belief that (a) People don't bother too much about security when a service offers true value (b) Greater security inevitably causes greater friction, so companies anxious to boost conversion rates take the risk of lowering security (c) Where the regulators enforce greater security, consumers resist the greater friction contained in them by opting for unorthodox alternatives that are more frictionless. 

I do agree that native mobile apps are intrinsically more secure than desktop / mobile web apps. However, the same can't be said about the "mobile experience" since I feel very confident that no one can impersonate me at a bank branch or forge my signature or steal my Internet Banking credentials. However, when it comes to my mobile phone, I'm not half as sure that I won't lose it. So, intrinsic security at the level of technology is one thing but what really bothers me about mobile is what would happen if my smartphone fell into the wrong hands even if it happened due to my negligence. Mainstream adoption of mobile banking depends on how well banks and their mobile technology providers address this basic concern. Most people don't use lockscreen passwords on their smartphones, requiring a password for the mobile banking app adds more friction than doing the same on a PC or making a signature at the branch. So, providing this assurance is not likely to be so easy either.

A Finextra member 31 October, 2012, 20:42

There is no one size fits all model with customers.  As humans we are complex and unique.  So whilst I agree that there is a segment of people who 'see value in a service' and therefore are willing to turn a blind eye to security, there are segments that don't. 

Greater security does not necessarily create friction. I think that is an old belief based on poorly implemented, technology-focused solutions. Using a voice or fingerprint is surely more convenient than a username and password, and it is more secure. I think we will start to see less of security = friction.


Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune 01 November, 2012, 07:30

For over a decade, I've been waiting for the day when security doesn't imply friction. Many people, including me at one point, have expected / promised that "biometrics will become the standard for security in the next 2-3 years" - for the last 10-15 years. "Behind the scenes" security technologies and biometrics still don't cut it since they're still plagued by unacceptably high false-positive levels. This research paper explains very well why, warts and all, passwords "are more widely used and firmly entrenched than ever", why they'll be "with us for some time" and how they "are the solution which best fits the scenario of use". Personally, I find the combination of username, passwords and hardware tokens to strike the best balance between security and convenience, although I've heard several people complain that it's painful to carry hardware tokens around. 

This post is from a series of posts in the group:

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.