Why is Mobile Banking Considered Unsafe?

According to an American Banker survey conducted this year, the percentage of consumers who consider mobile banking “safe” or “very safe” actually fell in the last 12 months from 42% (2012) to 38% (2013).  The continued low uptake of mobile banking clearly has a lot to do with security. (It doesn’t help either that more than half of those polled said that their banking needs are met without mobile banking, but that’s a topic for another blog.)

So how much of this security fear is warranted? What are the real security issues? Consumers consider that mobile banking is inherently more dangerous than online banking since the mobile phone is physically, well, mobile. Is this justified?

Firstly, a mobile phone can be easily lost or stolen. This is indeed true and every user’s greatest fear. If not well protected, the phone, even turned off and locked, can be compromised in the hands of someone who knows what they are doing.

Secondly, connecting to external networks and Wi-Fi hotspots provides a means by which user credentials (shared between mobile and online banking applications) can be stolen and then used to obtain access to the account from any computer in the world. That’s scary.

Thirdly, mobile apps are also exposed to viruses, Trojan horses, and other inadvertently downloaded malware which allow hackers to access information on the phone. This is particularly relevant to Google Android users: a recent Symantec report highlighted that this open OS continues to be a principal target for malware. This is mostly due to the fact that Android allows downloading of apps from third party stores or by side-loading (via a user-enabled setting). The closed platform offered by Apple allows less opportunity for tampering.

All of these concerns are valid, but they can be easily allayed by coordinated efforts of the bank and the consumer.

The weakest link in the mobile banking security is the user, but simple tips can greatly reduce risk: locking the phone when not in use, using and changing your mobile phone access code, not disclosing or sending passwords, keeping your device updated with the most recent software, applying anti-virus software for Android, using secure networks whenever possible, not jail-breaking your device, and using only trusted apps from official app stores.

From the bank side, a mobile banking app should adhere to industry best practices: limiting the storage of personal information on the device, always using communication via a Secure Socket Layer (SSL) connection, not allowing installation of the app if the phone has been jail-broken, applying a connection timeout, using a three level authentication mechanism (user, password, and reference code – this last can be fixed or a one-time password from a security token), minimizing and obfuscating software code, and using virtual keyboards to mask user-entered passwords and codes.

These safeguards are easy to implement for both the bank and the user, and they can make mobile banking as safe as online banking. The future of mobile banking depends on both sides taking responsibility to reduce risk. Do you think that this will be enough to calm users’ fears and improve next year’s numbers?