Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
May 16, 2011
Practical tips for enhanced mobile security
We recently sat down to talk with Soren Bested to discuss mobile security. Soren, who has more than ten years of experience in high-tech industries, currently serves as managing director of Monitise Americas, a leading provider of mobile banking and payments in both the U.K. and U.S. markets. Mobile security is a hot topic at Portals and Rails. Recent posts have covered common myths about mobile banking and payments and laid out foundational principles for a successful mobile payments ecosystem in the United States. Continuing in this vein, Soren offers some practical tips on using mobile devices to secure financial transactions today.
Mobile security is top-of-mind for consumers, and their concerns about the safety of the mobile channel have limited mobile banking and payments adoption. Soren suggests, however, that mobile has the potential to be "super-secure," and even to enhance the security of existing financial service channels. Financial institutions and technology providers might consider the following recommendations in approaching mobile to take advantage of this potential security.
Match service channel to function
The mobile channel incorporates several different technologies, or service channels: SMS (text messages), mobile applications, and mobile browsers. Each of these service channels has a unique security profile, and as such is best suited for different tasks. SMS, for example, transmits information over the air in an unencrypted format, and is therefore inappropriate for carrying payment or personal identification details. However, SMS is perfect for sending notifications because it is immediate, inexpensive, and convenient. Banks might insist that customers use a password-protected mobile application when they conduct more sensitive business, like initiating a peer-to-peer transaction or transferring a balance between accounts. These examples illustrate that the mobile channel cannot be approached with a single security protocol; rather, security practices should be tailored to each channel and its unique risk profile.
Use existing industry security guidelines
Soren advises that financial institutions not reinvent the wheel when they design mobile security. The industry can instead apply established security guidelines: the PCI DSS (Payment Card Industry Data Security Standard) requirements for card transactions, the SAS 70 operational standards, and the FFIEC guidance on multi-factor authentication. Conforming to these existing standards decreases the burden on banks by allowing them to take advantage of existing industry expertise in developing a secure product. Banks can then outsource some security development and auditing functions, in the same way that merchants rely on vendors to ensure compliance with existing PCI DSS requirements. Not only does this improve the customer's security, it also lowers the upfront cost and shortens the timeframe to launch a mobile product.
Implement true two-factor authentication
Strong authentication requires multiple unique factors. Possible factors for authentication include "something you know," like a password or your mother's maiden name, "something you have," like an RSA token or an ATM card, and "something you are," which could be a biometric identifier like a fingerprint or voice pattern. Currently, most online banking security consists of username and password, and sometimes challenge questions—all things that the user knows. This approach is not two-factor authentication, but is essentially single-factor authentication twice, and as such offers only limited security. Mobile financial services can incorporate passwords as well, but they can also add the "something-you-have" factor with the mobile device itself. A mobile phone is a personal device unique to the user in a way that computers often are not. While families may share a computer, usually each person has his or her own mobile phone. In addition, technology allows for the unique identification of any mobile device, tying the device to the individual user. Some companies have even experimented with adding a third factor to mobile banking by enabling biometric voice authentication of mobile transactions.
Mobile phones can also increase existing online banking security by acting as a second factor for customer authentication. The user's phone will often be only a few feet away when he or she logs into online banking on the computer, and the user could take a call or SMS to authenticate the session. Mobile technology may be the key that allows banks to fully implement multi-factor authentication, a gold standard of security.
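As an added illustration (not part of the original post, and not Monitise's code), the following Python models the "know / have / are" taxonomy Soren describes, shows why password plus challenge question counts as one factor, and uses an HOTP code (RFC 4226) from a secret enrolled on the registered phone as the "something you have" proof. The authenticator names, the HOTP choice, and the look-ahead window are assumptions of this example, not details from the post.

```python
"""Added example: classify authentication factors and bind a possession
factor to a registered mobile device. Assumptions (this example's, not
the post's): the factor taxonomy below, and HOTP (RFC 4226) over a
secret provisioned to the device at enrolment as the possession proof.
"""
import hashlib
import hmac
import struct

# Factor category of each authenticator type mentioned in the post.
FACTOR_OF = {
    "password": "know",
    "challenge_question": "know",
    "device_otp": "have",
    "atm_card": "have",
    "voice_biometric": "are",
}


def distinct_factors(authenticators):
    """Return the set of factor categories a login design relies on."""
    return {FACTOR_OF[a] for a in authenticators}


def is_true_mfa(authenticators):
    """True only when at least two different categories are present.
    Password plus challenge question is 'know' twice, so it fails."""
    return len(distinct_factors(authenticators)) >= 2


def hotp(device_secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code proves possession of device_secret."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(device_secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_device_code(device_secret, expected_counter, submitted, window=3):
    """Server-side check of the code the registered device produced.
    Accepts a small look-ahead window and returns the next counter to
    expect, or None if no counter in the window matches (wrong device
    or a replayed, already-consumed code)."""
    for c in range(expected_counter, expected_counter + window):
        if hmac.compare_digest(hotp(device_secret, c), submitted):
            return c + 1
    return None
```

Advancing the stored counter on success is what prevents a captured code from being accepted a second time; a username-and-password check alone has no such property.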
These are just a few of the ways that mobile technology might lead us to greater security in financial services. But we know many of our readers are also mobile experts, and have even more ideas about enhancing security with mobile. Leave a comment or send us an e-mail with your tips on improving mobile security.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed