Smartphone technology, thanks to consumer demand, is poised to become the most significant technology disrupter since the Internet and will forever change how banks serve their customers.
Smartphones appeal to bank executives because of their labor-saving potential and because they provide another point of competitive distinction as banks race to create innovative handheld applications.
Given the recent cyberattacks on U.S. banks, however, one might ask "how safe is smartphone banking?" The answer to that question – indeed to the overall profitability of smartphone banking itself – lies with the customers.
One threat challenging the success of smartphone applications has to do with the physical location of the customer. If their smartphones are operated through cellular data networks, then customers are, for the most part, immune to cyberattacks. That's because major carriers are adding encryption to their voice and data service in anticipation of a spike in smartphone-based activity. The new encryption initiatives will support smartphones and tablets.
If, however, smartphone connections are made through Wi-Fi networks, such as wireless access points in the home, at coffee shops or in airport lounges, then the risks of unsafe networks emerge. It is the endpoint of any Internet connection where risks rise dramatically and, for smartphone users, Wi-Fi can make customers vulnerable to hacking attacks that may result in the theft of their login credentials.
Public Wi-Fi hotspots are also problematic because they expose the bank's internal networks to another potential entry point. Since these hotspots are not necessarily kept current with the latest software updates, and the vast majority of routers are either open (i.e., not requiring a passkey) or protected by trivial passkeys that are easily guessed, Wi-Fi connections represent a significant weakness that the bank's risk management team must address. Connecting to a corporate network through a public Wi-Fi connection whose firmware has not been updated is like getting into an elevator that has not been inspected since installation – anything could go wrong.
Another concern for smartphone-based banking applications involves the encryption protocol used by the Wi-Fi device to transmit customer data between the phone and the access point. WPA2 (Wi-Fi Protected Access, 2nd generation) is the most secure, WPA (version 1) is somewhat secure, and WEP (Wired Equivalent Privacy) is insecure. For smartphone banking to work as promised, banks need to teach customers which protocol to prefer.
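The ranking above can be turned into a simple check that a bank's customer-education material, or a help-desk tool, can apply to a list of nearby networks. The following is an added example, not code from the original article: it parses bracketed capability strings in the style of an Android scan result (the format and the sample scan are assumed and constructed for illustration), rates each network by the weakest protocol a client could end up negotiating, and flags anything below WPA2 as unsuitable for banking.

```python
import re

# Ranking stated in the article: WPA2 > WPA > WEP > open (no passkey).
# Lower number means safer.
TIERS = {"WPA2": 0, "WPA": 1, "WEP": 2, "OPEN": 3}


def classify_capabilities(caps: str) -> str:
    """Return the weakest protocol a client could end up using on a network.

    `caps` is assumed to follow the bracketed Android ScanResult layout,
    e.g. "[WPA2-PSK-CCMP][ESS]". A mixed-mode network that advertises both
    WPA and WPA2 is rated as WPA, because a client may negotiate the older
    protocol. A network with no WPA/WPA2/WEP token is treated as open.
    """
    tokens = re.findall(r"\[([^\]]+)\]", caps)
    found = set()
    for tok in tokens:
        name = tok.split("-")[0].upper()
        if name == "WPA2":
            found.add("WPA2")
        elif name == "WPA":
            found.add("WPA")
        elif name == "WEP":
            found.add("WEP")
    if not found:
        return "OPEN"
    # The weakest advertised protocol decides the rating.
    return max(found, key=lambda n: TIERS[n])


def safe_for_banking(caps: str) -> bool:
    """Only networks where every advertised mode is WPA2 pass the policy."""
    return classify_capabilities(caps) == "WPA2"


# Constructed sample scan, not real data.
SAMPLE_SCAN = [
    ("HomeRouter", "[WPA2-PSK-CCMP][ESS]"),
    ("CoffeeShop", "[ESS]"),
    ("Lounge-Legacy", "[WEP][ESS]"),
    ("Office-Mixed", "[WPA-PSK-TKIP][WPA2-PSK-CCMP][ESS]"),
]


def triage_scan(scan):
    """Return (ssid, protocol, allowed) tuples, weakest networks first."""
    rows = [(ssid, classify_capabilities(c), safe_for_banking(c)) for ssid, c in scan]
    return sorted(rows, key=lambda r: -TIERS[r[1]])


if __name__ == "__main__":
    for ssid, proto, ok in triage_scan(SAMPLE_SCAN):
        verdict = "ok for banking" if ok else "do not use for banking"
        print(f"{ssid:15} {proto:5} {verdict}")
```

The mixed-mode case is the one customers most often misjudge: a network that shows a WPA2 badge but also offers WPA lets the handset fall back to the weaker protocol, so the checker rates it by that fallback rather than by the best mode advertised.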
A third weakness involves the Bluetooth communications protocol used by smartphones to pair with devices such as wireless earpieces. Since it provides access to the phone's operating system, successfully guessing the 4-digit PIN used for pairing gives hackers access to all the data going in and out of the device. Here too, customers run the risk of login credential theft, and hence banks run the risk of fraudulent transactions by imposters.
For smartphone applications to meet expected profit levels, banks must inform customers of these weaknesses and provide basic advice that can help protect both parties. This advice can include switching off Bluetooth when not in use or frequently changing PIN codes.
Finally, common smartphone attacks such as eavesdropping (recording the smartphone's signal for later replay and offline descrambling), shoulder surfing (to steal passwords), Trojan horse attacks (setting up fake hotspots to steal login credentials) and outright smartphone theft all represent profit-robbing risks that banks need to consider.
When planning smartphone initiatives, banks need to integrate information security strategy with their business strategy to ensure a smoother outcome.
To summarize, no single information security technology can protect banks from wireless hijacking, so it is important to educate customers on safe smartphone use: connecting only to trusted Wi-Fi access points, installing antivirus software and using strong passwords. Smartphone banking applications promise too much payoff to skimp on the implementation of sound IT security practices.
James Gabberty is a professor of information systems at Pace University in New York City and teaches graduate-level courses in systems analysis and design, telecommunications and information security. He can be reached at James_Gabberty@Sloan.MIT.edu.