While small banks already face a mobile banking adoption deficit to their larger competitors, some community institutions are still questioning the channel's safety, weighing emerging security threats against consumer expectations of new mobile banking services.
"Mobile is still an emerging technology and it isn't fully mature," says John Caton, executive vice president at BankFIRST, a $680 million-asset bank based in Winter Garden, Fla.
Caton says the bank is not offering the latest mobile banking native apps. Part of the concern is the possibility of infiltrations to the native apps' operating system.
According to the bank's website, customers can access some rudimentary services by mobile phone, such as text balance inquiries for customers that are already registered for online banking via their PC. But the more advanced mobile transactions, such as person-to-person payments, mobile check deposit and smartphone-specific apps are still tabled until the bank is comfortable with security protections. "We're primarily focused on securing the PC or a Mac," Caton says. "We are assessing mobile and will offer it eventually, but we won't offer it until we know we can do it securely."
While Caton's worries sound contrarian in an otherwise go-go period for mobile banking, tech providers and analysts say there are threats to mobile banking, including dangers such as new malware strains and hardware vulnerabilities such as stolen or lost devices.
In an interview for an upcoming report on wireless security, IDC Financial Insights practice director Aaron McPherson said mobile devices are behind the curve in terms of security and anti-virus technology, partly because there haven't been enough attacks yet to warrant large-scale development of preventative technology, but that the attacks on mobile banking and preventative techniques will also increase over time.
Amit Ashbel, product manager for the mobile product line at Trusteer, says the exploits and vulnerabilities are increasing rapidly for mobile banking -- in the past three years the number of specific attacks has grown five times as rapidly as during the past 15 years of PC-based Internet banking. "We are seeing a big trend toward an increase in mobile malware that is infecting different smartphone platforms," Ashbel says. "The main threat is the malware that resides on the device," Ashbel says.
Ashbel says the threats include "jailbreaking," in which users gain root access to the operating system, allowing iOS users to download additional applications, extensions, and themes that are unavailable through the official Apple App Store. "That software may be a credential stealing program." Ashbel says mobile malware and jailbreaking threats can be countered by a layer of security software that's added to the browser or native banking app that notifies the bank if the app has been jailbroken or compromised in some other manner. The bank then follows with a series of countermeasures such as denying log in.
Bart Narter, senior vice president at Celent, says mobile banking security threats can also be mitigated by balancing usage parameters against consumer usage patterns.
For example, banks can limit mobile payment to recurring payments to pre-existing payees, rather than allowing new payment relationships from being initialized in the mobile banking application. By forbidding the adding of new payees in the app, it becomes harder for a mobile device to be infiltrated, or stolen outright, by a crook that then initializes him or herself as a new biller, then "pays" himself by using the mobile banking app. While that does limit the app's functionality, Narter says the limitations aren't prohibitive for most users. "You generally don't need to send a wire transfer immediately to a person that you've never sent a wire transfer to before," Narter says.
Narter says similar minor constrictions can be placed on functions such as mobile remote deposit capture. "Some banks will give slower availability of funds to reduce the risk of 'double deposit,' for example."