Bankers Debate Privacy, Security Trade-Offs of Mobile Apps

The explosive growth of mobile applications has inspired financial firms to create tools that aim to make it easier for customers to save, budget, pay bills and send money to friends and family. But the rise of the app has also opened up financial firms to a host of security issues and privacy concerns.

The mobile payments app Venmo emerged as a symbol of the tension among innovation, convenience and security at American Banker's Digital Banking Summit in Austin, Texas, earlier this week. The app's most distinctive feature — a social news feed on which users describe the details of their recent transactions — tends to send shivers down the spines of privacy advocates. But while Venmo's success among millennials might appear to suggest that today's young people have a laissez-faire attitude toward privacy, experts at a peer-to-peer payments panel suggested that the truth is more complicated.

"It's not that millennials don't care about privacy, it's that they care about status," said Kevin Foster-Keddie, chief executive of Washington State Employees Credit Union.

Young people are only interested in letting their peers know they've just snagged a new pair of sneakers because the purchase is symbolic, the theory goes.

"People like to acquire status in lots of different ways, and one way is to talk on social media about what they're doing and the products they're acquiring," Foster-Keddie said. "It's not about the transaction, but what it says about them."

Privacy concerns over Venmo's public news feed may be overblown, according to Shari Krikorian, vice president and senior business leader in the personal payments organization at MasterCard.

"I've talked about this with some younger people at MasterCard, and they say it's all an inside joke," Krikorian said. "You guys just don't get it." In other words, users may be more likely to list payments as reimbursements for experiences like "Chris Pratt strip tease" than to disclose information that would come back to haunt them.

Panelists also weighed in on millennials' attitudes toward cybersecurity in payments apps. Venmo appears to have emerged relatively unscathed from highly-publicized fraud issues earlier this year. This suggests to some observers that young people may be willing to accept the risk of losing small amounts of money for the sake of convenience.

But millennials will revolt against vulnerable financial apps if more of their money starts going missing, according to Armin Ajami, vice president of virtual channels and senior product manager at Wells Fargo.

"Right now millennials don't worry about security, but when they lose a couple hundred dollars and it's hard to get the money back, they'll care," Ajami predicted. "I think security and safety are table stakes for this kind of business."

The security risks involved with mobile apps also provided ample fodder for experts at a separate panel on nation-state cybersecurity attacks. Celent senior analyst Jim O'Neill argued that the proliferation of apps on Apple and Google Play poses a major threat to banks and their customers.

"The biggest issue that bankers need to contend with is that in contrast to the early days of the Internet, where we had two operating systems and maybe three browsers … now we have 2.6 million apps you can potentially download to your phone," O'Neill said. "Throw in another half-million apps that Amazon is introducing for Kindle, and you have a cornucopia of back-door opportunities for malware."

Cybercriminals can now use customer smartphones to create millions of potential points of attack into banks' systems, O'Neill said. He cited a recent incident linked to the release of the satirical film The Interview, which lampooned North Korean dictator Kim Jong-un, as one example of the threat posed by mobile apps.

"A new Android app popped up around that time on Google Play that promised a free copy of The Interview," he said. "But in fact it contained a Trojan directed at South Korean banks and South Korea in general." Over 20,000 devices were affected by malware aimed at stealing smartphone users' banking data, according to The Guardian.

Financial firms may have a tough road ahead in designing defenses against ever-evolving cyberthreats without creating hurdles that annoy customers who just want their transactions to be fast and simple. But at least one banker declared that his institution has found a way to bolster security on its mobile apps while making them easier for customers to use.

USAA chief security officer Gary McAlum championed his bank's decision to roll out biometric authentication on its mobile apps. Starting late last year, USAA began allowing customers to log into its app using facial and voice recognition technology. The bank also offers a fingerprint option.

"It's kinda cool and it's more secure, but the member experience is the key reason it's taken off — it's quick and it's fast. People like that," McAlum said.

McAlum predicted that biometric authentication and other, as-yet-unknown methods will go a long way toward helping banks defend themselves against phishing, malware, data breaches and fraud in the future.

"We see a future where there's no password and no information authentication that will depend on something that's already known" like customers' Social Security numbers and high-school mascots, he said. The identity verification process on banks' mobile apps, websites and call centers "is not going to be nearly as burdensome as it is today."

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER