Authentication: Can You Protect Me Now?

With anti-phishing filters and toolbar indicators of SSL encryption, PC browsers are designed with security top of mind. Cellphone browsers, in contrast, are about "making sure you can download a ring tone or you can buy a wallpaper," says Eric Kraar, a senior systems architect with mobile banking-services provider Firethorn, which is getting a lot of play in the market.

The security gap in Web-enabled cellular phones has so far been a noticeable but workable limitation for mobile banking, since the few launches to date have largely been confined to balance inquiries and ATM-locator maps. But some industry forecasters predict a quick maturity for mobile banking, with so many younger consumers eager to adopt funds-transfer, bill-pay and other higher-risk transactional features that banking-on-the-go will become a prime industry growth channel over the next three to five years, mushrooming to an estimated 35 million users.

Whether or not it takes off quickly, fraud will find its way to the channel, and with it questions about making the right choices against current and future threats. Banks have critical decisions to make regarding mobile banking's unique vulnerabilities (such as "smishing," or SMS text-message phishing), and there's been little consensus on the right security play for multi-factor authentication. "To be honest, I don't think [the multi-factor authentication component] is very high up on the list, as far as a priority for banks buying into a mobile-banking solution, which might seem a little bit surprising," says Nick Holland, a senior analyst with research firm Aite Group.

Pioneering mobile-banking institutions have all been adding multi-factor capabilities to their banking-platform purchases or in service rollouts. Those security selections have varied, including extending online banking two-factor systems; adopting stand-alone safeguards from third-party vendors like Actimize or VASCO; or ordering from the menu of their mobile-platform providers, such as Firethorn or mFoundry.

Some banks using SMS-based transactions and alerts already use the phone as an authentication piece for the online-banking channel, so the phone can serve as a de facto token. However, what many have found in developing mobile multi-factor authentication is that it's not as simple as it would appear.

"Many of the large banks putting out their WAP sites have found that, wow, all WAP browsers are not the same," says Firethorn CTO Derek Porter. Many OEM-supplied handset browsers cannot be patched or updated, Porter says, and the standard alphanumeric phone keypad is a pain for applications carried over from the Web channel. "What sounded simple at first wound up being a lot tougher from a user perspective."

"You can't expect a customer to enter a complex password on a cell phone," says BancorpSouth svp Michael Lindsey, manager of electronic delivery services. Firethorn, which has announced the most U.S.-based launches on its downloadable, carrier-based platform, offers client institutions like BancorpSouth a device-based authentication scheme, which uses a six-digit PIN from the customer tied to a proprietary handset or carrier characteristics. (Those can be a manufacturer's code, SIM card information, mobile IP address or customer's phone number).
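The following is an added example, not Firethorn's or BancorpSouth's code, of what a device-bound six-digit PIN check of the kind described above looks like on the server side. The attribute names, the canonicalisation of the device fingerprint, the PBKDF2 parameters and the lockout policy are all this example's own assumptions; the sample attributes are constructed. The point a practitioner should take from it is that a six-digit PIN has only a million values, so the PIN must be bound to the device at enrolment and guessing must be rate-limited, otherwise the "device" factor adds nothing.

```python
import hashlib
import hmac
import os
import time

# Added example of a device-bound PIN verifier. Not Firethorn's scheme:
# attribute names, canonicalisation, KDF parameters and lockout are assumed.

# Constructed sample attributes (not real identifiers).
SAMPLE_ATTRS = {
    "manufacturer_code": "MFG-0001",
    "sim_id": "8901000000000000001",
    "phone_number": "+15555550100",
}

MAX_FAILURES = 5          # six digits = 10**6 guesses; online limits are mandatory
LOCKOUT_SECONDS = 900
PBKDF2_ITERATIONS = 100_000


def device_fingerprint(attrs: dict) -> bytes:
    """Canonicalise handset/carrier attributes into a fixed-length value.

    Keys are sorted and joined with an unambiguous separator so the same
    device always yields the same fingerprint. The article also lists the
    mobile IP address; it is deliberately not used here because it changes
    between cells and sessions and would lock legitimate users out.
    """
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode("utf-8")).digest()


def enroll(pin: str, attrs: dict) -> dict:
    """Create the server-side record at enrolment.

    The PIN is never stored. A PBKDF2 verifier is derived from the PIN
    concatenated with the device fingerprint and a per-user random salt, so a
    leaked record cannot be attacked with a PIN guess alone, and a correct
    PIN presented from another device does not verify.
    """
    if not (len(pin) == 6 and pin.isdigit()):
        raise ValueError("PIN must be exactly six digits")
    salt = os.urandom(16)
    verifier = hashlib.pbkdf2_hmac(
        "sha256", pin.encode() + device_fingerprint(attrs), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "verifier": verifier, "failures": 0, "locked_until": 0.0}


def verify(record: dict, pin: str, attrs: dict, now=None) -> bool:
    """Check a PIN from a given device, locking out after repeated failures.

    `now` is injectable so the lockout can be exercised deterministically.
    The comparison is constant-time, and failures are counted whether the PIN
    or the device mismatched, so a caller cannot learn which one was wrong.
    """
    now = time.time() if now is None else now
    if now < record["locked_until"]:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", pin.encode() + device_fingerprint(attrs), record["salt"], PBKDF2_ITERATIONS
    )
    if hmac.compare_digest(candidate, record["verifier"]):
        record["failures"] = 0
        return True
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["locked_until"] = now + LOCKOUT_SECONDS
    return False


if __name__ == "__main__":
    rec = enroll("123456", SAMPLE_ATTRS)
    print("same device, right PIN:", verify(rec, "123456", SAMPLE_ATTRS))
    print("same device, wrong PIN:", verify(rec, "654321", SAMPLE_ATTRS))
    swapped_sim = dict(SAMPLE_ATTRS, sim_id="8901000000000000002")
    print("other SIM, right PIN:  ", verify(rec, "123456", swapped_sim))
```

Note the trade-off the article hints at: the more carrier attributes go into the fingerprint, the stronger the binding, but every attribute that can legitimately change (SIM swap, number port, new handset) becomes a re-enrolment event that the bank must handle through some other, verified channel.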

Core banking clients of Jack Henry & Associates will be offered a mobile platform in November, which will come with an RSA authentication piece. The browser-based solution will work off Jack Henry's bill pay and Web banking offering, says Pete Hopkins, general manager of JH's Internet Solutions.

Firethorn rival mFoundry prefers to offer up a have-it-your-way approach to authentication. Its single publicly disclosed banking client, Citibank, uses a handset-specific token approach, says mFoundry CEO Drew Sievers, but other clients have opted to try capabilities such as extending their RSA Passmark technology for Web banking (involving user-chosen images). "Banks came to us and said, 'we've invested millions of dollars in this-our customers are used to it,'" says Sievers. "We're working with about six banks now, and we don't have a consistent authentication implementation among them."

Banks aren't yet under the gun of any FFIEC-mandated guidance for mobile multi-factor, "but I think what the banks have said is, 'let's get out ahead of this right now,'" says Sievers. "They are more than willing to step up for it in the beginning."

Firethorn's Kraar says "some see mobile as a direct extension of the mobile Net, and others see it as its own channel with its own unique solutions. The industry hasn't shown whether one's right over the other one."

Anticipating a mobile banking surge (and perhaps the inevitable breach that will heighten consumer awareness of risks), several security firms have begun offering stand-alone mobile-specific security products. Nice Systems' Actimize has extended its remote banking fraud prevention into the mobile banking arena, with consumer behavior as its underpinning. "It's a set of models similar to those that detect unusual activity via online or [landline] phone," says Paul Henninger, director of product management in the Actimize fraud group.

Of course, those mobile banking behavior models don't yet exist, so all will have to be built "in the context of cross-channel analysis," says Henninger.

Vasco International's widely used Digipass is going mobile soon with the same OTP generation and digital signature functionality as its online banking token systems. The Digipass mobile solution will operate through a downloadable Java applet, which is currently under pilot with a "couple of thousand users," says Vasco vp of sales Kevin Donvan. The mobile security service will also be offered through an API directly integrated into the mobile application, and through SMS messages deliverable from bank fraud alert systems.
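To make the "OTP generation and digital signature functionality" concrete, here is an added example in Python (not Vasco's code; Digipass algorithms are proprietary and are not reproduced here). It implements the open HOTP algorithm of RFC 4226, which is what a counter-based token like the one described does in principle, and adds two things a bank-side verifier needs: a look-ahead window so a token whose button was pressed a few times without submitting still works, and a transaction-signing variant that binds the code to payee and amount so a phished code cannot be replayed against a different transfer. The transaction-code construction (HMAC-SHA-256 over counter plus canonical fields) is this example's own assumption; the secret is the RFC 4226 test-vector key and the payee/amount values are constructed.

```python
import hashlib
import hmac
import struct

# Added example: RFC 4226 HOTP, a transaction-bound variant, and the server's
# resynchronisation window. Not Vasco's proprietary Digipass algorithm.

RFC4226_SECRET = b"12345678901234567890"  # the RFC 4226 test-vector secret


def _dynamic_truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 section 5.3: take 4 bytes at offset = low nibble of the last
    byte, clear the sign bit, reduce modulo 10**digits, zero-pad."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)), C as an 8-byte big-endian int."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _dynamic_truncate(mac, digits)


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int,
                     digits: int = 8) -> str:
    """Transaction signature: the code covers payee and amount as well as the
    counter, so a code captured for one transfer does not validate another.
    Assumed construction: HMAC-SHA-256 over counter || "payee|amount"."""
    fields = f"{payee}|{amount_cents}".encode("utf-8")
    mac = hmac.new(secret, struct.pack(">Q", counter) + fields, hashlib.sha256).digest()
    return _dynamic_truncate(mac, digits)


def verify_hotp(secret: bytes, state: dict, code: str, window: int = 5) -> bool:
    """Server-side check with a look-ahead window (RFC 4226 section 7.4).

    state["counter"] is the next counter the server expects. Codes up to
    `window` steps ahead are accepted, and the server then jumps past the
    matching counter, so an accepted code can never be replayed and codes
    behind the counter always fail. With 6 digits and a window of 5 the
    per-attempt guess probability is 6/10**6, so attempts must be throttled.
    """
    expected = state["counter"]
    for c in range(expected, expected + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            state["counter"] = c + 1
            return True
    return False


def verify_transaction(secret: bytes, state: dict, code: str, payee: str,
                       amount_cents: int, window: int = 5) -> bool:
    """Same window logic for transaction-bound codes: the server recomputes the
    code over the transaction it is actually about to execute."""
    expected = state["counter"]
    for c in range(expected, expected + window + 1):
        if hmac.compare_digest(transaction_code(secret, c, payee, amount_cents), code):
            state["counter"] = c + 1
            return True
    return False


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC4226_SECRET, c)}")
    state = {"counter": 0}
    print("accept counter-3 code:", verify_hotp(RFC4226_SECRET, state, hotp(RFC4226_SECRET, 3)))
    print("replay same code:     ", verify_hotp(RFC4226_SECRET, state, hotp(RFC4226_SECRET, 3)))
    print("tx code:", transaction_code(RFC4226_SECRET, state["counter"], "payee-0001", 12500))
```

The first three HOTP values should match the RFC 4226 test vectors (755224, 287082, 359152); if they do not, the truncation step is wrong. The transaction variant is the part that matters against the "smishing" threat named earlier: a plain OTP phished by SMS is good for whatever the attacker submits next, whereas a code computed over payee and amount is only good for the transfer the customer actually saw.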

Louie Gasparini, CTO of the identity and access assurance group within EMC security unit RSA, says banks have plenty of interest in migrating their existing multi-factor online channel protection to mobile, in order to have the same look and feel across both. RSA has two methods forthcoming: a traditional Web-delivery risk-analysis path (looking at whether or not the transaction looks risky, in combination with account history and mobile device characteristics); and the issuance of a one-time password for the mobile device delivered to a different channel (voice, e-mail). What RSA doesn't do yet is provide a loadable encrypted applet.

Data-sharing arrangements between telcos and banks are one of the technical sticking points in getting to more advanced authentication. Carriers and handset companies hold a litany of proprietary information that banks and their security vendors could use as device fingerprints, but AT&T is not interested in sharing sensitive data with thousands and thousands of institutions (and perhaps can't under privacy regulations). That reality underpins the security foundation Firethorn has put forward: the company is building a library of device security attributes through its relationships with AT&T and Verizon.

Firethorn is using the knowledge base not only to determine attributes but to build layered transaction sets that will function differently across differing transaction risks. "We will also have the ability to take all this knowledge gathered from across carriers and devices, and drive that back down into the manufacturer and drive improvements of the security of the device," says Kraar.

(c) 2007 U.S. Banker and SourceMedia, Inc. All Rights Reserved. http://www.us-banker.com http://www.sourcemedia.com
