The nature of security threats against banks continues to change, as fraudsters refresh their efforts against digital and mobile banking at warp speed.
With 8.5 million mobile banking users, Bank of America Corp. has one of the most populated mobile channels in the banking industry. It's responding to security challenges by making sure it launches new mobile capabilities only after it kicks the security tires. For existing offerings, it's baking in technologies like device identification that let consumers operate somewhat on auto-pilot. And it's doing more customer education around mobile.
Keith Gordon, a senior vice president for online and mobile channels at Bank of America, recently spoke with American Banker reporter Jeremy Quittner about the evolving nature of security threats in online and mobile banking and what the bank sees on the security horizon.
Following is an edited transcript of their conversation.
How has the online security threat environment changed recently?
KEITH GORDON: Over the past eight months we have seen a significant increase in focus [from fraudsters] on the mobile environment. Previously, when we looked at malware and bank attacks on the PC and desktop, it took a while for it to pick up speed and evolve. On the desktop front, there is some really sophisticated malware out there today, but on the mobile front it has been isolated. At the beginning of this year, we started to see a pickup in malware targeting [Google Inc.'s] Android platform primarily, and [Research In Motion Ltd.'s] BlackBerry. Not much is hitting [Apple Inc.'s] iOS. The interesting thing is that it is still not really as sophisticated as I thought it would be, considering the proliferation of mobile banking.
How do you think mobile security threats are likely to evolve?
If you look at how fraudsters operate, they go after the point of least resistance for the most monetary gain. The mobile platform today in many environments is primarily a servicing platform. Customers are doing normal things that don't typically involve sending money outside of their normal routines. In many cases banks have significantly limited the ability to send money from accounts or outside existing routines like bill payment.
The area where we are starting to see an evolution is in person-to-person payments in mobile. This is the first evolution of movement of money outside of normal transactions.
We have not seen to date any direct malicious attacks against this ecosystem, but it is just a matter of time before someone figures out a process for diverting these payments.
The threats in the desktop world are pretty well defined; how are they different for mobile?
There are similar types of threats. In mobile there is "Zeus in the Mobile," or Zitmo. It can do a few things. One of the most interesting things — and we have seen this more in Europe than the U.S. — is the ability to remotely shut down the SMS capability on the phone. There is a behind-the-scenes passing of an SMS to another device, and [the customer] doesn't know this is happening; they just didn't receive the text.
In many banks, almost all that's available from SMS is texting balance information. In many experts' assessments, this has little value unless fraudsters are building a profile.
What is Bank of America doing to secure mobile banking?
All of the financial institutions are in the same boat. We want to add more capabilities for customers on the mobile platform. Customers are asking for the evolution of capabilities and functionalities. And with that, we can come alongside the mobile team as they look at functions; we can work with them to identify appropriate security controls and to ensure we have vetted this out.
One thing we have done is hardened certain aspects of the mobile banking application itself. The code on the device has been secured to the point where you can't backwards-engineer it.
But more important, with mobile we physically give you code — it becomes your device, and that code resides on our servers within our environment, and you can't manipulate the code.