It sounds counterintuitive: USAA Federal Savings Bank's customers will soon access a more-secure mobile banking service by entering less information.
The San Antonio financial company hopes to thwart hackers by adapting a technology currently used for online banking that enables its systems to recognize individual mobile phones. Hackers who have obtained a customer's log-in credentials would find the data useless, unless they have also managed to steal their phone.
In the process, USAA is also making it easier for legitimate users to access its mobile banking site and is eliminating a log-in procedure that some customers have complained is too cumbersome.
"Now it's a much more secure access, and definitely a better experience for the customer," Jeff Dennes, USAA's executive director of mobile, said in an interview.
"The reason it's much more secure is it's something they know," a PIN, "and something they have: the phone," Dennes said.
USAA is expected to announce the security feature shortly; it submitted to Apple Inc. Friday an update for its iPhone mobile banking app, and it could be approved anytime.
Beefing up security usually means introducing new barriers for customers. USAA's new app uses software from VeriSign Inc. that adds behind-the-scenes security features that mean the phone is doing more but the customer can do less.
Once a USAA customer registers their phone, VeriSign's technology lets the bank recognize that phone each time it is used to access the bank; confirming the identity of the device helps confirm the identity of the user, said Kerry Loftus, VeriSign's vice president of user authentication.
She said USAA is the first bank to apply this technology to phones, though other financial companies are currently developing similar applications.
"Companies like USAA are trying to get ahead of the curve," she said. "They know that hackers will eventually get to the mobile phone."
Many banks already employ this concept to evaluate the computers people use to access their online banking services; when they use a computer the bank recognizes, it grants them access to the site, but if they use another machine, for example, if they need to check their bank account from an Internet cafe while on vacation, the bank might request additional information to authenticate the customer.
This security method typically identifies specific machines by looking for unique details on a computer — the type of machine, the operating system, the amount of memory.
This technique doesn't work as well with mobile phones, observers say, because there is generally much more uniformity between specific devices.
Instead, the VeriSign software generates a dynamic authentication code — basically a one-time-use password — that the bank recognizes.
Today, USAA customers enter a username and password for mobile access and a PIN to approve any transactions. This is the same authentication system used with its online banking system. Once Apple approves the update that incorporates VeriSign technology, most mobile access would require only the PIN.
Though the initial update will only affect iPhone users, the need for this improvement stemmed largely from users of Research In Motion Ltd.'s BlackBerry handsets, Dennes said.
The iPhone has an on-screen keyboard that has specific keys for people to input numerals, but BlackBerrys use physical keys that must be pushed in specific combinations when people want to enter numbers.
Dennes said this made it hard for BlackBerry users to enter complex passwords. They "were having to not only deal with the small keys on the handset but also have to toggle back and forth between numeric and alpha and remember when they did that," he said.
Some were so frustrated they said, " 'I'll just wait to get back to my computer to log on,' " Dennes said.
An update for users of Google Inc.'s Android phones will follow in 60 to 90 days, and a BlackBerry update will follow thereafter, he said.
Today, roughly 40% of USAA's mobile users have iPhones, 20% to 30% have BlackBerrys and 13% to 14% have Android phones. Android users are being addressed earlier because they are the fastest-growing segment of USAA's mobile users; just four to five months ago, only 1% of USAA's mobile users were on an Android phone, Dennes said.
USAA is emerging as a technology leader in mobile banking. Last year, it began allowing its customers, largely members of the military and their families, to deposit checks electronically by photographing them with a cell phone camera.
Avivah Litan, a vice president and distinguished analyst at the Stamford, Conn., market research company Gartner Inc., said that securing a mobile phone is more challenging than securing a home computer.
"The level of granular information on mobile handsets is much lower, so you can't get as good a data set" to identify the handset as unique, she said.
In addition, the phone itself can no longer be used as a fallback for contacting the customer in the event that suspicious activity is observed, she said. If something weird happens on the personal computer, the bank can call the user's phone to verify the transaction. "What do you do if you see something weird on the phone?" she said.
The VeriSign technology addresses the first concern, since it makes it possible to confirm the identity of the phone, she said.
"The future is definitely adding these applications," she said. For USAA, "it looks like they're a step ahead of the competition."
It may also be a step ahead of the hackers, Litan said.
"The phone browsers, they haven't been attacked yet, but they're open, so they can be attacked," she said.
Even on the computer, dynamic authentication has proven unreliable, Litan said. Hackers can use viruses to intercept the one-time passwords and take over an online banking session as the user logs in, negating the benefit of the added security.
However, USAA's approach to mobile security puts it ahead of what most other banks are doing in either channel, Litan said. "It's more secure than banking on your PC," she said. "It sounds very promising, actually."
Litan said that banks could significantly improve security by introducing dynamic authentication, but customers would consider it less convenient because it would require them to launch a dedicated application; for online banking services, most people simply want to use the Web browser to which they are accustomed, Litan said.
But on the iPhone, people are used to launching specific applications for different tasks, and people consider a banking app more convenient than a mobile phone browser.
Still, she cautioned that USAA and other banks that try to duplicate its model should not get complacent.
"Put it this way: today they're adding security and convenience. Tomorrow," once the hackers have caught up, "it may just be convenience."
