Financial institutions need to step up the security they provide for mobile banking, experts on a panel at the Mobile Banking Summit agreed today.
"Facebook, Gmail, Twitter, and World of Warcraft all have multi-factor authentication," says Robert E. Lee, business analyst at Intuit. "If you're a bank and still using challenge questions, I have to ask you, why is your security worse than an online video?"
In its security assessments, Verizon hasn't seen a lot of data breaches on mobile devices, but the potential for mobile security breaches is very high, says Shahid Shoaib, principal consultant, mobility and M2M practice, Verizon Consulting Services.
"Part of this is at the platform level, we don't get the security we're looking for. Especially on Android we're seeing a lot of malware; phones can easily be jailbroken," says Shoaib. "We recommend that for any app that is accessing customer sensitive information, banks should take security matters into their own hands and not rely on what the underlying platform is giving them. All these platforms have been penetrated a number of times."
Verizon recommends not saving any sensitive user data on the device. "If you start saving data on device, then you're relying on application and platform security," says Shoaib.
However, an even larger real security danger is to back-end databases that contain passwords, according to Phillip Dunkelberger, CEO of Nok Nok Labs. "If you're going to store identity in a centralized place, why go hack a device? You're going to look for the payload at the back end."
Better mobile authentication will be key to secure mobile banking, Dunkelberger says. "Unless we re-think authentication, we're going to be continually in a debate about how to get better ease of use and more people using systems, while at the same time locking them down enough to be secure."
There's also a need to rethink identity, Lee says. "We might collect contact information, but do we verify the information? Identity validation will be huge for us in the years going forward."
Passwords are "a mess," agrees Shoaib. "Many users have the same passwords across devices and they're too simple. Password management is a huge pain." And with social media, hackers can guess a user's password by looking at his LinkedIn and Facebook pages.
The strongest approach to mobile banking security is to have some kind of challenge, such as requiring a one-time password, at every transaction, says Lee. However, this makes the user experience extremely cumbersome.
"That kind of ironclad model doesn't work in America; people would probably switch banks at that point," he says. "The best way to lower the burden on the user is to use real-time risk scoring so you can change the authentication required based on perceived risk."
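As an added illustration of the risk-based step-up model Lee describes (example code written for this article, not from Intuit or any panelist), a small Python policy scores a transaction on a few device and behaviour signals and picks the challenge level; the signals, weights and thresholds are assumed for illustration, not an institution's real rules.

```python
from dataclasses import dataclass

@dataclass
class TransactionContext:
    """Signals a mobile banking back end would have at decision time (assumed set)."""
    amount: float               # transaction amount in account currency
    known_device: bool          # device previously enrolled for this customer
    platform_integrity_ok: bool # jailbreak/root check passed
    geo_matches_history: bool   # location consistent with recent sessions
    txns_last_hour: int         # velocity of recent transactions

# Additive risk weights; values are illustrative assumptions, tuned in practice from fraud data.
WEIGHTS = {
    "unknown_device": 30,
    "platform_compromised": 40,
    "geo_mismatch": 20,
    "large_amount": 25,
    "high_velocity": 15,
}
LARGE_AMOUNT = 1000.0
HIGH_VELOCITY = 5

def risk_score(ctx: TransactionContext) -> int:
    """Sum the weights of every risk signal present in the context."""
    score = 0
    if not ctx.known_device:
        score += WEIGHTS["unknown_device"]
    if not ctx.platform_integrity_ok:
        score += WEIGHTS["platform_compromised"]
    if not ctx.geo_matches_history:
        score += WEIGHTS["geo_mismatch"]
    if ctx.amount > LARGE_AMOUNT:
        score += WEIGHTS["large_amount"]
    if ctx.txns_last_hour > HIGH_VELOCITY:
        score += WEIGHTS["high_velocity"]
    return score

def required_challenge(ctx: TransactionContext) -> str:
    """Map the score to a step-up level: low risk passes on the existing session,
    medium risk demands a one-time password, high risk is held for out-of-band review."""
    score = risk_score(ctx)
    if score < 30:
        return "session"          # no extra friction for the customer
    if score < 70:
        return "otp"              # one-time password only when risk warrants it
    return "hold_for_review"      # too risky to complete automatically
```

Scoring only the risky signals means a routine payment from a known, intact device sees no challenge, while the same payment from a rooted, never-seen device is held.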
Of the mobile devices, iPhone is still winning the mobile security battle, Lee says. "Apple only lets you run apps that have gone through their vetting process. There will still be vulnerabilities, times when you could exploit it as an attacker, but it does eliminate the single Trojan. If I created a Trojan today, I could only install it on a jailbroken device."