The new federal guidelines on mobile security held a few surprises, especially for small banks.
Perhaps the biggest curveball was the suggestion that mobile may not be a good fit for everyone.
Most banks would probably say they need a mobile app to be relevant, but the guidelines start out asking them to mull the strategic risks in determining whether they really have to have one. That advice is necessary in many cases, according to one tech expert.
"Mobile is still, for some financial institutions, added on — hey, we have online banking so now we're going to tack on mobile banking," said Mercedes Tunstall, a partner at the law firm Pillsbury Winthrop Shaw Pittman in Washington. "The care and feeding that was given to building a website in the first place, and getting online banking services running, often has not happened in the mobile side."
A lot more effort is needed than buying an off-the-shelf app, Tunstall said. In her view, the regulators are putting banks on notice — don't do it until you can do it properly, and you have to ask questions about security.
Michael Lynch, currently chief strategy officer of the security provider InAuth, reads the strategic-review portion of the guidelines as a call for banks to sharpen their mobile strategies.
"If a bank doesn't have a strategic plan, they're in pretty big trouble here," said Lynch, who was head of digital banking authentication strategy and consumer protection at Bank of America until last year.
Regulators are "basically saying we recognize there are threats and risks associated with mobile financial services that are different than traditional PC-based browser access, so you need a specific strategy for mobile, and you need to show that strategy and show a defense in depth specific to mobile devices," he said.
The Office of the Comptroller of the Currency, Federal Reserve, Federal Deposit Insurance Corp. and the Consumer Financial Protection Bureau — which wrote the guidelines together — all declined interview requests to discuss this part of the rule and others that are sure to catch the industry's attention.
Observers generally gave high marks to the overall guidelines but say banks will have to hustle to comply. The guidelines include some surprisingly specific requirements tied to geolocation, annual security tests of apps and cross-site scripting. Here are some of the potential trouble spots.
Building Safe Apps
The regulators provide a list of suggestions for building secure apps and advise the use of OWASP standards for doing so. "I think they're saying the onus is on either the financial institution or whoever is doing programming for it to make sure that they're following those best practices," Lynch said.
He notes that programs like Arxan and Metaforic can help make sure code itself is protected and cannot be reverse-engineered. "That's a best practice," he said.
The regulators carefully delineate mobile websites from mobile apps, and they suggest banks should refine separate security approaches to each.
"It's been easier for financial institutions to protect their mobile apps because they have more access to the operating system layer of the device itself, so they can look at things like whether the device has been infected with malware, whether it's been jailbroken or rooted," Lynch said.
In addition to being able to detect rooted or jailbroken devices, technology built into mobile apps can tell if the user is hiding the fact that it is rooted or jailbroken, Lynch said. "That's important because that should raise the risk even higher for certain devices," he said. "If someone is hiding that, it's deceptive and it should make that device more suspicious."
Mobile apps can also be written to scout out other kinds of suspicious activity, Lynch said, including a SIM card change, or a make or model or operating-system version that does not make sense for a device — a sign it might be an emulator spoofing a device so as not to get challenged.
On browsers, it is a little easier to perform things like man-in-the-middle attacks, he said, by redirecting the customer to a malicious URL.
One unexpectedly specific recommendation is that banks build in the use of geolocation in fraud control and transaction monitoring. Some banks have built this capability into their apps and it is useful. (My bank alerted me a few months ago to the fact that my debit card was being used to make small payments in Baltimore while my phone was with me in New York. We were able to catch this fraud quickly, before it blossomed into something larger.)
"If the settings are set properly, you can pull the geolocation from a mobile app and match it with where supposedly the transaction is happening and use that to indicate whether it's fraud or not," Tunstall said. She also notes that the capturing of geolocation data raises sensitive privacy issues. The guidance doesn't address this, but Tunstall said that banks will need to clearly disclose to customers that their geolocation data is being pulled for this purpose.
"I don't know that most financial institutions have gone that far," she said.
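The geolocation check described above (a phone in New York while the card is used in Baltimore), as an added illustration that is not code from the guidance or from either expert; the 50 km mismatch threshold, the 15-minute fix age and the consent flag standing in for the disclosure Tunstall calls for are assumptions, and the coordinates and timestamps are constructed sample data.

```python
from math import radians, sin, cos, asin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def check_geolocation(device_fix, transaction, max_km=50.0, max_fix_age_s=900):
    """Compare the app's last location fix with where a card transaction claims
    to happen. Returns (status, distance_km). Thresholds are assumed values."""
    if not device_fix.get("consented"):
        # No location data is used unless the customer was told and agreed.
        return "unavailable", None
    if abs(transaction["ts"] - device_fix["ts"]) > max_fix_age_s:
        # An old fix says nothing about where the phone is now.
        return "stale", None
    d = haversine_km(device_fix["lat"], device_fix["lon"],
                     transaction["lat"], transaction["lon"])
    return ("mismatch" if d > max_km else "consistent"), d


# Constructed sample: phone in Manhattan, card used a minute later in Baltimore
# (should flag) and in Midtown Manhattan (should not).
PHONE_NYC = {"lat": 40.7128, "lon": -74.0060, "ts": 1_700_000_000, "consented": True}
TX_BALTIMORE = {"lat": 39.2904, "lon": -76.6122, "ts": 1_700_000_060, "amount": 12.50}
TX_MIDTOWN = {"lat": 40.7580, "lon": -73.9855, "ts": 1_700_000_060, "amount": 12.50}

if __name__ == "__main__":
    for tx in (TX_BALTIMORE, TX_MIDTOWN):
        status, d = check_geolocation(PHONE_NYC, tx)
        print(status, None if d is None else round(d, 1))
```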
Another surprise was a clause that banks use white-hat hacking and code analysis annually to test the security of their mobile apps.
"That's new," Tunstall said. Financial institutions tend to do extensive application analysis and testing — sometimes for months — before they roll out an app. They do not typically repeat the process every year, she said.
The guidelines point out that a lot of banks are trending toward personalization in their apps, and that privacy issues could arise around that. Identity theft and other fraud are possible problems. If fraudsters break into a customer's device and understand the customization used in an app, they could learn about that person's favorite colors and that they like the ocean, and use that information to impersonate the customer and commit fraud. On the bank's side, the privacy issue is whether it can use that personal information to market and sell to that customer.
Another unusual aspect of the recommendations is that, along with asking banks to use multifactor authentication, which regulators have urged banks to do for years, this guidance calls for re-authentication when the app is unused for a period of time; the amount of time is not specified.
"Most financial institutions go between three months to six months," Tunstall said. "In my opinion, six months is pushing it a little."
Regulators also want banks to deploy strict authentication measures each time their app is launched. "That's another piece a lot of financial institutions have skipped over, for ease of use," Tunstall said.
Many banks allow customers to check their account balances before officially logging into their mobile app, for instance. This again is information fraudsters could potentially use to impersonate customers.
Lynch points out that the level of authentication should be commensurate with the activity. "Logging in comes with a certain level of risk, but then when you go to wire funds, there needs to be an enhanced level of risk detection," he said.
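The device signals Lynch lists earlier (rooted or jailbroken, root concealed, SIM change, a make, model or OS version that does not fit) and the authentication rules in the preceding paragraphs (re-authentication after a period of disuse, authentication on every launch, stronger checks for wires), combined into one escalate-only policy as an added illustration rather than code from the guidance or either expert; the risk weights, the 90-day idle window (the low end of the three-to-six-month range Tunstall cites) and the activity tiers are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum


class AuthLevel(IntEnum):
    PASSWORD = 1        # credential on every launch; no pre-login balance preview
    MFA = 2             # second factor required
    MFA_AND_REVIEW = 3  # second factor plus out-of-band confirmation / fraud review


@dataclass
class DeviceSignals:
    rooted: bool = False                 # jailbroken or rooted device
    root_hidden: bool = False            # app detects concealment of root/jailbreak
    sim_changed: bool = False            # SIM differs from the one enrolled
    platform_inconsistent: bool = False  # make/model/OS do not fit; possible emulator


def device_risk(s: DeviceSignals) -> int:
    """Assumed weights: concealing root counts for more than root itself."""
    score = 0
    if s.rooted:
        score += 2
    if s.root_hidden:
        score += 3
    if s.sim_changed:
        score += 1
    if s.platform_inconsistent:
        score += 3
    return score


# Minimum level per activity: riskier actions start at a higher floor.
ACTIVITY_FLOOR = {
    "view_balance": AuthLevel.PASSWORD,
    "pay_bill": AuthLevel.MFA,
    "wire_funds": AuthLevel.MFA_AND_REVIEW,
}


def required_auth(activity: str, signals: DeviceSignals, idle_days: int,
                  reauth_after_days: int = 90) -> AuthLevel:
    """Escalate only, never relax: activity floor, then idle re-auth, then device risk."""
    level = ACTIVITY_FLOOR[activity]
    if idle_days >= reauth_after_days:       # app unused too long: full re-authentication
        level = max(level, AuthLevel.MFA)
    risk = device_risk(signals)
    if risk >= 5:
        level = AuthLevel.MFA_AND_REVIEW
    elif risk >= 2:
        level = max(level, AuthLevel.MFA)
    return level
```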
The guidelines repeatedly stress the need for customer awareness and education around security, but they do not suggest how this should be done. That lack of specifics presents a challenge: how do you get customers' attention and get them to care?
Many banks offer security tips on their websites, but it's doubtful that customers actually make the effort to read them. JPMorgan Chase recently tweeted a "Test Your Fraud IQ" quiz. The Twitterverse was skeptical. One critic wrote, "working with #chase to test ur #fraud iq is like working with Jeffrey Dahmer and hoping you don't end up as dinner."
mBank in Poland and U.S. Bancorp have created YouTube videos to make the public more aware of fraud issues that affect mobile banking, and Bank of the West hosts seminars and blogs on the topic. But such initiatives remain rare.
Regulators put "a lot of burden on the banks to increase customer awareness," Tunstall said. "They say banks should take reasonable efforts to educate consumers on things like the physical and logical security of mobile devices."
She suggests banks might offer a security tutorial that pops up when a customer opens a newly downloaded app for the first time. "I think it's more than just have it in some weird corner of your security page on a website," she said.
Overreliance on Vendors?
The recommendations tell banks to forge "well-constructed contracts" with their mobile-banking technology vendors.
"To me, they're saying you need to make sure you're doing more than just the usual master services agreement, that you're making sure the mobile app or the website that is accessed through a mobile browser is designed in a secure manner in a safe environment," Tunstall said.
In the end, much of the burden of complying with these recommendations may be pushed on to the vendors of mobile app platforms and core-banking platforms.
"A lot of those vendors have not been the best at keeping that technology updated and responding to regulatory guidance saying you need to do a better job with how these systems work," Tunstall noted. "I am skeptical that, unless they get a lot of pressure from banks and their customers, vendors will do all these things."
The regulators ask for management oversight of mobile app security. This will typically be a chief marketing officer or head of digital for the bank, Tunstall said, and that person should make sure a report goes to executive colleagues about what the bank is doing to comply with the interagency guidance.
There is more to the guidelines to explore than what's discussed here. Bottom line: Regulators are checking to make sure mobile apps are more than an afterthought.
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.