The increasing functionality and numbers of mobile banking platforms, the growing sophistication of criminals, and the popularity of smart cell phones create the potential for mobile banking security issues, but industry watchers have widely divergent opinions about how serious the threat really is.
Smart phones in particular-devices which can surf the Internet and run applications, such as the iPhone and the Blackberry-are supposedly the latest threat vector. And even banks not in the mobile banking business aren't immune since customers can simply surf to their regular banking Web sites using the browsers on their phones.
Security software vendor SMobile Systems says spyware is becoming increasingly prevalent on cell phones, and hackers are financially motivated to make the programs silent, stealthy and efficient so users won't even know they're there.
"People truly aren't realizing the threats today," says Dan Hoffman, CTO of Columbus, OH-based SMobile. "Banks haven't imposed security measures because they haven't accepted the fact that they have a significant risk-and a significant liability."
And there may be more to come as smartphones gain adoption, making them a more profitable attack target. According to a survey by Pleasanton, CA-based Javelin Strategy & Research, 14 percent of consumers now own smartphones-up from nine percent about 18 months ago. The research found that smartphone users are richer and younger and more tech-savvy than average cell phone users, and are more likely to become regular mobile-banking customers.
And, by 2012, 58 percent of adults with cell phones will be using them for mobile banking or receiving financial alerts, according to Javelin analyst Mark Schwanhausser.
At some point, however, plugging security holes on devices becomes more trouble than it's worth. With multi-factor authentication in place, combined with back-end fraud detection systems, the losses due to mobile fraud may not be high enough to warrant more intrusive security measures. "Banks want uptake at this point in time," says Nick Holland, analyst at Boston-based Aite Group. "They don't want to be scaring people. They absolutely do not want to start telling people that the sky is falling. In most cases, mobile banking is very, very safe."
Many mobile banking systems are designed to limit the kinds of transactions a user may perform, and may include additional safety features-such as checking to see if the customer is using an unknown device, says David Berman, senior solutions marketing manager at Fremont, CA-based ActivIdentity, a mobile security vendor.
In addition, the sheer variety of operating systems currently used by cell phone manufacturers, and the lack of a sufficiently large user base for each device, makes them an uninviting target for large-scale attacks by crime syndicates.
Also, when cell phones are lost or stolen, people immediately notice that they're gone, and have then deactivated, said Javelin analyst Tom Wills, reducing the potential risks associated with active cell phones.
Beating key-stroke loggers is a focus of many of today's mobile security vendors, but that may be a solution in search of a problem. These days less than one percent of all fraud losses suffered by banks come through cell phones and other devices, says Paul Henninger, director of fraud solutions at New York-based Actimize, a fraud detection unit of transaction/interaction monitoring firm NICE Systems of Israel. Actimize counts Bank of America and Citi among its customers.
Though he's seen cases in which customers were sent SMS messages that tricked them into giving up passwords or other key information, he hasn't yet seen any cases in which losses were caused by key logging programs or other malware that infiltrated cell phones. "We have definitely seen a handful of fraud cases involving the mobile channel," he says. "But compared to the online fraud losses, its a very small problem today."
But this was also true of online banking five years ago, he says. "The cause for concern today is not so much the financial impact on the bank but the prospect of history repeating itself," he says.