Security or Convenience? USAA Lets Mobile Users Choose

Bankers have long told their customers to log off after online banking sessions. But with mobile, USAA Federal Savings Bank is explicitly permitting users to stay logged on an extra 20 minutes.

The "Stay logged on" capability, which it added last week, flies in the face of accepted security practices but may be more in tune with the way consumers multitask from their mobile phones, experts say. It also runs counter to the lessons of some early entrants in mobile transactions.

USAA, of San Antonio, argues that it has put enough security into mobile banking to allow this new feature. It does device fingerprinting for mobile devices and is currently piloting some device-wiping programs, which would automatically delete sensitive financial information.

Users' attitudes toward mobile apps have also evolved. Many other apps do not shut down when users switch to new apps, and consumers have come to expect that behavior from most of the apps they use.

"We put this opt-in capability in to take advantage of fast app switching," which is primarily an Apple Inc. capability, says Neff Hudson, assistant vice president of emerging channels for USAA.

When Apple's app store first launched, switching between apps meant shutting them down completely. Apple added fast-app switching last year alongside the launch of the iPhone 4.

The feature allows users to perform other tasks, such as checking email or taking a call, without having to shut down and then boot up each app whenever they switch tasks.

Like most financial institutions, USAA initially structured its mobile banking sessions to disconnect when customers toggle away from it (this remains an option for users today). By contrast, the default setting for browser-based banking has been to provide a 20-minute margin before ending the session.

USAA also enabled the "Stay logged on" feature for Google Inc.'s Android and Research In Motion Ltd.'s Blackberry devices last week, Hudson says.

USAA has frequently pushed the envelope on technological advances: It was one of the first financial institutions to offer remote-deposit capture when many other financial institutions were skeptical about it. It has also pioneered the use of video links between customers at its financial centers and remote representatives.

USAA is forced to innovate, given its customer base of millions of far-flung of armed forces members and their families, experts say.

But one risk of its "Stay logged on" feature is reminiscent of the infamous "Smurfberries" fiasco, wherein parents found their kids were spending large amounts of real money on virtual berries in an iPhone game based on the Smurfs. The reason this was possible was that Apple let users "stay logged on" to the app store for a short period after the game's download – the game did not prompt for a password again when selling berries at a price of up to $99.99 a barrel.

After the issue was publicized Apple changed its policy to require another password prompt for in-app payments. Capcom, the company behind the Smurfs game, also limited users' spending ability within the game.

Another concern with mobile phones is malicious code. Malware targeted at mobile phones is nascent and limited in scope, though it is a growing concern. Zeus, a prominent hacker program for stealing bank details, has started to appear on some smartphones.

However, the risks are lower with mobile banking, since smartphone apps typically restrict users' ability to move money.

"Most mobile-banking functionality is such that you can't cause that much trouble," says Bart Narter, senior vice president of Celent's banking group.

But even if USAA and other banks can allow logons to stay open safely, its new option nevertheless contradicts years of education around online banking security.

"On the surface, this is not a good security practice," says Avivah Litan, vice president and distinguished analyst for Gartner Inc.

Session hijacking is always a risk, whether that is in the desktop environment or on a mobile device, Litan says. In these scenarios, malware allows criminals to maintain a connection after users think they have logged out.

"You always want to keep the user actively engaged to minimize this," Litan says.

USAA has gone to great lengths to secure their users' mobile banking sessions, offering things like one-time passwords generated from the app itself, experts say.

Still, mobile devices can also be easily lost, which creates a problem if users are logged on to their bank accounts at the time they lose them, says Julie Conroy McNelley, senior analyst and fraud expert with Aite Group.

"You need to make sure you think through the security risks for consumers and proactively educate them to make them aware if they choose to stay logged in that they don't lose their phones," McNelley says.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER