February 15, 2009 9:01 PM PST

Mobile banking: Safe, at least for now

by Elinor Mills

Someone asked me recently whether I thought mobile banking was safe or not. I admitted that I don't do it but that doesn't really say much. Then I mumbled something incoherent and vowed to get a real answer.

After talking to a number of mobile and security experts, I've come to the conclusion that far from being less secure, mobile banking may even be more secure than logging on to your bank Web site over your PC. And the consensus is that it's probably less risky than using checks, which can be forged, and credit cards, which can be stolen or skimmed at ATM machines for clones to be made.

As Bruce Schneier, chief security technology officer at BT, summed it up: "Yes, there are going to be security issues and they will have to shake out. The question is, if something happens will the bank make it up to you?"

Apparently it will. The rules regarding liability in mobile banking are the same as they are for other methods of banking, said Jim Van Dyke, president of Javelin Strategy & Research.

"Credit card companies have zero liability policies that apply regardless of channel," he said. For instance, "Wells Fargo has a written guarantee that they will cover all your losses if it is through mobile banking."

That's good news for the brave few who have ventured into the market. Of all U.S. Internet users, 6 percent have done mobile banking in the last week, and 12 percent have done it in the last month, according to Javelin figures.

An estimated 30 million consumers in the U.S. do mobile banking, and half of all consumers think it's not secure, the research firm said in a mobile banking security standards report in December.

Despite the fact that online banking options abound in the U.S.--from AT&T, Nokia, Sprint Nextel, Visa, and the major banks--consumers have been reluctant. That could be for several reasons, my colleague Marguerite Reardon has concluded: they don't like downloading apps to their phones as is required by some banks, they are turned off by the small screen, and they can do it on their PCs more easily.

"We're not hearing of security issues in the mobile world," because the security benefits with mobile banking outweigh the disadvantages, Van Dyke said.

First, the con to mobile banking security:

Mobile devices are easy to lose: "It's more or less as safe as banking you would do from your home computer, maybe slightly more risky, similar to using a laptop at Starbucks," said Charlie Miller, a principal analyst at consultancy Independent Security Evaluators. "The biggest difference is you are carrying the thing around with you and are more likely to lose physical custody of it than a computer."

Even so, the convenience outweighs the risk, he said. "It is no riskier than calling someone using your debit card or buying on Amazon with a debit card."

Now for the pros:

Mobile banking can be done anywhere at any time: Because people can do mobile banking at any time, they are more likely to log on more frequently and thus the chances of them detecting fraud are increased, said Van Dyke.

Mobile has a diversity of platforms: In the mobile world in the U.S., there is no one dominant mobile platform that can be targeted by malicious hackers like there is with Windows in the PC market. The lack of standardization also reduces the chances that malware will be interoperable with a broad range of mobile software and get widely distributed, Van Dyke said.

No banking-related mobile viruses or malware yet: "In the mobile era, we're not seeing any such Trojans," said Roel Schouwenberg, a senior antivirus researcher for security firm Kaspersky, which has partnered with Barclays in the U.K. to offer security software to mobile customers.

Mobile banking functions are limited at this time: In general, U.S. consumers can check their account balances, transfer funds between their accounts, and see recent transactions over their mobile devices.

"You're getting information that is not transactional," said Nick Holland, a senior analyst at consultancy Aite Group. "In most instances, if someone found your phone and logged into your mobile banking account, the worst they could do is pay your electricity bill."

However, things will change as more transaction functions are enabled on mobile devices, the experts said. For instance, point-to-point transactions and cross-border money transfers are on the horizon, according to Holland.

"There will be more risk as payments move over to mobile devices because criminals will put more focus there and you will get spoofing attempts," said Van Dyke.

The ability to use your cell phone to buy things will undoubtedly put a dent in the credit card business, but it will also give mobile carriers additional revenue to make up for voice business they are losing to things like Skype and text messaging, said Jan Volzke, head of global marketing for McAfee Mobile.

"There is no reason people have to pull out a plastic card with a magnetic strip, technology developed 30 years ago, to buy a latte," he said. "Just hold the phone next to a cashier, it goes beep and there you go."

Other countries are already offering mobile transactions. For example, NTT Docomo in Japan, which uses McAfee security software to monitor for malicious activity on its mobile phones, initially started allowing consumers to use their phones to pay for public transport, and then added payments for things like ice cream and eventually banking, according to Volzke.

In the U.S., banks are more cautious. Payments and banking are the biggest security concern for mobile device manufacturers, according to a Mobile Security Report McAfee is set to release on Monday.

At the same time, the manufacturers aren't installing additional security protection on the vast majority of the devices and won't allow consumers to install security software like they can with computers, said Volzke.

To safeguard against security risks, mobile users should use their device PIN codes, download mobile apps only from their financial institution, switch Bluetooth off when not in use, and avoid lending their phone to strangers to minimize the chance of someone downloading a malicious app onto the device.

All in all, "mobile banking is secure and there's not really any cause for concern," said Holland of Aite Group.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor.
by manualfunky February 15, 2009 10:46 PM PST
I'll adopt using my cellphone to pay for things when it is implanted in my body and the only way to get to it is to cut me open and search for it...
by MyMobiSafe February 16, 2009 6:51 AM PST
Mobile Banking Not As Safe As One Might Hope. This is Eric Everson, Founder of MyMobiSafe.com. I noticed this article today and it threw a red flag given all of our research at MyMobiSafe regarding the mobile malware that specifically targets the mobile banking sector. In your article you quote Mr. Roel Schouwenberg, a senior antivirus researcher for security firm Kaspersky, who suggested, "In the mobile era, we're not seeing any such Trojans" (regarding mobile banking-related malware or viruses). Not to ruffle the feathers of our friends at Kaspersky, but there is a major mobile malware file "Trojan-SMS.J2ME.GameSat.a" that should be on every mobile security provider's radar. This is a new Trojan-style application that is specifically targeting the Asian mobile market, but given its broad spectrum threat as a J2ME-based malware (Over eighty percent of the active handsets in America are J2ME-enabled) this virus could create serious issues in mobile banking over the next few months.

As a mobile security expert, I feel that the title of your article "Mobile banking: Safe, at least for now" may be misleading about the actual threat that the "Trojan-SMS.J2ME.GameSat.a" poses today to the mobile community at a global level.

Your friend in mobile security.
Eric Everson (Founder - MyMobiSafe.com)
EricEverson@Hotmail.com
by lcm327 February 16, 2009 1:48 PM PST
Check out my blog to see how Mobile Banking is affecting Africa. http://www.smudailymustang.com/?p=6582
by Willy Wonker February 17, 2009 12:54 PM PST
I'd rather use my card. Don't really know about the phone. I don't like the idea of it.
by wurtis65 February 17, 2009 4:08 PM PST
Mobile devices have a lot of hurdles to cross before they can be considered secure. Consider these emergent threats:

1) Mobile devices have finally become numerous enough to make it worth hackers' while to attack them. It's estimated that within 10 years, the Internet will need to accommodate over one **trillion** devices. "No mobile attacks?" Check out http://blogs.zdnet.com/security/?p=2415&tag=nl.e550

2) Well-documented development tools have become available for popular mobile device platforms. Vendors have been releasing documentation, code and SDKs, as well as opening up their architectures. While this trend toward openness makes it easier for third parties to develop applications and services, it also greatly facilitates the development of malware and viruses for those device platforms. Check out this recent attack against Android: http://www.nytimes.com/2008/10/25/technology/internet/25phone.html

3) Mobile devices have become critical business, military and industrial production tools, carrying valuable data well worth destroying, corrupting and, most importantly, stealing.

4) Mobile operating systems and communications protocols are typically less secure than their PC counterparts, and possess vulnerabilities that hackers can exploit. In addition, the growing size of code bases inside of modern consumer electronics means more defects that can be exploited. Experts estimate that the average mobile device contains at least 5 exploitable code defects.

Our company, Mocana, specializes in non-PC device security. If you'd like to learn more, visit our website for a free whitepaper at http://www.mocana.com
by ferretboy88 February 18, 2009 5:50 AM PST
I would never use my phone for this.