Mobile banking is a relatively new channel for delivering banking products and services that is rapidly gaining popularity. As with any new technology deployed for financial services, there are risks associated with the use and storage of personal information of the user. A recent article by Jeffrey M. Kopchik in the FDIC’s Winter edition of Supervisory Insights (available here) discusses the rewards and risks of mobile banking solutions. The article discusses the technologies used to deliver mobile banking services, identifies the potential risks to financial institutions and customers for each technology, and describes strategies for mitigating these risks.
Based on data from First Annapolis Consulting, the article notes that more than half of the 100 largest banks in the United States already offer some form of mobile banking and approximately 19 million U.S. households use mobile banking services. Nineteen of the 54 largest banks that offer mobile banking use three channels—text messaging, web-based applications, and native mobile applications—to deliver mobile banking and 17 offer two of the three channels.
The article discusses the risks associated with each delivery channel, with a focus on the security of native mobile applications. While native mobile banking applications are considered more secure than SMS mobile banking, the article notes that there is a debate among security professionals over whether mobile applications are more secure than web-based applications. The article includes a mobile application security study conducted by viaForensics.
The study looked at mobile applications in the financial services, social networking, productivity, and retail segments. The mobile applications were tested to determine what types of sensitive data they store on the device and whether those data were stored securely, and each was given a “Pass,” “Warn,” or “Fail” rating. A “Pass” rating means sensitive data are not stored on the device or are encrypted. A “Warn” rating means certain data are stored on the device, but the stored data do not put the user at significant risk of fraud. A “Fail” rating indicates sensitive data, such as account numbers and passwords, are stored on the device in clear text, placing the user at an increased risk of identity theft or other financial fraud.
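The rating scheme above can be applied to an app you own or test by logging in with known test values, copying the app's data directory off the device, and searching every stored file for those values. The following is an added example written for this summary; it is not code from the FDIC article or from the viaForensics study. The sensitivity tiers, the sample data directories and the "ciphertext" blob are this example's own constructed assumptions, and encoded forms (hex, base64) are treated as clear text because encoding is not encryption.

```python
"""
Audit an app's on-device data for sensitive values left in clear text and
assign the Pass / Warn / Fail rating described in the article.

Added example (not the article's or viaForensics' code). Assumed method:
log in to the app under test with known test values, pull its data
directory, then search each file for those values in raw, hex and base64
form. Tiers and sample files below are constructed for illustration.
"""
from __future__ import annotations

import base64
import re

# Assumed tiers: HIGH data in clear text is directly usable for fraud (Fail);
# only LOW data in clear text means exposure without direct fraud risk (Warn).
HIGH_SENSITIVITY = {"password", "pin", "account_number", "card_number"}
LOW_SENSITIVITY = {"username", "email"}

# Digit-string fields that apps often reformat with spaces or hyphens.
DIGIT_FIELDS = {"pin", "account_number", "card_number"}


def _variants(field: str, value: str) -> list[bytes]:
    """Byte patterns that count as 'clear text' for this value:
    the value itself plus its hex and base64 encodings."""
    if field in DIGIT_FIELDS:
        value = re.sub(r"[\s-]", "", value)  # compare without separators
    raw = value.encode()
    return [raw, raw.hex().encode(), base64.b64encode(raw)]


def _canonical(field: str, blob: bytes) -> bytes:
    """Strip separators from stored content for digit fields so that
    '1234-5678-9012' in a file matches the test value '123456789012'."""
    return re.sub(rb"[\s-]", b"", blob) if field in DIGIT_FIELDS else blob


def find_clear_text(store: dict[str, bytes], known: dict[str, str]) -> dict[str, list[str]]:
    """Map each known field to the files in which its value appears in the clear.
    `store` maps a file path inside the app data directory to the file's bytes."""
    hits: dict[str, list[str]] = {}
    for field, value in known.items():
        for path, blob in store.items():
            hay = _canonical(field, blob)
            if any(v in hay for v in _variants(field, value)):
                hits.setdefault(field, []).append(path)
    return hits


def rate(hits: dict[str, list[str]]) -> str:
    """Apply the article's rating: Fail if any HIGH field is exposed,
    Warn if only other data is exposed, Pass if nothing is."""
    if any(field in HIGH_SENSITIVITY for field in hits):
        return "Fail"
    if hits:
        return "Warn"
    return "Pass"


def audit(store: dict[str, bytes], known: dict[str, str]) -> tuple[str, dict[str, list[str]]]:
    hits = find_clear_text(store, known)
    return rate(hits), hits


# Constructed test values entered into the app during the test session.
TEST_VALUES = {
    "username": "jdoe",
    "password": "Tr0ub4dor&3",
    "account_number": "1234-5678-9012",
}

# Constructed data directories for three hypothetical apps.
FAIL_STORE = {  # password in a preferences file, account number base64-encoded in a log
    "shared_prefs/login.xml": b'<map><string name="user">jdoe</string>'
                              b'<string name="pw">Tr0ub4dor&3</string></map>',
    "files/debug.log": b"GET /accounts?acct=" + base64.b64encode(b"123456789012") + b"\n",
}
WARN_STORE = {  # only the username is readable; credentials live in an opaque blob
    "shared_prefs/login.xml": b'<map><string name="user">jdoe</string></map>',
    "files/vault.bin": bytes.fromhex("9c3a7f0e5b21d48ae6f0137ccd8b44a1f29e60b3"),  # stand-in ciphertext
}
PASS_STORE = {  # nothing sensitive stored at all
    "shared_prefs/settings.xml": b'<map><boolean name="dark_mode" value="true"/></map>',
}

if __name__ == "__main__":
    for name, store in (("fail-app", FAIL_STORE), ("warn-app", WARN_STORE), ("pass-app", PASS_STORE)):
        rating, hits = audit(store, TEST_VALUES)
        print(f"{name}: {rating} {hits}")
```

The search is deliberately value-based rather than pattern-based: a tester knows exactly which credentials and account identifiers were entered, so finding them in storage is unambiguous, whereas guessing at "password-looking" strings produces noise. Short test values (a four-digit PIN, for instance) will match incidental bytes in binary files, so choose distinctive test values and review each hit before recording a rating.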
While the financial services industry had the largest percentage of apps that passed the test (44%), the results show that more work needs to be done to ensure mobile applications that use a customer’s financial data do not store sensitive information unnecessarily or in an unencrypted form. Further details concerning the ratings given to applications in various industry sectors can be found in Mr. Kopchik’s article.
The article also briefly touches on other mobile banking risks such as the secure authentication of mobile customers, mobile malware and viruses, data transmission security, and compliance risk.
While the article includes some recommendations regarding mobile banking, it is not to be considered supervisory guidance.