
Mobile Security Today

By Greg Hughes


This is bonus coverage from “Are We Safe Yet?” in the October 2015 issue of Credit Union Management magazine.

Mobile banking has become an increasingly important component in how members manage their finances and interact with their credit unions. As with any financial service, security is a primary consideration. Focusing on the broader security picture – rather than just chasing the latest “attack of the week” – is the best way to manage and mitigate risk.

The proliferation of mobile devices, combined with the fact that digital banking users often access accounts using multiple devices, has made authentication and management of users and devices complex. For example, it’s important to recognize that each major operating system – such as Android, Apple iOS, and BlackBerry – has its own unique security profile and capabilities.

Defense in Depth

One valuable security best practice is a layered security and defense strategy in which control capabilities and scrutiny are applied in every stage and layer. Controls should be employed according to risk, from user enrollment and authentication, to data encryption and transaction auditing.

Credit unions should also ask their mobile application vendors how they protect their apps and how they have designed security into their software. Every credit union should be aware, as part of its overall risk assessment, how third-party vendors and their respective technologies fit into the institution’s overall risk and mitigation plan.

Conducting negative-case testing (designed to determine the response of the product outside of what is defined) and “ethical hacking” via manual penetration tests are industry best practices. Mobile application providers may be willing to share the methodology and findings of their internal testing, or coordinate with their credit union clients to conduct collaborative tests.

Members and Employees Play a Role

People are often the weakest link in the mobile security chain and, as such, educating members and employees is essential. Teach members never to open or download files emailed to them, nor to respond to inbound calls, emails or texts requesting their personal or account information.

Also encourage members to maintain their phones and tablets in a secure state by using a device passcode. Device owners should avoid modifying the device’s built-in security controls. There are inherent risks in modifying the mobile operating system via “jail-breaking” or “rooting,” which results in an insecure mobile operating system that is more vulnerable to attack or compromise via malware or other means. Members should also understand that not all devices are created equal, and remain aware of security issues with their particular device.

Security Approaches May Vary by Function

Like all security mechanisms and controls, effective mobile security functionality must be balanced with the user experience. Consumers seek out the mobile channel because they are looking for convenience, so credit unions are faced with delivering a secure service that doesn’t force users to jump through unnecessary hoops.

One way to handle this is to vary security approaches by the risk associated with each specific mobile banking transaction or function, so activities requiring strong authentication – making payments and transferring funds, for example – are available only after logging in and being properly authenticated via a secure browser or app. Other activities, such as viewing an account balance, may not require quite as much security scrutiny and proof. Determine what the appropriate level of risk is for each function and execute a security strategy and design accordingly.
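The per-function approach above can be expressed as a policy table that a server-side handler consults before doing any work. The following is an added illustration, not code from the article or from Fiserv: the assurance tiers, the function names, the amount limit and the account-number format are all hypothetical. It also exercises the negative-case testing mentioned earlier, by feeding a transfer handler inputs outside its specification and recording whether each was rejected.

```python
"""Risk-tiered authorization for mobile banking functions (added example)."""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Strength of the authentication behind a session (hypothetical tiers)."""
    NONE = 0
    DEVICE_PASSCODE = 1   # device unlocked, remembered session only
    PASSWORD = 2          # interactive login with credentials
    STRONG = 3            # login plus a second factor (step-up)


# Hypothetical policy table: minimum assurance required for each function.
REQUIRED_ASSURANCE = {
    "view_balance": Assurance.DEVICE_PASSCODE,
    "view_transactions": Assurance.PASSWORD,
    "transfer_funds": Assurance.STRONG,
    "make_payment": Assurance.STRONG,
}


@dataclass
class Session:
    member_id: str
    assurance: Assurance


class StepUpRequired(Exception):
    """Raised when the session must re-authenticate at a higher tier."""

    def __init__(self, required: Assurance):
        super().__init__(f"step-up to {required.name} required")
        self.required = required


def authorize(session: Session, function: str) -> Assurance:
    """Return the tier that was required, or raise. Unknown functions are denied."""
    required = REQUIRED_ASSURANCE.get(function)
    if required is None:
        raise PermissionError(f"no policy for function {function!r}")
    if session.assurance < required:
        raise StepUpRequired(required)
    return required


def decide(session: Session, function: str) -> str:
    """Summarize the authorization outcome as 'allow', 'step-up:<TIER>' or 'deny'."""
    try:
        authorize(session, function)
        return "allow"
    except StepUpRequired as exc:
        return f"step-up:{exc.required.name}"
    except PermissionError:
        return "deny"


def transfer_funds(session: Session, amount_cents, to_account) -> dict:
    """Server-side handler: authorization first, then strict input validation."""
    authorize(session, "transfer_funds")
    # bool is a subclass of int in Python, so it must be excluded explicitly.
    if isinstance(amount_cents, bool) or not isinstance(amount_cents, int):
        raise ValueError("amount must be an integer number of cents")
    if amount_cents <= 0 or amount_cents > 100_000_00:   # hypothetical limit
        raise ValueError("amount outside the permitted range")
    if not (isinstance(to_account, str) and to_account.isdigit()
            and 8 <= len(to_account) <= 12):
        raise ValueError("destination account must be 8-12 digits")
    return {"member": session.member_id, "amount_cents": amount_cents,
            "to": to_account, "status": "accepted"}


def negative_cases(session: Session) -> dict:
    """Negative-case test: constructed out-of-spec inputs, and whether each was rejected."""
    cases = {
        "negative_amount": (-500, "123456789"),
        "zero_amount": (0, "123456789"),
        "string_amount": ("100", "123456789"),
        "bool_amount": (True, "123456789"),
        "float_amount": (10.5, "123456789"),
        "bad_account": (500, "12ab"),
        "valid": (500, "123456789"),
    }
    results = {}
    for name, (amount, acct) in cases.items():
        try:
            transfer_funds(session, amount, acct)
            results[name] = "accepted"
        except (ValueError, StepUpRequired, PermissionError) as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for function in list(REQUIRED_ASSURANCE) + ["close_account"]:
        print(function, decide(Session("m1", Assurance.PASSWORD), function))
    for name, outcome in negative_cases(Session("m1", Assurance.STRONG)).items():
        print(name, outcome)
```

Two design points matter here. The policy is consulted before input validation, so a session that has only a remembered-device or password login is told to step up without the handler ever touching the request body, and a function with no policy entry is denied rather than allowed by default. The validation is deliberately strict about types, which is what negative-case testing tends to expose: a transfer amount arriving as a string, a float or a boolean must be rejected even though a permissive comparison would have accepted some of them.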

The mobile channel is designed with security as one of its top architectural priorities. In the financial services industry we need to be sure we stay on top of the latest threats, and do so primarily through a well-considered and carefully designed security strategy and set of controls. By proactively assessing security needs and planning with the bigger picture in mind, credit unions can minimize the impact of emerging threats to the mobile channel and ensure they are prepared to address whatever comes next.

Greg Hughes is information security officer for digital channels at CUES Supplier member Fiserv, Brookfield, Wis.
