WHITE PAPER
Mobile Security:
Customer Education for Secure Mobile Banking and Payments
JULY 2011
MOBILE SOLUTIONS
Executive Summary
Security concerns and potential identity theft and fraud threats present major obstacles to widespread customer adoption of mobile banking and payments. The direct relationship between mobile banking adoption and return on investment makes it imperative that financial institutions (FIs) implement a mobile banking security strategy comprising four key elements:
This white paper focuses on the first of these elements, customer education. It discusses the various mobile security threats prevalent in the market, and demonstrates how an effective customer education program can teach FI customers to protect themselves from these threats.
One of the biggest barriers to mobile banking adoption and usage is consumer fear surrounding security. Javelin Strategy & Research finds that mobile banking security is a significant impediment holding U.S. consumers back from banking with their handset: over half of consumers (51 percent) perceive mobile banking as unsafe or very unsafe, and only 17 percent view it as safe or very safe.1 According to Javelin, the top reason smartphone users give for not using mobile banking is fear about security (48 percent). Among iPhone owners, an even greater share (59 percent) are held back by security concerns.2 New research from Accenture shows that nearly three-quarters (73 percent) of the most active mobile device users worldwide say that using a mobile phone for payments makes them worry about their privacy, and that 70 percent feel that mobile payments increase their risk of identity theft and fraud.3 Given the direct correlation between mobile banking adoption and return on investment, financial institutions (FIs) should select a solution that is not only designed end-to-end with strong security, but also comes with a clearly defined strategy to address and overcome consumers' security concerns.
Glossary of mobile security threats

Malware: A term for malicious software that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim's data, applications or operating system, or otherwise annoying or disrupting the victim. A report by McAfee revealed an astounding 6 million new pieces of malware in the first quarter of 2011, a trend expected to surge as cyber criminals catch up with the latest mobile technologies.4

Spoofing: A fraudulent process in which a person or program masquerades as another in order to acquire sensitive personal information, such as usernames, passwords and credit card details. Examples of spoofing include phishing, SMiShing and vishing:

Phishing: Luring unsuspecting customers into providing sensitive personal information or downloading malware through an email. Popular scams include phishing emails that appear to come from an FI and contain a link to a spoofed website; the site tricks victims into logging in with their personal credentials, which are then captured by the criminal.

SMiShing: A contraction of SMS and phishing, in which criminals pose as an FI and use SMS in an attempt to gain access to confidential account information. The typical scam informs the mobile device owner that the person's account was compromised or that a credit/ATM card was deactivated. The victim is directed to call a phone number or visit a spoofed website to reactivate the card. Once at the website or on the automated phone system, the victim is asked for card, PIN and/or account numbers.

Vishing: A contraction of voice and phishing, in which victims are tricked into disclosing sensitive personal information over a phone call.

Hijacking: A type of network security attack in which the attacker takes control of a communication between two entities, masquerading as one of them.

Man-in-the-Middle Attack: An attack in which the attacker positions himself between the FI and the customer with the intent of intercepting and altering passwords or other sensitive information passing between them.

Replay Attack: An attack in which a mobile web session is captured and then replayed later by an attacker in an attempt to fool a computer into granting access.
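As an added example that is not part of the original white paper, the server-side check below shows one way a mobile banking backend can reject both the altered requests of a man-in-the-middle and the re-sent requests of a replay attack described in the glossary: each request is bound to a timestamp and a one-time nonce under a shared secret, so a modified body fails the MAC check and a captured request cannot be submitted twice or after its window expires. The secret, the field names and the 120-second window are constructed assumptions for the demonstration, not details of any product.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secret; in practice provisioned per device at enrollment.
APP_SECRET = b"constructed-demo-secret-not-a-real-key"
REPLAY_WINDOW_SECONDS = 120  # assumed freshness window


def sign_request(payload, secret, now, nonce=None):
    """Client side: bind the request body to a timestamp and a fresh nonce."""
    nonce = nonce or secrets.token_hex(16)
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    msg = f"{int(now)}.{nonce}.{body}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"ts": int(now), "nonce": nonce, "body": body, "mac": tag}


class ReplayGuard:
    """Server side: verify the MAC, enforce freshness, reject repeated nonces."""

    def __init__(self, secret, window=REPLAY_WINDOW_SECONDS):
        self.secret = secret
        self.window = window
        self.seen = {}  # nonce -> timestamp; pruned once outside the window

    def accept(self, req, now):
        """Return (accepted, reason). Check integrity first, then freshness,
        then replay, so a forged nonce never pollutes the seen-set."""
        msg = f"{req['ts']}.{req['nonce']}.{req['body']}".encode()
        expected = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["mac"]):
            return False, "tampered"      # body, ts or nonce was altered in transit
        if abs(now - req["ts"]) > self.window:
            return False, "stale"         # captured request replayed too late
        self._prune(now)
        if req["nonce"] in self.seen:
            return False, "replayed"      # same request submitted twice inside window
        self.seen[req["nonce"]] = req["ts"]
        return True, "ok"

    def _prune(self, now):
        # Drop nonces older than the window; they are already rejected as stale.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
```

The same nonce must be rejected by every server instance, so a production deployment keeps the seen-set in shared storage rather than in process memory.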
Customer education is a critical aspect of any successful approach to mobile banking security. A knowledgeable customer is less likely to be tricked by phishing or other attempts at fraudulent activity. For example, FIs can train customers to avoid clicking links in emails that purport to come from the FI; an attacker may use this method to direct the customer to a malware or phishing site. Informing FI customers of the mobile banking services being offered and the security measures being taken is an obvious first step in end-user education and can help increase mobile banking adoption. Customers should know what mobile banking services are offered, how authentication works, how and when to expect communications from the FI, and any precautions to keep in mind (e.g., "We will never ask for any personal information via text or email"). Sharing details on security features and on security policies such as zero liability can have the added benefit of encouraging customer adoption. Customer education should also promote the fact that the mobile channel can be used to proactively monitor customer accounts and to deliver alerts for suspicious or potentially fraudulent activity. Oftentimes, addressing mobile security is more about perception than reality. Customers should be reminded that the mobile channel is as safe as, if not safer than, any other channel and can even be used as a tool to increase security (through multi-factor authentication, for instance).
Context-specific help: Whenever possible, it is valuable to have context-specific help built into the solution. For example, the solution should, at various points in a specific transaction, be able to provide instructions on how to proceed.

Clear and open communication channels: The customer should always feel confident that they can access accurate support and information from trusted channels and sources.
Clairmail Solution's Multi-Layered Security

The Clairmail solution employs many layers of security designed to protect both the FI's customers and its information technology (IT) infrastructure, including:

Validated identity
Multifactor authentication
Escalating authentication
Out-of-band authentication
Anti-tampering technology
Delegated authentication
Extended authentication
Protection of confidential data
Encryption

For a more detailed discussion of the Clairmail solution's multi-layered security features, download the Clairmail white paper, Mobile Security: Four-Point Strategy for Secure Mobile Banking and Payments.
Conclusion
Customer education is a vital component of a successful mobile banking security strategy, inasmuch as a well-informed customer is less likely to be ensnared by attempts at fraudulent activity. Equally, a knowledgeable customer is more likely to have the comfort level needed to adopt and use the FI's mobile banking solution. FIs can enhance their customer education efforts by effectively training internal staff for high-touch customer interactions at the branch and in other channels, along with leveraging interactive education tools and context-specific help functionality. FIs can also help their customers protect themselves from potential security attacks by providing clear direction on how to protect their credentials and supplying other guidelines to ensure a secure mobile banking experience. To learn more about Clairmail's secure mobile banking and payments solution, sign up for a demo meeting by visiting Clairmail at www.clairmail.com, emailing info@clairmail.com, or calling (415) 526-7000.