
MOBILE SOLUTIONS

WHITE PAPER

Mobile Security:
Customer Education for Secure Mobile Banking and Payments

JULY 2011


Executive Summary
Security concerns and the threat of identity theft and fraud are major obstacles to widespread customer adoption of mobile banking and payments. The direct relationship between mobile banking adoption and return on investment makes it imperative that financial institutions (FIs) implement a mobile banking security strategy comprising four key elements:

- Customer education
- Business controls
- Real-time notifications
- Multi-layered technical controls

This white paper focuses on the first of these elements, customer education. It discusses the various mobile security threats prevalent in the market, and demonstrates how an effective customer education program can teach FI customers to protect themselves from these threats.

Security Concerns Impede Mobile Banking Adoption


One of the biggest barriers to mobile banking adoption and usage is consumer fear about security. Javelin Strategy & Research finds that security is a significant impediment holding U.S. consumers back from banking with their handset: over half of consumers (51 percent) perceive mobile banking as unsafe or very unsafe, and only 17 percent view it as safe or very safe [1]. According to Javelin, the top reason smartphone users give for not using mobile banking is fear about security (48 percent); among iPhone owners the share is even higher (59 percent) [2]. Research from Accenture shows that nearly three-quarters (73 percent) of the most active mobile device users worldwide worry about their privacy when using a mobile phone for payments, and that 70 percent feel mobile payments increase their risk of identity theft and fraud [3]. Given the direct correlation between mobile banking adoption and return on investment, FIs should select a solution that is not only designed end-to-end with strong security, but also comes with a clearly defined strategy to address and overcome consumers' security concerns.

Ensuring Mobile Banking Security: Four Keys to Success


Security should be a top priority in FI product and marketing budgets because it is a critical and immediate key to consumer acceptance and the growth of mobile banking. Without adequate up-front investment in security and in security-related communication to customers, FIs will find it difficult to maximize customer adoption and usage. Clairmail recommends that FIs implement a mobile banking security strategy comprising the following four elements:

- Customer Education: Teach current and potential customers about the identity theft and fraud threats in the market (see Glossary of mobile security threats), instruct them on how to protect their credentials, and recommend guidelines for a secure mobile banking experience.
- Business Controls: Implement proper security policies and procedures, fraud identification and tracking systems, investigative programs, and customer-facing programs such as identity theft prevention services, based on ongoing risk analysis.
- Real-Time Notifications: Deputize customers in the fight against fraud and identity theft by offering real-time alerts, which empower them to quickly spot suspicious transactions or account activity and take action immediately.
- Multi-Layered Technical Controls: Employ multiple layers of security to protect both the FI's customers and its IT infrastructure, securing the hardware and software that make up the end-to-end network stack and the interactions between them.

This white paper focuses on the first of these elements: customer education.

[1] Javelin Strategy & Research, 2010 Mobile Banking and Smartphone Forecast, September 2010.
[2] Javelin Strategy & Research, 2010 Mobile Banking Scorecard: Shift in Smartphone Ownership Calls for a Shift in Focus, August 2010.
[3] Accenture, Survey of Tech-Forward Consumers from 11 Countries, February 2011.


Glossary of mobile security threats

Malware: Malicious software inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim's data, applications or operating system, or otherwise annoying or disrupting the victim. A McAfee report counted 6 million new pieces of malware in the first quarter of 2011, a trend expected to surge as cyber criminals catch up with the latest mobile technologies [4].

Spoofing: A fraudulent process in which a person or program masquerades as another in order to acquire sensitive personal information, such as usernames, passwords and credit card details. Examples of spoofing include phishing, SMiShing and vishing:

- Phishing: Luring customers, by email, into providing sensitive personal information or downloading malware. A popular scam is a phishing email that appears to come from an FI and contains a link to a spoofed website; the site tricks victims into logging in with their credentials, which the criminal then captures.
- SMiShing: A contraction of SMS and phishing, in which criminals pose as an FI and use SMS to try to gain access to confidential account information. The typical scam tells the device owner that their account has been compromised or their credit/ATM card deactivated, and directs them to call a phone number or visit a spoofed website to reactivate the card. At the website, or through an automated phone system, the victim is asked for card, PIN and/or account numbers.
- Vishing: A contraction of voice and phishing, in which victims are tricked into disclosing sensitive personal information over a phone call.

Hijacking: A network attack in which the attacker takes control of a communication between two entities, masquerading as one of them.

Man-in-the-Middle Attack: An attack in which the attacker positions themselves between the FI and the customer in order to intercept and alter passwords or other sensitive information passing between them.

Replay Attack: An attack in which a mobile web session (or a request from it) is captured and later replayed by the attacker in an attempt to fool the server into granting access.

[4] McAfee, McAfee Threats Report: First Quarter 2011, June 2011.

Customer Education for Mobile Banking Security


Customer education is a critical aspect of any successful approach to mobile banking security. A knowledgeable customer is less likely to be tricked by phishing or other fraud attempts. For example, FIs can train customers never to click links in emails that purport to come from the FI, since an attacker uses exactly this route to direct the customer to a malware or phishing site. Informing customers of the mobile banking services being offered and the security measures being taken is an obvious first step in end-user education and can help increase adoption. Customers should know what mobile banking services are offered, how authentication works, how and when to expect communications from the FI, and which precautions to keep in mind (e.g., "We will never ask for personal information via text or email"). Sharing details of security features and security policies, such as zero liability, has the added benefit of encouraging adoption. Customer education should also promote the fact that the mobile channel can be used to proactively monitor accounts and to deliver alerts for suspicious or potentially fraudulent activity. Often, addressing mobile security is more about perception than reality. With the business and technical controls described above in place, customers can be reminded that the mobile channel is as safe as, if not safer than, any other channel, and that it can itself be used to increase security (as a second factor in multi-factor authentication, for instance).

Customer Education Tips for FIs


Clairmail recommends that FIs keep the following tips in mind when developing customer education strategies for mobile banking and security:

- Education begins internally: Effectively training internal staff should be the FI's first point of education and awareness. Customer education and support will always fall short if staff, at all levels, do not understand the offering or the security that accompanies it. Internal training should not be a one-time exercise; ongoing education and awareness campaigns should be run and monitored regularly.
- High-touch registration and security education: The physical branch will not be phased out; rather, its function will evolve. Customers feel more comfortable when a person is there to support, assist and educate them on the security features of the FI's mobile banking solution. The value of this high-touch interaction should not be underestimated.
- Interactivity: The more interactive the education, the better. Flash demos and emulators are excellent tools for teaching customers how to use the offering, giving them a safe environment in which to take the solution for a test drive. Customers prefer to try the solution first, particularly when they fear making a mistake that could affect their personal finances.


- Context-specific help: Whenever possible, build context-specific help into the solution; at each step of a transaction, the solution should be able to tell the customer how to proceed.
- Clear and open communication channels: The customer should always feel confident that accurate support and information are available from trusted channels and sources.

Clairmail Solution's Multi-Layered Security

The Clairmail solution employs many layers of security designed to protect both the FI's customers and its information technology (IT) infrastructure, including:

- Validated identity
- Multifactor authentication
- Escalating authentication
- Out-of-band authentication
- Anti-tampering technology
- Delegated authentication
- Extended authentication
- Protection of confidential data
- Encryption

For a more detailed discussion of the Clairmail solution's multi-layered security features, download the Clairmail white paper, Mobile Security: Four-Point Strategy for Secure Mobile Banking and Payments.

Mobile Banking Security Tips for Customers


Clairmail recommends that FIs provide the following security tips to their customers to help protect them from identity theft, fraud and other attacks:

- Use your device's power-on password feature, if available.
- Don't configure auto-login.
- Never share your private information (password, PIN, etc.) with anyone.
- Never enter your PIN unless you are absolutely sure that you are communicating with your FI.
- Don't save private information on your mobile device.
- Immediately report the loss or theft of your mobile device to both your FI and your carrier.
- Save mobile links as bookmarks to avoid mistyping the URL.
- Before downloading any application to your device, check your FI's website to learn about its mobile offerings and the secure download locations.
- Add your FI's short code to your device's contact list with a distinctive name, so that you will recognize incoming messages from your FI. A matching name is a convenience, not proof of origin: a text that asks for credentials, or directs you to a link or phone number to "reactivate" a card, is a SMiShing attempt regardless of who it appears to come from.
- Use account nicknames instead of account numbers, and do not include any digits from your account numbers in nicknames.
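The last tip is one the FI can enforce on its own side rather than leave to the customer. The following is an added example, not Clairmail's code, showing nickname validation and a real-time alert composer that identifies the account by nickname only and refuses to send a message that would leak part of the account number. The bank name "ExampleBank", the account number and the transaction details are constructed for the example.

```python
# Added example, not Clairmail's code. It enforces two of the customer tips
# above on the FI's side: a nickname may not contain digits from the account
# number, and outbound alerts identify the account by nickname only.
# The bank name and the account data are constructed for the example.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str    # full account number as stored by the FI (constructed sample)
    nickname: str  # customer-chosen display name


def nickname_is_safe(nickname: str, account_number: str) -> bool:
    """Apply the tip literally: reject a nickname containing any digit that
    also occurs in the account number, so a leaked nickname leaks no digit
    of the number."""
    digits_in_nickname = {ch for ch in nickname if ch.isdigit()}
    return not (digits_in_nickname & set(account_number))


def text_leaks_account(text: str, account_number: str, min_run: int = 4) -> bool:
    """True if any window of min_run consecutive digits in `text` is a
    substring of the account number. Checking every window (not just whole
    digit runs) catches '991881' when the number ends in '1881'."""
    for run in re.findall(r"\d+", text):
        for i in range(len(run) - min_run + 1):
            if run[i:i + min_run] in account_number:
                return True
    return False


def compose_alert(account: Account, amount: str, merchant: str) -> str:
    """Build a real-time SMS alert that names the account by nickname and
    refuses to send if the text would leak part of the account number."""
    if not nickname_is_safe(account.nickname, account.number):
        raise ValueError("nickname contains digits from the account number")
    text = (f"ExampleBank alert: {amount} debit from '{account.nickname}' "
            f"at {merchant}. Not you? Call the number on your card.")
    if text_leaks_account(text, account.number):
        raise ValueError("alert text would leak account-number digits")
    return text


if __name__ == "__main__":
    acct = Account(number="4012888899991881", nickname="Vacation fund")
    print(compose_alert(acct, "$1,250.00", "Acme Air"))
    # A nickname like "Card 1881" is rejected before any alert is built.
    print(nickname_is_safe("Card 1881", acct.number))  # False
```

The alert deliberately tells the customer to call the number on their card rather than a number in the message, matching the SMiShing guidance above; the leak check on the outgoing text is the backstop in case a template or a merchant name ever carries account digits.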


Conclusion
Customer education is a vital component of a successful mobile banking security strategy, since a well-informed customer is less likely to be ensnared by fraud attempts. In addition, a knowledgeable customer is more likely to have the confidence needed to adopt and use the FI's mobile banking solution. FIs can enhance their customer education efforts by training internal staff for high-touch customer interactions at the branch and in other channels, and by using interactive education tools and context-specific help. FIs can also help customers protect themselves by giving clear direction on how to protect their credentials and other guidelines for a secure mobile banking experience. To learn more about Clairmail's secure mobile banking and payments solution, sign up for a demo meeting by visiting www.clairmail.com, emailing info@clairmail.com, or calling (415) 526-7000.
