The future of mobile banking – getting security right – David Frost, Solutions Consultant, ACI World


Mobile banking is heralding a new generation of location-independent financial transactions. Services such as electronic account management, management of investments, and financial information and alerts, are enabling banks and network operators to achieve additional revenues, increase their competitive edge and strengthen customer loyalty. While development and adoption of mobile banking varies across the world, one thing is certain: the future of mobile banking everywhere depends on getting the security right.

At the end of the 1990s, underperforming handsets and slow internet connections were presenting considerable obstacles to mobile banking services. However, mobile and internet technologies have been revolutionised in recent years and the mobile phone now provides banks with a fully-fledged transaction and communication channel, allowing them to offer customers real added-value. Indeed, a recent Juniper Research report predicts that the number of consumers accessing banking services and products via their mobile phones will reach 816m by 2011 – a tenfold increase on the number using such services in 2007.

Mobile banking involves using mobile devices to execute bank transactions and access financial services. It incorporates three main services: electronic account management, portfolio management services, and financial information and alerts. The up-take of these services depends largely on three main factors: the banking system in the country concerned; consumer acceptance of mobile devices in connection with financial transactions; and opportunities for co-operation between network operators and banks.

Mobile banking today is most often performed via SMS or by connecting to the web browser on a phone or PDA, but programmes (such as Java) can also be customised to enable this functionality. As the trend shifts from traditional telephone or internet banking to customers accessing financial services on mobile devices, the banks and network operators are considering how best these new services can be delivered. It is clear that mobile banking has a promising future, but only as long as the right security is in place.

Unless security issues are fully addressed, they could prove the single biggest barrier to widespread adoption of the mobile banking service. An International Communications Research poll conducted in the UK in May 2008 revealed that 32% of people surveyed believe mobile transactions are ‘not very secure’ and about 24% think the method is ‘not secure at all’.

It is clear that, facing these consumer doubts over security, banks must undertake the same liability for mobile banking as they have done for online banking, which also faced consumer security concerns during its early days. The good news is that many of the same technologies used to secure the online channel can be extended to protect mobile banking.

As security issues, such as Trojans and malware, migrate from the internet to mobile phones, banks can learn from the challenges they are overcoming with online banking and apply the same protection to the mobile channel.

Internet Protocol (IP) profiling has emerged as a powerful tool to detect and combat fraud in the online banking arena and should be viewed as part of the wider security solution for mobile banking, in particular via the mobile internet. It allows security teams to identify information about the IP address in use, such as its location and connection type.

IP profiling allows financial institutions to set up monitoring based on customers’ IP addresses and ports. Fraud teams can then compare these addresses against known or suspected fraudulent addresses, or simply track whether an IP address being used falls outside a customer’s normal activity patterns. When combined with other security tools such as two-factor authentication and a multi-channel fraud monitoring system within the bank, it can help get closer to the challenging goal of absolute security.

National Australia Bank (NAB) has used IP intelligence and profiling to detect fraudulent activities affecting internet and mobile banking since 2005. About two years ago Australian banks experienced a surge in the amount of internet banking fraud, despite the country’s well-established approach to online banking services. Banks were forced to consider a new approach to minimise these financial losses. In the case of NAB, customers were targeted by fraudsters removing savings from bank accounts within a short period of time.

To combat this fraud, NAB introduced a number of measures including a robust two-factor authentication service that complemented IP intelligence fraud detection. Through this combined approach, NAB was able to cut its internet banking losses by approximately 99% compared to the same period the previous year.

The bank detected strong trends around IP addresses and customers’ internet banking accounts that had been compromised. By establishing customer and geographic based IP patterns using real-time monitoring techniques, NAB was able to identify a significant portion of compromised accounts before funds had even been withdrawn.

IP intelligence and profiling allows banks to detect fraudulent activities, and it also blocks around 98 per cent of all dubious transactions before they can actually take place, because a pattern of normal behaviour has been established before the rules are applied. This method, together with two-factor authentication tools, enabled NAB to detect virtually all internet banking fraud.
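As an added illustration of the customer- and geography-based IP patterns described above (this is example code, not ACI’s or NAB’s system), the following Python sketch builds a per-customer profile from past sessions and scores a new session before the transaction is released, escalating to a second factor when the pattern breaks. The geolocation table, known-fraud list and session history are constructed sample data; the /24 network granularity and the decision thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for a commercial IP geolocation feed: prefix -> country.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "AU",
    ipaddress.ip_network("192.0.2.0/24"): "RO",
}
# Constructed list of addresses previously tied to confirmed fraud.
KNOWN_BAD = {ipaddress.ip_address("192.0.2.77")}
# Constructed history of legitimate sessions: (customer id, source IP).
HISTORY = [("c1", "203.0.113.10"), ("c1", "203.0.113.12"), ("c1", "198.51.100.5")]

def geolocate(ip):
    """Return the country for ip, or 'ZZ' when the feed has no entry."""
    for net, country in GEO_TABLE.items():
        if ip in net:
            return country
    return "ZZ"

def build_profiles(history):
    """Summarise each customer's past sessions as the /24 networks and
    countries they have been seen from. Returns {customer: {...}}."""
    profiles = defaultdict(lambda: {"nets": set(), "countries": set()})
    for cust, ip_str in history:
        ip = ipaddress.ip_address(ip_str)
        profiles[cust]["nets"].add(ipaddress.ip_network(f"{ip}/24", strict=False))
        profiles[cust]["countries"].add(geolocate(ip))
    return profiles

def assess(profiles, cust, ip_str):
    """Score one new session before funds move. Returns (decision, reasons)
    where decision is 'block', 'step_up' (demand a second factor) or 'allow'."""
    ip = ipaddress.ip_address(ip_str)
    if ip in KNOWN_BAD:                       # hard match against fraud list
        return "block", ["ip on known-fraud list"]
    prof = profiles.get(cust)
    if prof is None:                          # no baseline yet: be cautious
        return "step_up", ["no session history for customer"]
    reasons = []
    country = geolocate(ip)
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    if net not in prof["nets"]:               # new network: log, not alone decisive
        reasons.append(f"network {net} never seen for customer")
    if country not in prof["countries"]:      # new country: break in pattern
        reasons.append(f"country {country} never seen for customer")
        return "step_up", reasons
    return "allow", reasons
```

A real deployment would feed `assess` from the authentication gateway in real time and keep the profiles current with each confirmed-legitimate session.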

As mobile banking increases in popularity, and as internet fraud techniques are replicated on the mobile channel, a combination of IP intelligence and profiling will provide an extra layer of fraud prevention and play an important role in achieving customer confidence in the new banking channel. This is vital to the successful adoption of the service.

If the security groundwork is successfully put in place for mobile banking, it will encourage the development of mobile technologies as they evolve beyond banking services to support mobile payments. In June 2008, a mobile payments agreement was announced in Europe between the GSM Association, which brings together the world’s major mobile operators, and the European Payment Council, the body representing the EU banking sector. The first widespread deployment of the new payment system is expected by late 2008 or the beginning of 2009 following the trials which are currently underway across the world.

Without a doubt, the mobile phone represents the banking and payment device of the future. For consumers in developed markets, using a mobile phone for banking services is a smart and desirable add-on to a bank’s branch network. For people in the developing world, the arrival of mobile banking (and payments) is potentially revolutionary.

However, in order for banks, telecom operators and consumers worldwide to benefit and for the service to become mainstream, overcoming security issues must become the priority. Financial institutions do have some time on their hands as fraudsters are unlikely to migrate in large numbers to this new channel until the already-familiar internet banking channel is made harder to crack. However, this is not a reason for the industry to rest on its laurels. The much-needed regulation or standards governing mobile banking and payments will take time to thrash out and so if banks and telecoms operators want to be part of the first wave of organisations to benefit from this emerging channel, they need to agree their security strategies now.