Mobile banking and how to stay secure
We live in an app world. We shop through apps, we catch up with the latest news, we follow our sports teams, we listen to music, we communicate with friends and we do our work through apps. We also do our banking through apps, albeit to a lesser extent. Although figures from CEB TowerGroup, cited in this Finextra article, suggest that is changing with 17 billion transactions being predicted for 2015. Security is obviously a big factor in the uptake of mobile banking; banks and customers are quite rightly worried about how much risk is involved. But if banks and other financial services companies put too much emphasis on security, apps will become slow and cumbersome and customers won’t use them. I’m sure we’ve all had mobile experiences so frustrating that we’ve just abandoned whatever we were doing and switched to a PC, or got on the phone. Having said that, there is also the danger of going to too far in the opposite direction - sacrificing security to improve usability. The Finextra article mentions that some banks are in fact allowing customers to check their balance (along with other, limited functionality) on a mobile app without even logging in! That is a very dangerous game to play. While it is clear that convenience is incredibly important, banks should think about the repercussions of “good enough” security. Who will the customer blame if someone gains access to their account and steals money because of a flaw in the app? Their bank, of course. Lawsuits would probably follow, leading to a financial loss and a damaged reputation. So the key is to find a balance between security and usability, and in our opinion that means assuming everyone is infected. If a bank approaches security from that point of view, then the emphasis shifts away from the device that is being used and instead focuses on ensuring the data is secure. It’s something that we at F5 Networks have talked about previously: forget the device and concentrate on protecting the sensitive data that is flowing across the network. An additional, transparent layer of protection - away from the device - increases protection for the business without impacting the usability of the application. If a business takes the view point of not trusting any device then that is a good start. It removes confusion for end users; they don’t have to worry about Man in the Middle (MitM) attacks or other malware that could interrupt the mobile banking session and take extra money out of the user’s account, for example. Before mobile banking becomes truly universal, banks and financial institutions must consider the balance between security and usability. Stripping back security to ensure a smooth and fast user experience is simply the wrong way to approach it, as is adding in so many layers of security that the app becomes unusable. Instead, take the device out of the equation: focus on securing the data. That is, after all, where the value is.
Published Dec 03, 2014Version 1.0