In a world where increasing numbers of customers are engaging with mobile banking, cyber resilience expert Adam Philpott, EMEA president at IT security firm McAfee, gives his view of how banks need to respond.
The mobile ecosystem is a feature-rich environment. Applications offer the ability to control everything from home heating and lighting to real-time processing of payment transactions.
Statistics show the average person has between 60 and 90 apps installed on their mobile phone.
Today, the majority of us are reliant on mobile technology, and of course this is no different when it comes to financial services. More and more people are embracing the convenience of mobile banking and payments.
In fact, recent research suggests 92.5% of bank customers in the UK now use mobile or online banking.
However, as theft of financial credentials from mobile devices is on the rise, Britain’s banking chiefs have been labelled “overconfident and oblivious to the risks posed by major tech projects”.
That’s according to the Financial Conduct Authority’s Cyber and Resilience Report published last December — a study which also pinpointed that most firms rank cyber resilience as their top concern today.
Security awareness needs to be cultivated by banks in the mobile environment
Cyber criminals are targeting account holders at both large multinational and small regional banks.
They continue to innovate in different distribution vectors, from phishing SMS messages (or “smishing”) to applications with real functionality that use a malicious payload to bypass security checks on app marketplaces.
By providing customers with mobile banking options which do not have security built in from the outset, financial services organisations are providing cyber criminals with easy, additional forms of revenue, such as ransomware, ad-click fraud, and other types of malware.
As a starting point, it is important that banks consider driving cultural initiatives not only around cyber awareness and front-line defence, but also relating to the digital and cloud-based environment in which they operate today.
Importantly, this must be an ongoing effort rather than intervention-based.
Continued warnings to customers about unexpected pop-ups and overlays asking for sensitive information are essential, as are supplementary authentication techniques.
Banks should educate mobile banking customers about good security habits
Beyond building in security from the start, both on-premise and in the cloud, banks should play an active role in educating their customers about safeguarding their devices with an additional layer of security software to protect their credentials.
There is no doubt that mobile services bring significant opportunities to the banking industry, from providing a seamless customer experience to the potential for open banking.
However, with every new opportunity comes an element of risk. Today’s architectures are device-to-cloud and so businesses need to extend their controls to address this attack surface.
This includes both devices and cloud applications that are beyond an organisation’s control, such as bring your own device (BYOD) or “unsanctioned” software-as-a-service applications.
This needs to be achieved without adding exponential complexity and cost, so it should be built on the policies and systems already in place.
Security lapses can destroy trust among mobile banking users
Financial services organisations must set themselves up with the capability to actively protect the data they hold without adding friction.
Customer trust is vital if banks are to build long-term, lasting relationships, but it’s impossible to achieve and maintain this trust if banks can’t be relied upon to provide services that are resilient to fraud.
That’s why banks need to be more effective in detecting attacks across their whole offering, and if an issue occurs, quickly correcting the problem to minimise the loss of data.
IT-related shutdowns can quickly destroy hard-earned customer trust, so managing downtime and eliminating potential exposure to further threats should be an integral part of the resiliency process and can’t be overlooked.