August 20, 2010
Crossing the channel
If banks want to make the mobile channel commonplace, it must simply be more convenient, easier and safer
While most banks in Australia offer some form of mobile banking, financial institutions need to better tailor their services to respond to their customers’ everyday needs. Mobile banking has to make life safer, easier and more convenient for consumers if banks want the mobile channel to become more widely used and accepted.
According to a recent survey commissioned by Sybase 365, to date, only 13 per cent of Australians use mobile banking at least once a week, although 55 per cent of respondents stated they are interested in mobile banking services.
The same study highlighted the potential for mobile banking to enhance the security of existing banking and payment services. Nearly two-thirds (63 per cent) of respondents would like to be alerted of potentially fraudulent transactions on their account, a 10 per cent increase over a 2007 consumer survey by Sybase 365. The second most popular service among consumers was the ability to freeze cards with their mobile phone, with 49 per cent of Australians expressing interest in this kind of service.
To fully utilise this potential, the mobile channel itself also has to satisfy the most stringent security requirements. The tried-and-true best practices that secure a local area network and wide area network were first adapted to Web-based technology for online banking, and now to mobile technology for mobile transactions. These existing security best practices require multiple safeguards at four levels: the physical location, network, transaction and user.
Transaction protection
In mobile banking, most security questions centre on how the transaction between payer and payee is protected. With mobile banking, there is the need to secure multiple types of communication channels, including SMS, USSD (Unstructured Supplementary Service Data), browser-based exchanges and downloadable, client-based applications. Banks and mobile operators have the flexibility to assign the level of security and user authentication required based on payment type, transaction value, number of daily transactions and so on.
Low-risk transactions or communications can be done by SMS, for example, while higher value transactions can be completed over USSD, a Web browser or a downloadable client-based application. SMS travels and is stored in clear text at the operator and the sender number can be spoofed, so it suits balance enquiries, alerts and low-value actions rather than anything that moves significant money. Higher risk transactions can require a Personal Identification Number (PIN) or out-of-band authentication. Banks and operators should define the security and risk thresholds they want for each type of mobile transaction based on both the action and the channel it arrives on.
User/customer safeguards
The hardest security level to implement starts with the customer. Educating customers about security policies and techniques to protect their mobile devices and personal information is challenging, to say the least. Because financial organisations are usually unable to force customers to set a device lock or enable remote wipe on their handset, the mobile banking application itself should have inbuilt safeguards that limit the damage from a lost or stolen device.
Most importantly, no sensitive data (credentials, full account numbers, transaction history) should ever be stored on the mobile device. Transaction limits, cumulative limits and account balance limits then protect both customers and mobile commerce providers. Banks and mobile operators can set transaction limits that vary by customer, for example only allowing the customer to withdraw $400 a day or $4,000 a week or month. Mobile commerce providers can further reduce risk by adding cumulative limits and account balance limits, so that a thief with the handset cannot drain an account by splitting a large withdrawal into many small ones.
Business rules also minimise risk. Banks should set limits and thresholds based on what is suitable for their customer base. They may also choose to use SMS for lower risk transactions and require authentication via WAP and a secure Web browser or Interactive Voice Response (IVR) for moderate or high-risk transactions.
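The limits and business rules described above, as an added example that is not code from the column or from Sybase 365: a small risk-policy engine that checks per-transaction, cumulative and balance limits first and then decides, from value and channel, whether the request may proceed and what authentication it needs. The dollar thresholds, limit values and channel names are assumptions for illustration, not any bank's real policy.

```python
# Added example (not from the article): limits and channel/value business
# rules for mobile transactions. Threshold values are assumed for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Channel(Enum):
    SMS = "sms"          # plaintext and spoofable: low-value actions only
    USSD = "ussd"
    WEB = "web"          # mobile browser over TLS
    CLIENT = "client"    # downloadable client application


class AuthLevel(Enum):
    NONE = 0             # nothing beyond the originating number
    PIN = 1              # something the customer knows
    PIN_AND_OOB = 2      # PIN plus an out-of-band code sent to the handset


# Assumed thresholds (dollars): at or below LOW_VALUE a request may arrive
# by SMS with no PIN; above HIGH_VALUE a PIN plus out-of-band code is needed.
LOW_VALUE = 100.0
HIGH_VALUE = 1000.0
DAY = timedelta(days=1)
WEEK = timedelta(days=7)


@dataclass
class Limits:
    per_txn: float       # largest single transaction
    daily: float         # cumulative amount per rolling 24 hours
    weekly: float        # cumulative amount per rolling 7 days
    daily_count: int     # number of transactions per rolling 24 hours


@dataclass
class Customer:
    limits: Limits
    balance: float
    history: list = field(default_factory=list)   # (timestamp, amount)


@dataclass
class Decision:
    allowed: bool
    auth: AuthLevel
    reason: str


def cumulative(customer: Customer, now: datetime, window: timedelta) -> float:
    """Sum of posted transactions inside the rolling window."""
    return sum(a for t, a in customer.history if now - t <= window)


def count_in(customer: Customer, now: datetime, window: timedelta) -> int:
    return sum(1 for t, _ in customer.history if now - t <= window)


def evaluate(customer: Customer, amount: float, channel: Channel,
             now: datetime) -> Decision:
    """Hard limits are checked before the business rules so that splitting
    a large withdrawal into many small low-value requests still fails."""
    lim = customer.limits
    if amount <= 0:
        return Decision(False, AuthLevel.NONE, "amount must be positive")
    if amount > lim.per_txn:
        return Decision(False, AuthLevel.NONE, "exceeds per-transaction limit")
    if cumulative(customer, now, DAY) + amount > lim.daily:
        return Decision(False, AuthLevel.NONE, "exceeds daily cumulative limit")
    if cumulative(customer, now, WEEK) + amount > lim.weekly:
        return Decision(False, AuthLevel.NONE, "exceeds weekly cumulative limit")
    if count_in(customer, now, DAY) + 1 > lim.daily_count:
        return Decision(False, AuthLevel.NONE, "exceeds daily transaction count")
    if amount > customer.balance:
        return Decision(False, AuthLevel.NONE, "exceeds account balance")

    # Business rules: acceptable channel and authentication strength
    # depend on the value at risk.
    if amount <= LOW_VALUE:
        return Decision(True, AuthLevel.NONE, "low value: any channel")
    if channel is Channel.SMS:
        return Decision(False, AuthLevel.PIN,
                        "SMS not permitted above low-value threshold")
    if amount <= HIGH_VALUE:
        return Decision(True, AuthLevel.PIN, "moderate value: PIN required")
    return Decision(True, AuthLevel.PIN_AND_OOB,
                    "high value: PIN and out-of-band code required")


def record(customer: Customer, amount: float, now: datetime) -> None:
    """Call only after the transaction has been authenticated and posted."""
    customer.history.append((now, amount))
    customer.balance -= amount
```

The order matters: the limit checks run before the channel rules, so an attacker holding an unlocked handset who stays under the SMS threshold is still stopped by the daily count and cumulative limits once the small requests add up.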
Banks and mobile payment providers should apply due diligence when signing up customers for mCommerce services. Proper identification is critical during the first mCommerce exchange and should be managed through a mix of soft and hard authentication.
Soft authentication is checking identifiers such as account number, user name and so on; these prove only that the enrolling party knows details that may also be known to a fraudster. Hard authentication could include sending a test SMS to verify the customer is in possession of the device. The text message would include a one-time code that must be read back or entered somewhere, proving at that moment that the handset registered to the account is in the customer's hands.
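The hard-authentication step, as an added example that is not code from the column or from Sybase 365: a one-time code is generated from a secure random source, sent to the handset out of band, and the server keeps only a keyed hash of it together with an expiry time and an attempt counter, so the code cannot be read out of a database and a six-digit space cannot be guessed. The key source, lifetime, digit count and the send_sms callback are assumptions.

```python
# Added example (not from the article): possession check via a one-time SMS
# code, stored server-side only as an HMAC with expiry and attempt limit.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

CODE_DIGITS = 6          # 10^6 possibilities, so attempts must be capped
CODE_LIFETIME_S = 300    # assumed five-minute validity
MAX_ATTEMPTS = 3
SERVER_KEY = secrets.token_bytes(32)   # assumed: load from a KMS/HSM in production


@dataclass
class Challenge:
    msisdn: str          # number the code was sent to
    digest: bytes        # HMAC(SERVER_KEY, msisdn ":" code)
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(msisdn: str, code: str) -> bytes:
    # Binding the number into the MAC stops a code issued for one handset
    # from being replayed against a different enrolment.
    return hmac.new(SERVER_KEY, f"{msisdn}:{code}".encode(), hashlib.sha256).digest()


def issue(msisdn: str, send_sms: Callable[[str, str], None],
          now: Optional[float] = None) -> Challenge:
    """Generate a fresh code, send it out of band, keep only its digest."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    send_sms(msisdn, f"Valid for 5 minutes. Your enrolment code is {code}")
    return Challenge(msisdn, _digest(msisdn, code), now + CODE_LIFETIME_S)


def verify(ch: Challenge, msisdn: str, code: str,
           now: Optional[float] = None) -> str:
    """Returns 'ok', 'wrong', 'expired', 'locked' or 'used'. Each submitted
    code counts as an attempt, so online guessing is bounded."""
    now = time.time() if now is None else now
    if ch.used:
        return "used"
    if now > ch.expires_at:
        return "expired"
    if ch.attempts >= MAX_ATTEMPTS:
        return "locked"
    ch.attempts += 1
    # Constant-time comparison of the digests, never of the code strings.
    if hmac.compare_digest(_digest(msisdn, code), ch.digest):
        ch.used = True
        return "ok"
    return "wrong"
```

Two points a practitioner should carry over: the checks for expiry, lock-out and single use all run before the comparison, and a successful verification proves possession of that SIM at that moment only, so the code should be tied to the specific enrolment request rather than treated as a durable credential.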
Ask the right question
I’m often asked the question “Is mobile banking secure?”, and I always respond with “That is the wrong question to ask”. As any consultant will tell you, it is impossible to make a service completely secure, so the right question is: “Can I make mobile banking as secure as my existing banking channels?” By use of techniques such as those outlined above, and appropriate business rules, mobile can not only be as secure as existing channels, but can even improve those channels as it provides a second-factor authentication (something I have) to the first-factor PIN (something I know) that is used by existing channels.
Diarmuid Mallon is senior product marketing manager of mCommerce with Sybase 365.
Written by: Charis
Filed Under: Diarmuid Mallon, Guest columnists
TeleSign Matt
September 11, 2010 at 7:38 am
Excellent and relevant post as mobile devices are rapidly proliferating around the globe. I’ve been working with a company called TeleSign who is pioneering security solutions in the area of mobile phone authentication. Feel free to check them out at http://www.TeleSign.com
Respectfully TeleSign Matt