The advent of mobile banking technology has made banking transactions far more convenient, but it has also increased the risk of banking fraud. International and local banks throughout the world have introduced a variety of mobile banking applications, yet most of them have not been thoroughly tested against banking fraud.
Customers are certainly more comfortable completing transactions on their mobile handsets, but they also need to be aware of the threats that mobile banking technology places before them.
Mobile Banking Technology Threats
The growing number of developers writing software for smartphones has its pros and cons. Undeniably, the large pool of developers has reduced the effective cost of any mobile application, but several cases have been reported in which a developer resorted to tricks such as phishing and scanning that ultimately capture a user's confidential bank account information.
Security Flaws with Mobile Banking Applications
Since mobile banking applications rely on GSM (Global System for Mobile Communication) and GPRS (General Packet Radio Service), the security of a transaction carried out through a cell phone also depends on the security of data transfer over these services.
The GSM network uses the A3/A8 mechanism to authenticate a cell phone to the mobile network. The algorithm most commonly used in this process is COMP128, which was broken by Wagner and Goldberg in less than a day. GSM also uses the A5 algorithm to encrypt transmissions between a cell phone and a base station subsystem; this algorithm has likewise been reverse engineered and cracked.
GPRS has its flaws as well. Owing to the low processing capabilities of smartphones, the WTLS (Wireless Transport Layer Security) key sizes have to be restricted, and these restricted key sizes cannot meet the security requirements of mobile banking applications.
A detailed account of these security flaws and their remedies is given by Kelvin Chikomo, Ming Ki Chong, Alapan Arnab and Andrew Hutchison in their paper titled Security of Mobile Banking, from the University of Cape Town.
Security Measures to be Taken by Banks and Mobile Networks to Prevent Mobile Banking Fraud
The security measures that must be adopted to prevent such threats fall into two broad categories: the steps to be followed by the bank and those to be followed by the bank's customers.
One important step that every bank can take is to provide an official mobile banking application to its customers, so that they do not have to rely on an application developed by another individual or entity. This helps keep users from falling into 'phishing' traps set by fraudulent developers.
Secondly, secure and encrypted data transfer must be enabled between the user's cell phone and the service provider, in this case the telecom carrier. All further connections to the bank's servers should be made over dedicated lines or virtual private networks.
Thirdly, transactions that request a credit or debit must pass through multiple levels of authentication, such as authentication of the cell phone, the customer identification number and the secret mobile PIN (personal identification number) allotted to the customer.
Fourthly, at no point during a transaction may the PIN be transferred as plain text. It must be encrypted and interpreted only at the sending and receiving ends.
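The third and fourth measures above, worked through as an added example (not code from the article or from any bank): the handset answers a single-use challenge with an HMAC tag derived from the PIN, so the carrier network only ever carries the tag, while the bank checks the registered handset, the customer ID and the PIN, and locks the account after repeated wrong PINs. The in-memory store, the salt provisioned into the official app at enrolment, and the customer and device identifiers are all assumptions made for the demo.

```python
import hashlib
import hmac
import os

def derive_pin_key(pin: str, salt: bytes) -> bytes:
    """Stretch a short numeric PIN into a 32-byte key; the bank stores this, never the PIN."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

def _message(nonce: bytes, customer_id: str, device_id: str) -> bytes:
    # Bind the response to one challenge, one customer and one handset.
    return nonce + b"|" + customer_id.encode() + b"|" + device_id.encode()

def client_response(pin: str, salt: bytes, nonce: bytes, customer_id: str, device_id: str) -> bytes:
    """What the handset sends over the carrier network: an HMAC tag, not the PIN itself."""
    return hmac.new(derive_pin_key(pin, salt), _message(nonce, customer_id, device_id), "sha256").digest()

class BankAuthServer:
    """Checks the three factors named in the text: registered handset, customer ID and PIN."""
    MAX_FAILURES = 3  # a 4-6 digit PIN space is tiny, so failed attempts must lock the account

    def __init__(self):
        self.customers = {}   # customer_id -> enrolment record (hypothetical in-memory store)
        self.challenges = {}  # customer_id -> outstanding single-use nonce

    def enroll(self, customer_id: str, device_id: str, pin: str) -> bytes:
        salt = os.urandom(16)
        self.customers[customer_id] = {"device_id": device_id, "salt": salt,
                                       "pin_key": derive_pin_key(pin, salt), "failures": 0}
        return salt  # provisioned into the official app at enrolment (assumption)

    def new_challenge(self, customer_id: str) -> bytes:
        nonce = os.urandom(16)
        self.challenges[customer_id] = nonce
        return nonce

    def verify(self, customer_id: str, device_id: str, tag: bytes) -> bool:
        rec = self.customers.get(customer_id)
        nonce = self.challenges.pop(customer_id, None)  # single use: a replayed tag finds no nonce
        if rec is None or nonce is None or rec["failures"] >= self.MAX_FAILURES:
            return False
        if not hmac.compare_digest(device_id, rec["device_id"]):
            return False  # request came from an unregistered handset
        expected = hmac.new(rec["pin_key"], _message(nonce, customer_id, device_id), "sha256").digest()
        if hmac.compare_digest(expected, tag):
            rec["failures"] = 0
            return True
        rec["failures"] += 1  # wrong PIN: counts towards lockout
        return False
```

Because the PIN space is so small, the lockout (and rate limiting on the real service) is what stops a captured tag from being brute-forced offline against the live account; the tag alone reveals nothing about the PIN to the carrier.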
Precautions Needed While Using a Mobile Banking Application
Never keep messages on the mobile device that contain information such as login passwords sent by the bank. Make a note elsewhere and delete the message.
Secure the information needed to authenticate the cell phone over a network, such as the SIM card number and the SIM card module.
Security is essential not only for the mobile banking application but also for the cell phone itself. Password-protect the mobile device if possible.
Choose a strong password for the mobile application. Do not reuse passwords that are used to log into email accounts or public forums.
Avoid flashing the firmware of the mobile device with software not trusted by the phone vendor; vulnerabilities in untrusted software leave the device exposed to security threats.
Various mobile protection products, such as mobile antivirus programs, are available in the market. Use such software on the cell phone to prevent malware from exploiting the phone's system.
Consumer Awareness is the Biggest Asset Against Mobile Threats
According to Victor Smilgys, Tech CU’s AVP of eCommerce and a mobile security expert, “Fraudsters know that the key to their success lies in the consumer” (source: Credit Union Offers Mobile Banking Security Tips published in Dark Reading). It is the consumers who benefit from technology and it is consumers who lose to fraudsters. An aware customer is many times better than any security system. Hence, the safe use of a mobile banking application lies in the hands of an aware customer.