Unknown Risks of Mobile Banking

Perspective: Layered Security is the Only Option
One pioneer in mobile banking suggests that banks and credit unions should not let security fears inhibit their moves into mobile innovations. Many security unknowns surround this emerging channel, but San Francisco-based Patelco Credit Union, $3.75 billion in assets, pushed its way ahead of the pack when in 2001 it launched its browser-based mobile banking service.

Anthony Vitale is Patelco's assistant vice president of information technology development; he's been with the credit union for nearly 10 years, and says Patelco's vision for mobile banking has changed quite a bit over the last decade. The credit union, up until recently, only targeted online users for its mobile banking service. Today, the institution is leveraging the channel to reach new members. "We recognize the need to reach beyond online banking users to the subset of the population that are heavy cell phone users," Vitale says. "This is an untapped market, and one which will require greater cost to acquire through print media, statement inserts, newsletters, communications, etc., and which will be a focus for Patelco in 2011, and the final months of 2010."

In this interview, Patelco's Vitale shares his views about how banks and credit unions should approach mobile banking, adding that security is an issue, but it should not halt innovation.

At Patelco, Vitale oversees the software development process for desktop applications and online delivery solutions, including online banking, mobile banking, new account automation and loan origination systems. He also oversees the development and support of Patelco's database reporting systems. Vitale is a member of the technology committee at Open Financial Solutions, a leading technology-based research and development organization for credit unions.

TRACY KITTEN: Anthony, please tell the audience a bit about your role with Patelco, and a little bit about the credit union and its membership?

ANTHONY VITALE: Patelco is based in the San Francisco Bay Area; it's a community-chartered credit union. It has a field of membership that serves approximately 1,000 large and small businesses throughout California and Illinois. It began as the credit union for the Pacific Telephone and Telegraph Company, which is where its name was derived from. It was founded in 1936, with $500 in deposits and has grown over the last 70-odd years to approximately $3.7 billion in assets today, and has approximately 290,000 members. My role here at Patelco is to manage the software development process for desktop applications and online-delivery solutions, such as online banking, mobile banking, our new membership platform, consumer loan origination systems, as well as our data warehouse and reporting system.

KITTEN: Patelco has been exploring innovative banking channels, such as the mobile channel, for nearly a decade. How and when did the credit union launch its mobile banking offer?

VITALE: I've been with Patelco now for nearly 10 years, and there has always been a commitment to offer its members access to the latest and most convenient banking services. It is in that spirit that we partnered with MShift back in 2001 to build and integrate a browser-based mobile solution. MShift used a screen-scraping technology, which allowed them to bring a product to market fast. They essentially pass the user request to our site behind the scenes; we perform the transaction and MShift takes the response and presents it in a user-friendly fashion suitable for a mobile device. It was very innovative and enabled Patelco to offer a mobile solution before many other financial institutions did at that time.

KITTEN: At Patelco, you said about 60 percent of your membership currently banks online. Has Patelco focused its marketing for mobile banking toward those online users?

VITALE: Most recently, Patelco's marketing efforts, with regard to mobile banking, have been focused on existing online banking users, as it has been the most cost-effective means of reaching those members who are predisposed to non-traditional banking -- for example, using resources other than a branch or ATM. But, we recognize the need to reach beyond online banking users to the subset of the population that are heavy cell phone users without ready access to a computer. ... (This) will be a focus for Patelco in 2011, and the final months of 2010.

KITTEN: Do you think, Anthony, that financial institutions missed the mark by solely focusing mobile-banking strategies toward their online users?

VITALE: During the 2009 holiday season, over 60 percent of shoppers between the ages of 18 and 34 used their mobile phone for in-store activities, to do things like price comparisons, reading peer feedback and downloading coupons. There are apps out there now, one of which is called RedLaser, and it's one of the top five paid apps in the Apple Store. So, people are willing to pay for this. It lets you scan a UPC code and gives you price comparisons. Another similar app is called ShopSavvy; it's the top free app in the Android Marketplace. So, based on these statistics, I don't necessarily think your mobile users are a subset of your online banking users. I think they can be mutually exclusive and can be segmented and targeted differently.

KITTEN: Patelco has about 8,000 mobile banking users, which accounts for about 3 percent of your overall membership. Patelco offers SMS/text and browser-based mobile banking that we've been discussing. Are the majority of your mobile banking members using both mobile options?

VITALE: Yes. But, what has been interesting is that we have been seeing a much higher growth rate in our SMS/text banking service. We launched text-message banking back in very early 2008, and its adoption rate has been much higher than our mobile-based solution in 2001. But, I would add that it's probably correlated to timing. Every year for the past six years, we've said it's the year of mobile, and if it isn't this year, maybe it's next year; but we're getting close. Just to give you some data to back that up, if you think of the adoption of mobile phones, two-thirds of the world's population had a mobile phone. You basically have 4.6 billion mobile subscribers. That is more than the number of people with a personal computer, and adoption is eight times faster. Some people say that mobile isn't really happening in retail or commerce, but if you think about ShopSavvy and the RedLaser examples, as I mentioned earlier, it's changing the retail landscape. So we expect our mobile adoption to continue to increase over time, through both SMS and our browser-based solutions.

KITTEN: And then, from a security perspective, browser-based mobile banking poses some security risks, because of the need for users to oftentimes download applications, such as the iPhone apps for mobile banking. What considerations did Patelco take into account before deciding to offer mobile banking that requires users to download any type of application?

VITALE: Well, Patelco is currently in the process of developing and launching its first downloadable app. We're still learning as we go through the process; but we are approaching it in a way similar to our online channel, using a layered approach to security, with the understanding that there are emerging threats that we still haven't seen. With that in mind, incorporating authentication measures throughout the process is one area we focus on. We're looking at different types of transactions and the risks they pose, since not all types of transactions pose the same type of risk. In addition to authentication, there are ways we are mitigating risk by incorporating certain types of transactional limits embedded within the app and notifying the user of certain types of events through different means, such as e-mail or text. We also incorporate behavior profiling and embed that within the application design. We also incorporate design considerations, such as how we cache and how we encrypt, and how we validate user input.

KITTEN: I know Patelco works with MShift for its mobile banking platform. What other providers did you talk to, and what security measures does MShift have that provide layers of security for Patelco and its members, such as not caching the pages?

VITALE: The mobile banking platform was implemented in 2001 by John Shields, who at the time was our chief of technology here at Patelco. It was through his leadership and vision that we partnered with MShift at the time. MShift has a number of security measures in place to safeguard the mobile sessions. Their platform is leveraged through your Internet banking site. This means that there is no redefinition of the rules you already have in place. Sensitive user information is transmitted via end-to-end SSL, so the transmission from a handset is no different than an SSL transmission from a PC. Sessions are encrypted and devices are authenticated in real time against MShift's device signature. No data is stored during the conversation process. The Web page provided by Internet banking is converted into a mobile page and delivered back to the handset in real time. The entire process occurs within the memory space of the application and takes place in one transaction.

KITTEN: With that tie between online and mobile, Patelco is now working to offer more services via browser-based mobile devices. One of those offers is peer-to-peer payments. Please give us some background, as it relates to Patelco's P-to-P offer online. I know you use CashEdge's PopMoney service; how does the credit union plan to transition that offer to the mobile channel?

VITALE: The mobile channel is an exciting area right now; there is a lot happening within that space. When you look at the trends and the growth rate, all the innovation that is happening, it's an exciting opportunity and an area our members are interested in. So, I think that's kind of what set the stage to look at our mobile banking. We have a long-established partnership with CashEdge through a product we call MoneyLink-24. It's a service powered by CashEdge that allows you to transfer money from your Patelco account to another financial institution and vice versa. When we learned about PopMoney, we were in a good position, already having worked with CashEdge. The first stage is to configure the service and then launch it through our regular online channel. The next step in transitioning to a mobile channel was to make it available through the mobile browser-based version of our mobile solution, which was powered by MShift. So, we were able to leverage CashEdge's PopMoney platform and MShift's screen-scraping technology to deliver a fully integrated P-to-P solution available through our mobile channel.

KITTEN: What doors, Anthony, do you expect P-to-P to open for mobile users?

VITALE: P-to-P essentially enables you to send money to another individual, and all you need to know is their e-mail address or mobile number. Moreover, there is no financial information being exchanged between the sender and the recipient. So, you can basically send money to anyone. The way PopMoney P-to-P works is that the sender just plugs in how much they want to send and enters an e-mail address or mobile number and off it goes. The recipient receives a notification of the money being sent, and if that recipient banks at a financial institution that also partners with PopMoney, they can go right onto their online banking site and accept the transfer. Or else, they can provide the routing information through PopMoney's website and accept the funds that way. The sender only knows the recipient accepted the money. So, P-to-P basically makes sending money very convenient for mobile users.

KITTEN: And, finally, Anthony, what are the top three security concerns credit unions should consider before launching any mobile service or application?

VITALE: You definitely want to consider the fact that you do not have the ability to safeguard the phone, physically. The phone can be stolen or lost by the end-user. No. 2, there are emerging threats in mobile malware, phishing and social-engineering tactics. Many of the vulnerabilities we see on the online channel also pertain to mobile, as well. No. 3, you can't control the member, how they use their phone, what they use it for, what kind of information they store, what apps they download. So, it's an unknown risk you can't control. You just never know what kind of personal information they are exposing on their phone, or the type of application they're running that could compromise it.

About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.