M-banking adoption outpacing security

As mobile banking use continues growing, the security risks associated with it are not limited to malicious software or viruses targeting mobile devices. That the device becomes the main channel for banking transactions, its compact size, and an underdeveloped mobile security landscape also compound the risks, observers say.

According to Axelle Apvrille, senior mobile antivirus researcher at Fortinet, two of the current biggest threats in mobile banking are the malicious mobile components of Zeus and SpyEye malware. Zitmo (or "Zeus in the mobile") and Spitmo, as they are called respectively, steal the banking credentials that customers receive via SMS on their phones giving them access to the accounts, she said.

Security researchers also noted that the dangers of mobile banking were also in exacerbated vulnerabilities, and not just mobile-targeted malware. For instance, mobile users are more likely to fall victim to phishing as the phone's small screen size means lengthy URLs are not displayed totally, so they may inadvertently enter their credentials on a fake Web site, Apvrille explained. Similarly, a small touch-enabled keyboard may drive mobile banking customers to use simpler, shorter passwords than on a PC, making it easier for criminals to crack through brute-force attacks.

Luis Corrons, PandaLabs technical director at Panda Security, said the biggest risk was identity theft via Trojans and phishing attacks, which are more likely to happen on mobiles since these usually connect to unsecured wireless networks.

Security is also at risk when the mobile becomes a PC substitute for online banking. Paul Ducklin, head of technology for Asia-Pacific at Sophos, said two-factor authentication (2FA)--via a code sent to the phone--supposedly makes it harder for cybercrooks since they need to compromise both the PC and phone. "But if you're receiving your [verification] code and doing your banking on the same device, you really only have one factor of authentication. That puts you back to where you started in terms of online banking [security]."

Ducklin added in his e-mail that the main problem lies in the disparity between the mobile's platform's growth and its defense quality. Mobile devices and their operating systems (OS) are in a state of extremely rapid change, and users have developed expectations that they can do the same tasks of electronic banking on mobile as on a desktop or laptop, he said.

"Yet neither iOS nor Android have encouraged innovation in mobile security by security software vendors, so you pretty much rely on the security baked into the device since third-party software vendors aren't welcome at the core of the OS."

Corrons, however, noted that the heterogeneous landscape of different mobile operating systems is what "makes life harder for cybercriminals" because it takes too much effort to develop Trojans for each platform.

Security essential as m-banking gets more popular
Gilbert Chuah, UOB's regional and Singapore head of Internet banking, added that security risks are significant largely due to the fact that even though more users access the Web on smartphones and tablets, there is a lack of compatible antivirus software for these mobile devices available in the market.

Banks contacted agreed that the mobile security vulnerabilities called for added attention and vigilance, especially as m-banking gains traction due to convenience and better connectivity.

Singapore bank OCBC had growth of more than 100 percent year-on-year in the number of users and transaction values with its mobile banking services, said Pranav Seth, OCBC's head of e-business. With the increasing adoption of mobile banking, mobile platform security will also grow in importance, he added in an e-mail.

Seth said OCBC takes mobile banking security "very seriously", and implements various features to minimize the potential risks. These include end-to-end encryption to ensure that customers' credentials are not intercepted. "We are constantly looking at ways to improve our security features in view of hackers getting more sophisticated," he noted.

UOB also saw "positive uptake" with more than 120,000 customers conducting transactions using its mobile banking app that was launched last December, according to Chuah.

Besides reviewing its mobile security strategy, he said UOB continually monitors security developments in the mobile banking space as well as establishes partnerships with mobile development agencies, device manufacturers and telcos to stay vigilant.

Chuah added that UOB had several protection measures to help ensure customer security with its mobile banking service. For instance, before any mobile fund transfer can take place, a user must first register a list of recipients including identification details. Users also receive a specific reference number via SMS, which allows them to cancel the transaction any time within 24 hours.