Mobile Banking: Today's 'Must-Have'Avoid Security Risks with Planning and Layered Controls
"We've seen significant growth in the number of our customers choosing to use mobile banking as a primary source to gather information about their personal accounts," Gordon says. "As we look at the past year, the primary changes that we've done to our services have been really to make the product and capability easier to use for our customers."
BofA has rolled its mobile offering out to all of the major mobile platforms and applications, including a new iPad app. But the bank also understands its foray into this new banking arena has not come without risk. In fact, Gordon says any banking institution that wants to make mobile services a win for consumers must ensure it consistently reviews and implements security layers and controls.
"As you look at online threats today, in many cases, those same concerns transfer over, regardless of the device customers are using," Gordon says. "The [mobile] application itself gives us more opportunity to include security capabilities. ... The challenge that we see is that we need to be able to validate who our customers are and authenticate them effectively."
During this interview with BankInfoSecurity's Tracy Kitten [transcript below], Gordon discusses:
- Challenges the mobile channel presents for user authentication and device identification;
- Why layered controls, even on the mobile device, are the best ways to ensure security; and
- The need for strong education about mobile malware and mobile behaviors that could put customers at greater risk of an online account compromise.
At BofA, Gordon develops and manages the authentication and security strategies and product development for consumer online and mobile banking. His team's responsibilities include product management for online and mobile banking authentication, authorization, privacy and security, customer education, identity management, domain management and enrollment. Gordon also manages the e-mail security strategy and acts as an expert on online threats and fraud at the enterprise level. Gordon also has been active in the development of BofA's Enterprise Cyber Security strategy. The Security by Design strategy his team developed is in a patent-pending status. His ADA compliance team has a Trade Secret filed for ADA testing and compliance process.
BofA and the Mobile Channel
TRACY KITTEN: It's been more than a year since I last spoke with BofA about mobile banking and payments offers. Can you give our audience some background as well as updates about the offers and services BofA is now providing its customers via the mobile channel?
KEITH GORDON: Mobile banking has become a primary channel for our customers. We've seen significant growth in the number of our customers choosing to use mobile banking as a primary source to gather information about their personal accounts. As we look at the past year, the primary changes that we've done to our services have been really to make the product and capability easier to use for our customers, so we've rolled out to all of the major mobile platforms, including a new iPad app. Our customers have asked for it to be easy to use but intuitive at the same time. With the updates that we've made over the past year, I believe we've done that and we continue to get a lot of great feedback from our customers noting so.
KITTEN: When it comes to mobile banking, are the majority of your users relying more on mobile applications or Internet banking?
GORDON: That's been a gradual change over the past probably three or four years, where primarily in the past it was Internet banking over the phone. However, as we look at our usage today, it's primarily far and above the use of mobile apps, the ones that they've downloaded onto their mobile devices.
Mobile Channel: Security Concerns
KITTEN: What are the security concerns when it comes to the mobile channels? Whether these particular transactions are conducted through an application or they're just accessing their online banking accounts through the mobile device, what security issues do you see?
GORDON: It's interesting. As you look at the online threats today, in many cases those same concerns transfer over regardless of the device customers are using. However, if you look at some basic things that our customers can do to help protect themselves on a mobile device, they're very similar to those on a PC, things like making sure that you've got protection on your device, whether that be antivirus protection or even something as simple as adding a pass code to your phone. But as we look at the threats like malware, those exist both in the online as well as the mobile space. Yet we do have controls in both environments to help protect our customers.
KITTEN: Are there unique security concerns for either methods, applications vs. online access through the mobile devices? Is there one that's more concerning than another?
GORDON: I would say that the application itself gives us more opportunity to include security capabilities that allow our customers to do more with it, and do that more securely. The challenge that we see is, just like in the online space, we need to be able to validate who our customers are, validate their identity and be able to authenticate them effectively to allow them to do the full suite of capabilities. Because of mobile having fewer opportunities to do some of those, we've been slower to move some of those functions to the mobile channel. But, if you look at the difference between the two, there really isn't a significant difference as it relates to security.
Prevention and Detection
KITTEN: Prevention, detection and of course ongoing risk assessments are keys to heightened and ongoing security. What steps is Bank of America taking in those areas?
GORDON: Prevention, detection and resolution are three of the key terms that we use throughout both our security and fraud ecosystem. At the bank, we've got a full suite of capabilities, but the thing that I want to emphasize here is that layers of security and controls are the primary things in making sure that we have a secure environment for our customers to transact. If you look at things like prevention solutions, and making sure that our customers are educated to understand what threats are available to them, we've got a lot of educational materials on our privacy and security site. We have some other products that we offer, like SafePass, which is a one-time pass code for a lot of our customers to integrate into their mobile and online experience. Specifically within mobile, it allows customers to have that extra layer of control around authenticating.
If you look at some of the detection capabilities we have, this really is where we work hard to know our customers, and because we know our customers, it allows us to quickly be able to tell when something doesn't seem right. The term that we use in many cases is anomalous. If we look for some anomalous behavior, something that just doesn't look right, it gives us that heads-up to know that something may not be exactly as it seems. Our security systems that we have in place today, especially from a fraud detection standpoint, analyze millions and millions of transactions a day, looking for those patterns. One of the things that we also offer to our customers to help is our e-alerts. We've got over 51 e-alerts, including things that notify customers if there's irregular activity in their account.
From a resolution standpoint, we offer our zero-liability guarantee which means you aren't held reliable for any unauthorized account transactions or purchases on your debit or credit card.
KITTEN: You mentioned a website that offers information for consumers. Could you give that URL? Is this part of your customer education program that you offer for all of your banking users?
GORDON: Absolutely. If you go to BankofAmerica.com, there's actually a security component on the homepage that allows you to drive right into those pages. It's the privacy and security site and we give specific education to mobile banking users because that was one of the things that we noticed that the customers were asking for, very specific information around mobile protection. We added that this summer.
KITTEN: You've also talked about authentication, and when we talk about authentication we need to talk about not only the online channel but also the mobile channel. What unique authentication challenges face mobile users?
GORDON: As you look at authentication as a general topic, one of the things that we've been very deliberate in doing is ensuring that our customers get the same experience whether you're online or mobile. If you're going in to authenticate, you're used to getting your site key, you're used to having to enter your user name and enter your password; you're going to get the same experience in either channel. The nice thing, from a technology standpoint, is we're using the same set of technologies to do that. We're able to ensure that both ways are equally secure. But as you look at authentication from a mobile standpoint, I wouldn't say that there are any unique challenges to mobile other than the fact that it's just coming in from a different user interface.
KITTEN: Then what about device identification? What challenges does the mobile channel present when it comes to actually identifying the device?
GORDON: We call it device fingerprinting just because it's a way for us to really get a deeper understanding of the device that you're using. Every time you come back to us, we're able to match up that fingerprint and ensure that it's you coming through the front door. One of the things that we've seen, and this has been an evolution in the online space, is the device recognition capability is really deep and goes pretty broad within the operating system. However, with mobile we're still evolving how deep and how broad we can go to get information, so it's a little bit more of a limited data set that we can get to. However, we still have plenty of information that allows us to effectively validate the end-user device.
KITTEN: I wanted to also ask about other options for mobile, such as relying on the mobile channel as an out-of-band method to help PC-initiated online banking transactions.
GORDON: That's actually part of our roadmap and a part of our strategy to ensure that customers are not only going through our online channel so we can have a way to effectively identify them and authorize transactions outside of that experience within the online channel. The mobile device has proven to be that perfect capability to do so, and we offer that today and that's a product called SafePass, where if you're in the online space and as an example you want to do a wire transfer, you will be prompted to enter in your SafePass code and that SafePass code would be sent to your mobile device. We found it to be an extremely effective fraud mitigation control and continue not only to use it but expand the usage of it.
KITTEN: Before we close, what final thoughts would you like to share about mobile banking and mobile security generally?
GORDON: From an over-arching perspective, we're absolutely doing all that we can and it's our responsibility to provide our customers with the most comprehensive security protection we can. We use the latest technologies to prevent fraud, identity theft and to detect suspicious activity and resolve problems quickly and easily should they occur. We're excited about the opportunities mobile is bringing us for our product set, and we will absolutely ensure that it's the most secure and safe environment for our customers to do business with us.