Small banks already face a mobile-banking adoption deficit relative to their larger competitors, but some community institutions are still questioning the channel's safety, weighing emerging security threats against consumer expectations of new mobile banking services.
"Mobile is still an emerging technology, and it isn't fully mature," says John Caton, executive vice president at BankFIRST, a $680 million-asset bank based in Winter Garden, Fla.
Caton says the bank is not offering the latest mobile banking native apps. Part of the concern is the possibility of infiltration of the native apps' operating system.
According to the bank's website, customers can access some rudimentary services by mobile phone, such as text balance inquiries for customers who are already registered for online banking via their personal computer. But the more advanced mobile transactions, such as person-to-person payments, mobile check deposit and smartphone-specific apps, are still tabled until the bank is comfortable with security protections.
"We're primarily focused on securing the PC or a Mac," Caton says. "We are assessing mobile and will offer it eventually, but we won't offer it until we know we can do it securely."
Caton's worries sound contrarian in an otherwise go-go period for mobile banking, but tech providers and analysts say there are threats to mobile banking, including new malware strains and hardware vulnerabilities such as stolen or lost devices.
In an interview, Aaron McPherson, practice director at IDC Financial Insights, said mobile devices are behind the curve in terms of security and antivirus technology, partly because there haven't been enough attacks yet to warrant large-scale development of preventative technology, but that the attacks on mobile banking and preventative techniques will also increase over time.
Amit Ashbel, product manager for the mobile product line at Trusteer, says the exploits and vulnerabilities are increasing rapidly for mobile banking; in the past three years the number of specific attacks has grown five times as rapidly as during the past 15 years of PC-based Internet banking.
"We are seeing a big trend toward an increase in mobile malware that is infecting different smartphone platforms," Ashbel says. "The main threat is the malware that resides on the device."
The threats include "jailbreaking," in which users gain root access to the operating system, allowing iOS users to download additional applications, extensions, and themes that are unavailable through the official Apple App Store, Ashbel says.
"That software may be a credential stealing program," Ashbel says.
Mobile malware and jailbreaking threats can be countered by a layer of security software, added to the browser or native banking app, that notifies the bank if the app has been compromised in some other manner. The bank then follows with a series of countermeasures such as denying login, Ashbel says.
Bart Narter, senior vice president at Celent, says balancing usage parameters against consumer usage patterns can also mitigate mobile banking security threats.
For example, banks can limit mobile payments to recurring payments to pre-existing payees instead of allowing new payment relationships to be initialized in the mobile-banking application. Forbidding the addition of new payees in the app makes it harder for a crook who has infiltrated a mobile device, or stolen it outright, to set himself or herself up as a new biller and then "pay" himself or herself through the mobile banking app.
While that does limit the app's functionality, the limitations aren't prohibitive for most users, Narter says. "You generally don't need to send a wire transfer immediately to a person that you've never sent a wire transfer to before," Narter says.
Similar minor constrictions can be placed on functions such as mobile remote deposit capture, Narter says. "Some banks will give slower availability of funds to reduce the risk of 'double deposit,' for example," he says.