For the time being the mobile banking environment is fairly safe. That's not because mobile phones are secure, often they're not. Few people use passwords or install anti-virus software. Security experts say they're safe simply because cybercriminals have not yet seriously targeted phones for malware. But as more people adopt mobile banking and it becomes more transactional-not just checking balances and getting alerts-the threats are likely to mount quickly.
Jacob Jegher, a senior analyst at Celent, says criminals have not targeted mobile phones for the same reason they have bypassed Macs in favor of PCs. Criminals want to develop spyware for the masses, and mobile banking adoption is simply too small to attract serious attention.
Someday, however, there will be a tipping point. Nick Holland, a senior analyst at Aite, says: "People are extremely naive and have no idea that mobile devices are susceptible to fraud. They're not connecting the same threats to the laptop to that of mobile devices because it hasn't happened yet. But mobile banking is transitioning to something much more transactional and fraudsters are acutely aware of the opportunity in the pipeline."
All the big vendors, including Symantec, VeriSign, RSA and McAfee, have anti-virus solutions. Typically these are imbedded in third-party solutions, or loaded onto a phone's software; they're not offered by the banks themselves. "I don't think the banks are looking at the security aspects at all, which could be problematic," says Holland. "If a vendor says it had 128-bit encryption, they trust it will work."
The nascent threat to mobile banking now takes two forms: worms and malware masquerading as legitimate banking apps. Some analysts say the app stores of the iPhone, Android and Blackberry, with their tens of thousands of apps, are vulnerable. "It's an arms race for apps, with an emphasis on quantity rather than quality. Are they really doing due diligence on all of them?" asks Holland.
In one of the first such cases in December, a phisher hoping to harvest bank login information smuggled his app onto the Android app store, which offers more than 20,000 apps. The rogue app posed as a legitimate banking applet but was designed to trick users into handing over bank login details to fraudsters. The malicious app, posted by Droid09, was quickly identified.
Another potential threat comes from worms, says Joram Borenstein, senior manager, identity protection & verification at RSA. Security experts are following one in particular called SexyView, which travels through SMS. SexyView grabs phone numbers from an infected phone and then sends text messages to them with a link to download a new copy of the worm from the Web. It also gathers data such as the handset serial numbers and phone numbers and posts them to a remote server. The purpose of SexyView is unknown, but some fear that the worm might be assembling the first mobile botnet. To Borenstein, this all seems very 2006. "It's like you're rewinding to what was happening with the PC three or four years ago." Some of the malware today are "innocuous," he says, but serve a nefarious purpose.
Despite these looming threats, mobile banking could prove one of the most secure banking channels, argues Jim Van Dyke, president of Javelin Strategy & Research. The fact that a phone conveys real-time information, has geo-positioning capabilities and could incorporate biometric security features such as fingerprints and voice recognition means the channel could become an important place to boost security for consumers and the bank. "With mobile devices, things could go very right or horribly wrong," he says.