This blog post is based on an article authored by David Vergara, Director of Security Product Marketing, VASCO, that first appeared 2/21/2018 in Credit Union Times.
As part of a secure and seamless mobile first strategy, banks, credit unions, and other financial institutions must rethink the customer journey. Financial institutions strategically aim for customers to do more with mobile while minimizing the fraud exposure that comes from untrusted, high-risk devices. To enable growth in the mobile channel, financial institutions need to provide fast, convenient, and frictionless high-value services delivered as securely and as fraud-resistant as possible.
To achieve this goal, building more trust is priority one. Many consumers are waiting for banks to prove that high-value mobile banking services can be made trustworthy enough to earn their business and loyalty. However, before banks can overcome consumers’ apprehension about mobile security, they must address technical issues that are unique to mobile. Banks need to see mobile security as a complete picture and create a dedicated, multilayered mobile security strategy that focuses on securing the:
- Identity of their online and mobile users
- Integrity of the devices their customers use
- Reliability of customers’ banking transactions
A Successful Mobile First Strategy is Built on Trust
Building on these three pillars, here are eight best practices that will enable banks to build customer trust and deliver a secure mobile banking experience:
- Provide fast and secure login to banking apps
Customers generally want a secure mobile experience that allows them to use more services on their mobile device. As a foundation, banks first need to enable fast and secure login to banking apps. This requires multi-modal biometrics and multi-factor authentication. Your bank should have the ability to easily add, change, or combine PIN, fingerprint, or face recognition to provide the right level of security for each transaction. This will increase customer trust and loyalty.
- Deliver a frictionless experience
Friction dampens customer enthusiasm for mobile banking – and the login and authentication stage is where delays occur most often. While consumers are used to clicking through multiple screens to complete an action on a desktop, they expect mobile banking to be much simpler. The mobile banking app and its supporting IT use multiple security technologies to secure devices and communication. Look for ways to tie these processes together without requiring extra actions by the customer. For example, a mobile device can authenticate itself when a new session is started. Behavioral authentication is another frictionless option.
- Protect mobile banking apps
As mentioned in Credit Union Times, the increased popularity of mobile banking creates a very competitive and challenging environment, especially for mobile app developers. Rushed releases often create vulnerabilities in the application layer. The BankBot Android mobile banking malware, for instance, besieged more than 420 leading banks in countries such as Germany, France, Austria, the Netherlands, Turkey, and the United States. The malware allows attackers to create windows that sit on top of legitimate Android applications and intercept user information. Best practice is to harden the app via mobile app shielding. This keeps the app (and backend systems) safe even when the app is running on devices with disabled OS protection or devices already infected with malware.
- Measure risk on each mobile device
The foundation of strong security is multi-layered controls. If a hacker manages to get past one layer, other controls mitigate the malicious activity. Among these are technologies that analyze each device, and the behavior of its user while engaged with a mobile banking app, in real time. The goal is to score the risk of each mobile transaction and provide actionable data so that policy can be enforced when a score exceeds a critical threshold.
- Adopt an omnichannel approach
To stay competitive, financial organizations need to seek ways to achieve a great user experience across channels – including mobile. Different channels often require different ways to prove the customer’s identity and authorize transactions. Variances can lead to friction and frustration. Look to inject a simple, intuitive experience with fewer required steps. For example, as part of your mobile first strategy, give customers the ability to scan a secure image instead of typing a username and password.
- Combat social engineering and other threats
Phishing and other types of social engineering exploit trust to steal valuable information such as usernames, passwords, credit card numbers, or other sensitive data. Even with education and additional user controls, social engineering is still successful. The simple reason is that the final decision to complete a transaction is made by the user who authenticates to the financial institution. The best approach to reduce the human risk in banking fraud is to make the bank the sole initiator of a transaction verification request. A security solution designed to thwart man-in-the-middle and other sophisticated attacks takes the trust decision out of the hands of the user and ensures that only the bank or credit union can initiate a transaction verification request. This shifts transaction authorization control from the user to the trusted device and the financial institution.
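To make the bank-initiated verification flow concrete, here is an added example in Python (not from the original article or any VASCO product): the keys, transaction values and function names are constructed assumptions, and symmetric HMAC keys stand in for the signing keys a real deployment would provision to the device. It walks through a genuine approval, a replayed approval, a request the bank did not create, and a transfer whose payee was altered before it reached the bank.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample keys provisioned to one device at enrollment (illustration only;
# real deployments keep such keys in protected hardware or use asymmetric signing keys).
REQUEST_KEY = b"constructed-request-authentication-key"  # device checks the bank sent the request
DEVICE_KEY = b"constructed-device-approval-key"          # bank checks the device approved it

def _mac(key, label, body):
    msg = label + json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class Bank:
    """Only the bank creates verification requests; each carries a one-time nonce."""
    def __init__(self):
        self.pending = {}
    def request_verification(self, tx):
        body = {"nonce": secrets.token_hex(16), "tx": tx}
        self.pending[body["nonce"]] = body
        return {"body": body, "bank_tag": _mac(REQUEST_KEY, b"request:", body)}
    def accept_approval(self, approval):
        body = self.pending.pop(approval.get("nonce"), None)  # unknown or reused nonce: reject
        if body is None:
            return False
        # The MAC covers the exact details the bank sent, so an approval of other details fails.
        return hmac.compare_digest(_mac(DEVICE_KEY, b"approval:", body), approval["device_sig"])

def device_approve(request, user_accepts):
    """Trusted device: refuse anything not bank-initiated, show the details, then sign them."""
    body = request["body"]
    if not hmac.compare_digest(_mac(REQUEST_KEY, b"request:", body), request["bank_tag"]):
        return None  # forged or tampered request: never shown to the user
    if not user_accepts(body["tx"]):
        return None
    return {"nonce": body["nonce"], "device_sig": _mac(DEVICE_KEY, b"approval:", body)}

def run_scenarios():
    bank = Bank()
    tx = {"amount": "250.00", "to": "IBAN-INTENDED-PAYEE"}  # constructed transaction
    intended = lambda shown: shown["to"] == "IBAN-INTENDED-PAYEE"  # user reads the screen
    req = bank.request_verification(tx)                  # 1. genuine transfer
    approval = device_approve(req, intended)
    genuine = bank.accept_approval(approval)
    replay = bank.accept_approval(approval)              # 2. replayed approval, nonce consumed
    forged = dict(req, bank_tag=_mac(b"attacker-key", b"request:", req["body"]))
    forged_result = device_approve(forged, intended)     # 3. request not created by the bank
    altered = bank.request_verification(dict(tx, to="IBAN-ATTACKER"))
    altered_result = device_approve(altered, intended)   # 4. payee altered in transit, user declines
    return {"genuine": genuine, "replay": replay, "forged": forged_result, "altered": altered_result}
```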
- Be ready for regulation
As mentioned in Credit Union Times, the financial services industry is one of the most heavily regulated, and more rules are on the way. For example, the New York State Department of Financial Services’ Cybersecurity Requirements for Financial Services Companies includes requirements for multi-factor authentication and application security. Given that many financial institutions do business in New York, the law affects hundreds of institutions. In the EU, the new Payment Services Directive 2, or PSD2, regulates the security of electronic payments — including mobile banking and retail payments security. Other regulations, such as PCI DSS, require multi-factor authentication for access to sensitive data.
- Enable customers to sign documents with e-signatures
Mobile has become the central access point for digital transactions because it provides a level of freedom and flexibility that wasn’t available just a decade ago. If the mobile banking experience includes ink signatures at any point during the transaction, it isn’t a fully digital one. E-signatures help keep banking processes digital by eliminating the need to use paper to complete loan contracts, open accounts, and sign banking documents. A flexible electronic signature platform accommodates any business process across any channel — online, the call center, the retail branch, interactions with financial advisors outside the branch, and mobile.
For more information on adopting a mobile first strategy, download this eBook:
8 Industry Best Practices for a Successful Mobile First Strategy