How to secure banking transactions with mobile devices, if at all possible
Banking on a smartphone is quick and handy, no doubt. But again and again we hear about large-scale compromises of mobile banking transactions. Attackers are becoming more aggressive and their methods more elaborate. Is there still a way to make mobile transactions reasonably secure?
mTAN (mobile TAN) is often praised as a safe and flexible alternative to online banking with transaction authentication numbers (TANs) printed on paper. However, no mobile platform today is completely secure, not even iOS. Breaking it may cost somewhat more effort and money than on other operating systems, but it is still possible.
For SMS-based banking, the most critical element is the SIM (subscriber identity module) card: it contains a secure element holding the subscriber's authentication key, and the phone number to which the TAN is sent is bound to that card. The SIM therefore has to reach its intended holder in a secure way, and the same holds for any replacement SIM issued later. The challenge thus starts with the digital keys and the question of how to deliver them to the rightful person. Personal handover would in theory be the best solution. The PostIdent procedure, in which the customer has to appear in person at a post office with an ID card before online banking is enabled, is also quite safe. However, it demands more effort from the user and delays the moment at which the service can be used, which again conflicts with the idea of convenient online banking.
Probably the most secure option for online banking today is FinTS (Financial Transaction Services), the protocol that succeeded HBCI (Home Banking Computer Interface). However, it is highly technical and not meant for banking on the go. mTAN is thus a reasonable compromise between security and convenience, provided some precautions are taken: encryption of the data on the mobile device, current malware and phishing protection, regular updates of operating system and applications, communication ports shielded by a firewall, and a fresh one-time password (the TAN) for every transaction. According to Risk Based Security, user names and passwords are a favourite target. In 2014, 62.6% of reported incidents exposed passwords, a remarkable rise from 47.8% in 2013. In total, 3,014 incidents and 1.1 billion records were reported for 2014.
Mobile banking should also only be carried out over TLS-encrypted connections (formerly SSL) and on two separate devices: one that receives the TAN (out-of-band authentication) and another on which the transaction is entered. Simple SMS-based two-factor authentication has been broken several times already. The reason is that a man-in-the-browser attacker rewrites the transaction on the device where it is entered; if the same device also receives and displays the TAN, the malware can hide the manipulation, and the second factor is worthless. Because of such attacks, a single device is not enough; mobile security must not depend on a single device.
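The following is an added illustration, not code from the original article or from any bank's mTAN implementation. It models the man-in-the-browser scenario above with a constructed attacker and a hypothetical HMAC-based TAN (key, counter and account numbers are all made up): a TAN that depends only on a counter lets the rewritten transfer go through, a TAN bound to recipient and amount whose details are shown on a clean second device lets the customer abort, and a bound TAN phished for one transfer is rejected for another. It also shows that binding does not help if the second device is compromised as well, which is the reason for the two-device rule.

```python
"""Constructed demo: SMS/mTAN flows under a man-in-the-browser (MitB) attacker."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical per-customer key. A real bank keeps this in an HSM on its own
# side; it never reaches the customer's device.
BANK_TAN_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Transfer:
    iban: str
    amount_cents: int


def make_tan(key: bytes, counter: int, transfer: Optional[Transfer]) -> str:
    """6-digit TAN derived from an HMAC. With transfer=None the TAN depends only
    on the counter (paper-list style); otherwise it is bound to recipient and
    amount, so it is only valid for exactly that transfer."""
    msg = counter.to_bytes(8, "big")
    if transfer is not None:
        msg += transfer.iban.encode() + transfer.amount_cents.to_bytes(8, "big")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def mitb(transfer: Transfer) -> Transfer:
    """Constructed attacker: rewrites the order in the browser after the
    customer approved it on screen. Account number is made up."""
    return Transfer("DE00ATTACKER00000000000", transfer.amount_cents * 10)


def run(bind_to_details: bool, second_device_clean: bool) -> Tuple[bool, bool]:
    """Simulate one transfer. Returns (transfer_executed, attacker_paid)."""
    counter = 17
    intended = Transfer("DE89370400440532013000", 4_200)   # constructed sample
    received = mitb(intended)              # what the bank actually receives
    # Bank side: generate the TAN over the order it holds and send it out of band.
    tan = make_tan(BANK_TAN_KEY, counter, received if bind_to_details else None)
    sms_details = received if bind_to_details else None
    # If the second device is compromised too, the malware shows the customer
    # the details they expect instead of the real ones from the SMS.
    if sms_details is not None and not second_device_clean:
        sms_details = intended
    # Customer side: approve only if the out-of-band display matches the intent.
    # Without details in the SMS there is nothing to compare against.
    if sms_details is not None and sms_details != intended:
        return (False, False)              # customer notices and aborts
    # Bank side: verify the entered TAN against the order it holds.
    expected = make_tan(BANK_TAN_KEY, counter, received if bind_to_details else None)
    ok = hmac.compare_digest(tan, expected)
    return (ok, ok and received.iban != intended.iban)


def tan_replay_rejected(bind_to_details: bool) -> bool:
    """A TAN issued for the intended transfer is later submitted (e.g. after
    phishing) together with a different transfer. Bound TANs fail this check."""
    counter = 18
    intended = Transfer("DE89370400440532013000", 4_200)
    phished_tan = make_tan(BANK_TAN_KEY, counter, intended if bind_to_details else None)
    attacker_order = mitb(intended)
    expected = make_tan(BANK_TAN_KEY, counter, attacker_order if bind_to_details else None)
    return not hmac.compare_digest(phished_tan, expected)


if __name__ == "__main__":
    print("unbound TAN, clean phone   :", run(False, True))
    print("bound TAN, clean phone     :", run(True, True))
    print("bound TAN, infected phone  :", run(True, False))
    print("replay rejected (bound)    :", tan_replay_rejected(True))
    print("replay rejected (unbound)  :", tan_replay_rejected(False))
```

The HMAC construction is only a stand-in for whatever a bank actually uses; the point carried by the demo is that the out-of-band message must contain the recipient and amount, that the TAN must be cryptographically tied to them, and that both only help when the device showing them is not the one running the attacker's code.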
Biometrics such as fingerprints or even the customer's heartbeat would also be desirable add-ons for smartphone security, as would secure stores for sensitive information on the device.
Multi-layer security needs to be designed and implemented
However, the best path for safeguarding mobile transactions is multi-layer security: several protection layers, for instance a firewall first, then encryption of the information transmitted over the network, differentiated concepts for authentication and authorization as the third layer, endpoint security on the client as the next one, and so forth. This may be less convenient, but every additional control reduces the risk.
Multi-layered models have to be designed and implemented meticulously. The goal is not to use as many technologies as possible, but to strengthen security with several independent layers of protection, so that a successful attack on one point does not compromise the whole system. It is therefore necessary to identify not only the SIM card (i.e. the phone number that receives the TAN), but also the device on which the transaction is carried out (device binding).
Attackers already operate on multiple layers
Attackers, too, often try to reach your data on several levels, so that it is harder for defenders to deploy the right countermeasures once an attack is discovered. According to the US telecom provider Verizon, 70 percent of cyberattacks combine phishing and hacking and involve a secondary victim, which makes the attack more complex. A secondary victim here means that the criminals make their targets believe the attack comes from someone else; in the case of a counterstrike, that unwitting person or institution would be hit, not the real attacker.
With a multi-layered approach, potential victims are better prepared from the start for any kind of attack. Where software risks cannot be removed by improving the software itself, layers can still be placed in front of it to reach the required level of protection. Risk-based authentication and authorization, for example, lets banks recognize unusual user behaviour in real time and request further credentials. This has limits, however: when fraud is spread over many small transactions, each one looks normal on its own and the unusual pattern often goes unnoticed unless transactions are also evaluated in aggregate.
Authentication and authorization should also be risk- and context-based, taking elements such as the user's location, the device in use and currently known threats into account. Banks should deploy software that detects web injections from malicious sites, i.e. the code a man-in-the-browser trojan adds to the bank's own pages. A move towards Security and Privacy by Design, covering all available methods, is unavoidable.
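As an added example (not part of the original article and not any vendor's product), the following constructed risk engine shows both points made in the last two paragraphs: context rules on a single transaction (unknown device fingerprint, foreign country, unknown recipient, large amount) and an aggregate velocity rule that catches fraud spread over several small transfers which each pass the per-transaction check. All customer data, device identifiers, thresholds and weights are made up; a real deployment would tune them from its own fraud history.

```python
"""Constructed demo: risk-based authorization with and without an aggregate rule."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

STEP_UP = 50          # hypothetical score at which a further credential is requested
LARGE = 100_000       # hypothetical "large amount" threshold in cents (1,000 EUR)


@dataclass(frozen=True)
class Txn:
    ts: datetime
    customer: str
    device_id: str     # hypothetical device fingerprint sent by the banking app
    country: str       # hypothetical geolocation of the session
    recipient: str
    amount_cents: int


@dataclass
class Profile:
    known_devices: Set[str]
    home_country: str
    known_recipients: Set[str]


def per_txn_score(t: Txn, p: Profile) -> int:
    """Context rules that look at one transaction in isolation (weights made up)."""
    score = 0
    if t.device_id not in p.known_devices:
        score += 30
    if t.country != p.home_country:
        score += 30
    if t.recipient not in p.known_recipients:
        score += 10
    if t.amount_cents >= LARGE:
        score += 40
    return score


class RiskEngine:
    def __init__(self, profiles: Dict[str, Profile], use_aggregate: bool):
        self.profiles = profiles
        self.use_aggregate = use_aggregate
        self.history: Dict[str, List[Txn]] = defaultdict(list)

    def decide(self, t: Txn) -> Tuple[str, int]:
        p = self.profiles[t.customer]
        score = per_txn_score(t, p)
        if self.use_aggregate and t.recipient not in p.known_recipients:
            # Velocity rule: total sent to unknown recipients in the last 24 h,
            # including this transfer, is treated like one large transfer.
            window = [h for h in self.history[t.customer]
                      if t.ts - h.ts <= timedelta(hours=24)
                      and h.recipient not in p.known_recipients]
            if sum(h.amount_cents for h in window) + t.amount_cents >= LARGE:
                score += 40
        self.history[t.customer].append(t)
        return ("step_up" if score >= STEP_UP else "allow", score)


def sample_transactions() -> List[Txn]:
    """Constructed sequence: one normal transfer, one from an unknown device abroad,
    then five small transfers to a new recipient (a 'salami' pattern)."""
    t0 = datetime(2015, 6, 1, 9, 0)
    txns = [
        Txn(t0, "alice", "dev-A", "DE", "DE89370400440532013000", 5_000),
        Txn(t0 + timedelta(minutes=5), "alice", "dev-X", "RO", "DE89370400440532013000", 5_000),
    ]
    for i in range(5):
        txns.append(Txn(t0 + timedelta(hours=1 + i), "alice", "dev-A", "DE",
                        "DE00MULE000000000000000", 25_000))
    return txns


def decisions(use_aggregate: bool) -> List[str]:
    profiles = {"alice": Profile({"dev-A"}, "DE", {"DE89370400440532013000"})}
    engine = RiskEngine(profiles, use_aggregate)
    return [engine.decide(t)[0] for t in sample_transactions()]


if __name__ == "__main__":
    print("per-transaction only:", decisions(False))
    print("with aggregate rule :", decisions(True))
```

With per-transaction rules only, the foreign session from an unknown device is stepped up but every 250 EUR transfer to the new recipient is allowed; with the aggregate rule the fourth transfer, at which the 24-hour total reaches the large-amount threshold, and every one after it requires a further credential.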
If banks take a risk-based approach and communicate it openly, the growth in new mobile banking users probably will not stall as it currently appears to in the US. Today, however, banks often leave customers in the dark about security issues. Yet trust and security are crucial if online banking is to make sense for both parties: for customers, because they can trust the payment procedure; for banks, because the risks remain calculable and the online banking business, which is far more attractive than paper-based transactions, can keep growing.
Martin Kuppinger is Founder of the independent analyst company KuppingerCole and, as Principal Analyst, responsible for KuppingerCole research. In his 25 years of IT experience he has written more than 50 IT-related books, is known as a widely read columnist and author of technical articles and reviews, and is a well-established speaker and moderator at seminars and congresses. His interest in Identity Management dates back to the 1980s, when he also gained considerable experience in software architecture development. Over the years he has added several other fields of research, including virtualization, cloud computing and overall IT security. Having studied economics, he combines in-depth IT knowledge with a strong business perspective.