
There have been numerous reports on mobile banking security (specifically about its supposed inadequacy) (read here, here and here). Reading between the lines, I think many of these articles are predominantly produced to support a specific agenda. There have also been recent reports of fraud in mobile banking (read here and here). While this is worrying, it is also an indication of substantial business growth: the volumes are now large enough to make criminal activity worthwhile and to get reported in the media. I would have liked to comment more directly on one of the specific frauds referenced here, but this will have to wait until the investigations are completed.
However, considering that this is a hot topic, I would like to make the following comments:
It is important to balance the implementation of security with usability. It is of no use having sterling security if it is implemented in such a way that the system becomes difficult to use.
The first objective of mobile banking security is to provide consumer protection. Consumers must have the confidence that their money cannot be stolen. This can be achieved via secure authentication, but it is best when backed up by some kind of guarantee.
Fraud is most often perpetrated by employees (or sometimes even management) who steal from the company. Good business process and segregation of duties are critical to ensure that these types of fraud do not occur.
Security is most relevant when things go wrong. The criminally minded often target the parts of the system that handle exceptions, such as when a phone stops working or a PIN is forgotten, when designing fraudulent attacks. It is important to give sufficient attention to designing security into these business processes.


...