A new report* by the independent technology analyst states that banks should work with mobile network operators and handset vendors to improve security. In addition, they should plan for living with malware and always assume the possibility of an attack.
Graham Titterington, principal analyst at Ovum and report co-author, believes doing nothing is not an option.
He said: "Mobile banking is inherently vulnerable. Mobile devices may be lost, stolen or hacked and are used in situations that are inherently less secure than sitting in an office or at a home computer.
"Mobile networks may be intercepted either by breaking the wireless encryption mechanism or by hacking into the wired backbone of the network where encryption is not mandatory under telecommunications standards. IT malware that compromises back-end servers, but is harmless in the wireless environment, may be passed through the mobile banking interface."
Ovum believes defence has to design incrementally to a level that is at least equivalent to that deployed in Internet banking. However, mobile security must not be simply a copy of Internet security. While many of the concerns and strategies are similar, the approach must be tailored to the characteristics of the channel and the way in which it is used.
In addition, security must not detract from usability. Ovum believes security must be unobtrusive enough not to interfere with normal transaction flows, but at the same time provide users with the confidence to know that their banking activities are protected.
"Banks must adopt a 'defence in depth' strategy to detect and limit the effects of an attack", said Titterington. "Network vulnerabilities can be avoided by adopting end-to-end encryption of transactions, independent of any encryption provided by the network operator.
"The main objection to this in the past has been the limited computational power of the mobile device, but the time has come to reject this argument as mobile devices become more powerful. Encryption, while not a panacea, protects against eavesdropping, message alteration, and 'man-in-the-middle' attacks."
The report adds that banks should be particularly rigorous in checking the creation of new payment mandates, while emphasising ease of use when making further payments using an existing payment instruction. It recommends that banks should consider offering to reverse payments made in error, as they do with direct debit payments, even if fraud is not proven.
SOURCE: OVUM
* The report is entitled The malware threat to mobile banking.
