Is 'good-enough' security good enough for Mobile Banking?

CEB TowerGroup predicts mobile banking usage will reach 17 billion transactions in 2015. At the same time, customers are still worried about security, which is the number one fear among potential mobile banking customers (according to a recent Javelin study). Yet this fear has to be balanced with usability. Some banks have turned to the concept of ’good-enough’ security to manage this gap. Is this the right way forward?

Banking apps are undoubtedly the most critical mobile applications. The highest security is expected. According to the research conducted last year by IOActive, 90% of mobile banking apps from leading banks have serious vulnerabilities that could compromise sensitive user data. The most common faults are missing protection against JavaScript injections or Man in The Middle (MiTM) attacks. This study brings to light that financial institutions need to increase the security standards of digital banking solutions, not just in online but mobile solutions too.

Meanwhile, mobile manufacturers have been working on implementing security solutions in their devices. Mobile biometrics (fingerprint, voice and face recognition) and sophisticated privacy settings have evolved into commonly used features in smartphones to ensure enhanced security.

The good news is that, for today, the fear is worse than reality. Even though there is more to be done, heavy investments in mobile security in the last few years have made a big impact. Financial services providers continously try to improve perception and change the way consumers think about security. There is no way institutions can prepare for all security incidents, but they can be prepared to handle them and react immediately.

While the improvements in security are crucial, Consult Hyperion’s Dave Birch said at MobeyDay conference in Barcelona, "Future is not about security, its about convenience!". In other words, noone will use a banking application because it is secure, if it is impossible to use. Innovators in the market (Huntington Bank, Ohio Bank) are already lowering security regulations on mobile and letting customers access their balances and limited functionality without logging in. Disruptive startups are rethinking the whole banking process and applying so called ’good-enough’ security principals. Good user experience can no longer be limited by security regulations. Successful startup applications (TransferWise, Simple) offer simple user experience while keeping it secure. Financial institutions can learn from them to combine controls of the smartphone and complement it with behaviour analytics to identify suspicious and out of pattern activities that may raise a flag.

As technology evolves, so will the challenges faced by banks. I've been reading blogs about how to hack Apple's Touch ID, which might not be the most robust security feature. A hacker can copy and use my fingerprint with a gummy bear - indeed it is the most convenient way to do so. A lock on a door cannot keep out determined criminals, although it is effective enough to handle common threats. I believe we must teach customers to be more careful about their mobile habits and choose the level of safety which makes them comfortable.

Is this the way to go? Will it revolutionise what we think about security today? Ultimately, time will tell. But banks must continually consider how best to balance security and user experience.