Security as a Service

One of my pet hates with most mobile banking projects is how security is treated as an adjunct rather than a key scope item.  Any product or marketing manager worth their salt knows the number one reason consumers don’t adopt mobile banking services is security concerns.  The reason security is treated as a ‘black sheep’ is that it isn’t doesn’t deliver tangible customer satisfaction improvements.  And even though customers expect it, they don’t often get excited about it.  A change in mind-set is required. Security should be treated as a service.  If you get it right, and promote it appropriately, it could be the key factor in your bank achieving above normal user adoption.

With more and more threats emerging every day, it is becoming clear that having a secure and robust platform is going to be a key enabler to achieving competitive differentiation.  In a recent US study, the primary reason given for not using mobile banking was security.  Four in ten respondents had concerns that prevented them from using the platform.  Security also closely relates to how quickly a bank can bring new services to market.  One of the longest lead times on any mobile project is security approval.  With security assessments and penetration testing being on the critical path, the more robust your security platform is, the less time you need to spend debating whether your new mobile payments feature is going to create additional loop holes.  Here are ten key items to consider when developing your mobile security strategy:

1. Don’t make the customer work

I hate it when banks make a decision that makes life easier for them but harder for their customers.  One of the best examples of this is the handful of UK banks who have replicated their online banking authentication model for mobile.  DO they honestly expect their customers to carry around card readers on the street?  The key to a successful authentication approach is to not make the customer work.  The security solution needs to be integrated and consistent with the form factor of the device and if that means setting up a tailored approach – go for it.

2. Go Native

One of the common elements often overlooked in the ‘Native v HTML5’ debate is the fact that native apps are intrinsically more secure than web.  By going native, banks can implement a process of device verification whereby the unique characteristics of a mobile handset are used to create a secure key.  This key is validated every time the user authenticates.  This means that a fraudster cannot simply phish login credentials.  They would need to get access to the handset as well.  This significantly reduces the banks threat profile and should be proactively communicated to customers as a benefit.

3. Control your environment

With mobile banking you have an excellent opportunity to maintain control of your environment. Banks can utilise the latest device, behavioural, location and transaction profiling techniques to protect their ground. Organisations such as Trusteer offer banks advanced Malware and Jailbreak detection API’s which can be updated without subsequent client releases.  These can be coded into native app builds using standard code libraries.  Finally banks can use firms like Melbourne IT for rapid identification, takedown and analysis of fake apps and websites targeting mobile products and services. 

4. Always keep one eye open

As more and more people start to use mobile banking, fraudsters will start to follow.  In its '2012 Threat Predictions' report, McAfee forecasts that over the next 18 months attackers will improve on their skill set, attackers are likely to bypass PCs and go straight after Mobile banking apps.  So always keep one eye open through effective identification and assessment of the emerging security threat landscape, from both closed and open sources.  Don’t assume that because you have strong measures in place today, that they will be strong in the future.

5. Roadmap it

Most product, strategy and marketing teams have extensive roadmaps outlining what features they aim to launch over the next few years.  Have you ever seen something similar for security? Rarely.  Banks must set a clear mobile security strategy that links together with the channels product backlog.  Remember what your potential customers are telling you.  The number one reason they are not adopting your new mobile service is because they have security fears.  If customers told you they wanted access to setup direct debits on their mobile you would do it.  So go ahead and alleviate those fears.

6. Track benefits

One of the number one reasons security is not a primary scope candidate is that fraud losses are generally tracked at group level, not at an initiative level.  This is also linked to how security initiatives are structured.  They are generally managed as group initiatives and benefits are not tracked accurately.  By treating security as a feature, you can start tracking its impact on hard benefits such as improved customer acquisition and most importantly a reduction in fraud.  If the product manager for your mobile project felt accountable for these benefit areas, then security would automatically get a higher priority.

7. Create a different perception

Do you know that all major UK banks offer a fraud guarantee?  They guarantee to refund customers who suffer from legitimate acts of fraud via their online and mobile channels? You wouldn’t guess this was the case if you looked at their websites. They are currently caught half pregnant.  If they promote it, they are concerned it will give customers something to worry about, if they don’t, they don’t have a chance to alleviate any fears.  I firmly believe that banks need to start promoting this service.  They should develop an icon that is consistently presented across digital channels at all relevant opportunities – especially login.  Banks also need to ensure that the way they design their mobile service should give an immediate impression of strength and safety.  Use icons, colours, gradients and tone of voice to improve the perception.  Customers will subconsciously notice.  Banks should also provide simple, clear and accessible guidance for customers to ensure safe and secure banking whilst on the move. 

8. Mobile is a horizontal capability

One of the great advantages of Mobile is that it’s with your customers all of the time.  It is the greatest communications tool ever invented.  Mobile should not just be treated as a vertical channel but a horizontal capability that can be leveraged across the bank.  From a security perspective it can be used as a delivery channel for services such as card fraud alerts or to validate card not present transactions.  It can also be used to validate overseas transactions.  Customers can be notified when their card is used, or by validating that they are overseas, they can ensure transactions are not blocked by the banks fraud systems.

9. Set budget aside

The security landscape is constantly moving, as soon as you think you are one step ahead, you are one step behind.  Banks need to be ready to act so they should establish a dedicated Mobile security team that is empowered, funded and resourced to deliver tactical changes in response to evolving mobile security threats.  The last thing you want to do when an issue goes down is be haggling over budgets and resources.  By having funding and resources allocated at the start of the year, small changes, minor enhancements and tactical fixes can be deployed rapidly.

10. Biometrics is coming

Biometrics technology such as iris scans, face recognition or finger print scanning has been touted for years.  Australian bank, ANZ, recently announced that they are looking to deploy finger print based ATM’s.  More locally we have seen excellent traction in schools with WisePay who are deploying finger print scanning technology that allows children to purchase goods in school canteens around the country.  Why aren’t banks doing this yet?  Not sure. There has been a significant improvement in biometric security over the last few years, and of any option available, biometrics is likely to be the solution capable of converting the unconverted.