When banking goes mobile

With the increase in adoption of mobile banking applications, there is also a rise in security risks associated with them


Taru Bhatia | May 13, 2016 | New Delhi




Net banking is becoming passé. Banks today are offering their services on mobile phones for the convenience of users. Around 59 percent of customers avail various banking services on phones, according to KPMG, a global financial and business advisor. However, the security of such banking applications is still a matter of concern. While banks use a two-way authentication process to identify their users, security experts consider this method outdated and hackable.
 
Experimenting with biometrics as a security gateway is under discussion. But can banks rely on biometrics taken on mobile phones? The answer is still debatable.
 
The two-factor authentication method comprises a one-time password (OTP) and a PIN number. According to Tarun Wig, security consultant at Delhi-based Innefu Labs, the method is obsolete now. “If my device is compromised, a hacker can take out sensitive information such as card number and PIN number without my knowledge. They can access my OTP and send it to the bank to complete the transaction,” he says. A device here could be a SIM card, an app or a mobile phone.
 
“Unlike internet banking, the process of two-way authentication for mobile banking has got converged, meaning that I am putting my password on the same phone where I am receiving the OTP. So, if my phone has been compromised, there is a possibility that the attacker is able to access the combination of SIM and OTP without my knowledge,” says Akhilesh Tuteja, head, risk consulting at KPMG, adding that it is possible though not easy.
 
There are different ways in which malware can be put into a phone. If we go to an app store, we can find thousands of small applications available for free. Some of these mobile apps are made by rogue developers to deceive users and track passwords and locations. So, users need to be careful to read about an app before downloading it.
 
Besides, when a user visits various websites from his phone, say to download songs, the possibility of malware entering the phone increases. Hence, internet usage on phones has made them vulnerable to attacks.
 
Moreover, in the two-way authentication method, banks generally accept a numeric password for their mobile banking apps, which Tuteja feels is easier to break than an alphanumeric password.
 
How a device is handled is also an essential factor in determining the vulnerability of banking applications. “The biggest problem lies in user awareness. In any app, you are required to put the password. So, how good or strong a password you keep is an important consideration,” he says.
 
To keep mobile phones secure, the user must frequently change the banking application passwords. Users may also choose not to download any app from non-credible sources, Tuteja says. 
 
Banks also provide their users an option to subscribe to SMS and email alerts. Users must opt for this service in order to keep track of their banking activities. 
 
Looking at biometric-based security
To enhance the security of banking apps, banks must explore biometrics as a security gateway, believe experts. But implementing it is a challenge. Not all phones available in the market support the biometrics feature. Among the ones that allow users to take biometric samples, the level of accuracy has to be considered, as does whether the format of the sample can be integrated with the backend systems of banks.
 
State Bank of India (SBI), with over 15 million m-banking users, will soon launch a biometric-based security feature for mobile banking. “The technology is still under evaluation. The customers will not be asked to share passwords or PIN number if the biometric sample is accepted,” Shiv Kumar Bhasin, chief technology officer, SBI, says. The biometrics could include fingerprints, iris and voice, he says, adding that they would ensure that the method to verify users by their biometrics is user-friendly and requires no external device.
 
Now one has to see how many of SBI’s customers using its m-banking application will be able to adapt to this new feature. 
 
Phones with such an advanced feature to support biometrics are expensive. For example, the fingerprint scanner is available in phones priced above Rs 10,000. To assume that everyone owns such a phone is not prudent. We need to give this technology some time until we have mobile phones that can incorporate this technology accurately, and are affordable enough to reach the masses.
 
Industry solution
While users should take precautions for safe mobile banking, banks can also implement technology to detect malware coming from their users’ devices. Vaidhyanathan Iyer, business unit executive, IBM Security, says that we cannot blame applications alone. How security inside banks works also matters. “Our cloud-based solution Trusteer tries to prevent web frauds. If I am availing banking services from a malware-infected mobile phone, banks’ backend system integrated with this solution tells which users’ devices have been infected with a malware. With this information, banks can stop the transaction. This is one way of protecting it. By another way, banks can help customers remove malware from their device,” says Iyer.

taru@governancenow.com
 
(The article appears in May 1-15, 2016 edition of Governance Now)
 
