Akamai Diversity

The Akamai Blog

New Security Threats in Online Banking Demand Innovative Responses

As we begin a new year, it is worthwhile to look back at some of the events of 2011 - and project where some of the biggest challenges will lie ahead for us in 2012.  Security threats to the online world of financial services were perhaps the number one threat in 2011, and the risks will continue to build in 2012.

Akamai commissioned research by IDC Financial Insights to further understand these threats. The resulting whitepaper, titled 'New Threats Demand Innovative Responses,' exposes some of the challenges that IT departments and their business-side counterparts face in responding to these threats.  Some of the major recommendations include:

- IT security teams need to ensure that security strategies are reflective of business goals and strategic direction where the growth of the digital banking channel is concerned. This requires IT to be involved in the design and development of new products and services from the outset, particularly where newer interaction mechanisms - namely mobile and social - are involved.

- As a priority, banking IT security teams must become more knowledgeable regarding the threats posed by mobile malware. While the likelihood of attack is currently low, IDC Financial Insights believes this situation will change in 2012, as cyber criminals seek ways to exploit vulnerabilities in mobile OSs and develop more sophisticated methods by which to perform fraudulent activities.

- Banks should continue - or in some cases commence - to educate customers as to how they can identify fraudulent attempts to gain access to personal financial data (by means of phishing or smishing attacks). Historic fraud education methods have, in IDC's opinion, often been found wanting. Interactive training, where banks simulate phishing and smishing attacks to ensure customers know what signs to look out for and how to react offers a better alternative.

- If existing security technology suppliers are lagging behind in the provision of dedicated solutions to improve the robustness of the mobile channel, institutions should consider using specialist niche vendors who solely concentrate on innovations in mobile security.

- IT departments should seek ways to better engage with business-side users in order to obtain executive sponsorship (and budgetary contributions) for initiatives to improve digital banking security. Conversely, business-side users should not get ahead of their skis and consider launching new services or applications before they have been adequately assessed and signed-off by IT security.

- Innovations in digital banking can still occur, provided they are underpinned by suitably innovative security solutions.

- With an increasing number of attacks expected through both PC and mobile devices, banks should plan their survival strategies accordingly. Ultimately it is far better to be over-prepared rather than woefully ill-equipped to deal with the consequences.

The catch-up game in mobile finance:

Perhaps the greatest security threat emerging is that of mobile banking.   As the popularity of mobile banking solutions continues to rise, the security controls within those mobile solutions, and the customers' understand of those controls are not keeping pace.  Many of the security techniques in the online Desktop, which are well understood by users, world have no equivalent in the mobile world.

Two simple examples are 1) URLS which are clearly visible in a Desktop browser are not exposed in a mobile application, and 2) the simple display of https in the browser address.  Non-technical banking customers that use Desktop websites are by now very familiar with these basic security measures.  But new mobile finance apps that provide a native application, or hybrid application in which the browser is embedded within an App shell, do not display these elements to the user. Issues such as this will require firms to undertake entirely new effort to educate users about the security threats in the mobile world.  

Ultimately however, I believe that mobile finance will be more secure than the online or "desktop" equivalent.  The main factor is that the desktop browser is prone to security threats.  In the mobile world, developers can take full advantage of the native application, and take complete control of the security of that application, unlike a browser.  And secondly, the device itself includes features such as a camera, GPS, voice control, and other emerging features, that will provide the means for future innovation to secure the mobile finance channel.

Do you agree?  Will mobile finance ultimately be more secure than current desktop browser environment?  What technologies do you see emerging that will ensure the security of the mobile channel?

To register for the complete IDC report, click here.

Rich Bolstridge is Chief Strategist, Financial Services for Akamai