Mobile Banking Not (Yet) Feeling the Security Love

Banks are heavily promoting mobile banking. And with consumer use of smartphones growing like gangbusters, mobile banking is on the fast track for greater popularity. But – so far, at least – security for mobile banking is sitting on the side track.

Which could put the banking industry on a high-speed train headed straight for trouble. Legendary bank robber Willie Sutton said he robbed banks because "that's where the money is." Cyber-thieves have the same motivation. And if they learn how to exploit mobile banking technology before adequate security safeguards are in place, they could clean out the vaults faster than Willie Sutton ever dreamed of.

The industry's problem seems to be that federal bank regulators have not yet specified compliance procedures for mobile banking. The Federal Financial Institutions Examination Council (FFIEC) surprised industry observers last June when its Authentication Guidance made no specific mention of mobile banking. Formal rules may not appear before the end of this year, though the Federal Deposit Insurance Corporation (FDIC) may issue guideline suggestions this July.

Banks and related financial institutions, however, should not sit around waiting on the feds. Yes, it is understandable that institutions would prefer to design their mobile security policy in line with federal compliance rules up front. That way they don't have to tweak procedures after the fact to match compliance standards, with the extra work and complications that this entails.

But cyber bank robbers are not going to wait on the federal government. And their intended victims shouldn't wait either. Security compliance is not just about dotting i's and crossing t's to make regulators happy. It is most fundamentally about putting measures in place that make cyber-thieves unhappy.

The time for banks to protect their mobile banking systems is now. Take action before someone figures out how to break into the mobile banking cyber-vault.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."