Mobile Banking - Is it Ready for Prime Time?

Early-Adopters Say Customers Want Convenience of Conducting Business Via Cell Phone
Mobile banking - just how real is the trend? And how secure are the solutions?

Increasingly so, according to industry analysts and practitioners who are at the leading edge of the movement to deliver banking services to customers' cell phones and PDAs.

In the U.S., there are an estimated 1.5 million banking customers who receive some kind of banking information via their cell phones, according to Nick Holland, information security analyst at Aite Group, the Boston-based consultancy. This estimate includes the 500,000 users that Bank of America -- the largest player in the market -- says are using its mobile banking service.

Customers of banks offering mobile banking via cell phones and smart phones can check their account balances, transfer funds between existing accounts, and -- with some services -- pay bills online.

While the exact number of banks and credit unions now offering mobile banking services to customers isn't pinned down yet, Holland estimates that after the mobile banking "breakdown" in the 2000-2001 timeframe, the number of banks and credit unions beginning to offer mobile banking to customers is rising rapidly. "Surprisingly, quite a number of credit unions have begun offering mobile banking to their members," Holland says.

As early adopters, credit unions typically embrace new technology and so do their customers, Holland says.

Most of the institutions offering mobile banking have deliberately made it as safe as possible to encourage customer adoption. "The majority of mobile banking services now offer the same functionality as an ATM, and it is more informational and less emphasis on transactions," Holland says.

To gain further consumer acceptance, most mobile banking offerings provide more than one way to receive information. The three ways consumers can view their bank information via cell phone are:

  • Text messages;
  • Browser-based capabilities;
  • Downloadable software that connects them to their institution.

Mobile services vendors are quick to anticipate this prospective marketplace, as witnessed by recent activity:
  • Deployment of 50 credit union mobile banking offerings operated by mobile service provider M-Shift;
  • Announcement in early January that Verizon is entering the mobile banking arena, paired with mobile banking service provider Firethorn;
  • November announcement by AT&T of similar arrangements with Firethorn.

How Safe Is Mobile?
Consumers have embraced the new ability to check their accounts via their cell phone, and security limitations seem to be no barrier to acceptance, Holland says.

David Miner, Senior Director of Financial Services Industry Solutions at Symantec, a major information security vendor, sees the mobile market as a place of "converging dynamics" -- a perfect storm of customer demand and the increasing use of the cell phone for more than just voice. He suggests that institutions offering mobile banking need to think carefully through their encryption strategies and the steps they will take to wipe information from lost cell phones.

"We see mobile as an increasingly targeted end point that the bad guys will want to go after, with more attacks, spam and viruses," Miner says.

Holland describes one vector where mobile phones could be most vulnerable to attack. "Where phishing is primarily an attack over email, and it moves the victim to a fraudulent website, with mobile there is very little integrity in any of the channels," he says. "There are multiple channels users have to be aware of."

If, for example, an SMS message comes laden with a virus, it can then infect via Bluetooth all the other phones in the area equipped with Bluetooth.

From a fraudster's perspective, banking by cell phones "will be an absolute goldmine, once real transactions begin," Holland says. To prevent fraud, institutions will have to go "out of channel" to authenticate a transaction. For example, the institution would send an SMS message to the customer, who would have to send a reply back in order to authenticate a transfer. Holland says that at this point the mobile market is not very robust and is still struggling with a very low degree of technology standardization across the mobile environment.

Holland recommends that institutions consider the following before implementing mobile banking:

  • Avoid any degree of complexity when implementing mobile banking;
  • Don't be overly ambitious, offering too much to your customers at once;
  • Gradually turn up the heat and push for acceptance once it gets going.

The question of which consumers will want mobile banking points to the existing online banking customers. "I think it has been adopted by those who are already using internet banking," Holland says. "Adoption has been pretty strong, the benefits are self-explanatory, and it has its use in real world. People see it as something that is useful."

Case Study: Wells Fargo, an Early Adopter
When Wells Fargo's Eskander Matta, Senior Vice President of Internet Services Group, says the rollout of the bank's mobile services to consumers has been a smooth one, he speaks from personal involvement. His team tested the institution's mobile banking services.

In early 2006, Wells Fargo, with $549 billion in assets, began offering text messaging alerts on customer phones. In 2007, the bank added browser-based customer account balance checks. Just this past October, text-based (SMS) messaging capabilities were added.

"Customers are able to send relatively short text messages to Wells and receive their account balance on screen," Matta says. At the end of 2007, Wells began offering an ATM and store locator as an additional convenience to its mobile customers.

Wells Fargo's mobile text banking service does not send a text message with any confidential information, Matta explains. Wells Fargo customer account numbers are never displayed via text banking, but are represented by the mobile account nicknames that the customer specified during enrollment.

While not ready to disclose the number of customers signed up for mobile banking, Matta notes that the interest and enrollment of mobile banking customers "dramatically exceeded our expectations -- more than double what we expected."

Wells Fargo's Internet Services Group has seen a very high rate of utilization of the mobile banking services. Additionally, Matta sees the increased use of mobile phones to access account information as further helping the drive to detect fraudulent activity on accounts. "It puts the customer in charge of their account and increases dramatically the chance that they will catch a fraudulent transaction quickly."

In the future, Matta says Wells Fargo is also looking to perform more complex transactions through the online channel, possibly looking at using the phone as an authenticator. Wells Fargo is using the same layered approach in security for mobile banking as it uses in its internet banking offerings. In the mobile channel, Wells Fargo also offers the same 100% online security guarantee to its customers.

Matta shares two points his team discovered over the past year: "One of the interesting things we've seen is mobile banking is fairly broad-based, and the adoption has been broader than what many institutions think." A second trend Matta sees is the diversity of choices in the types of mobile offerings. "A few months ago or even a year ago, if you had asked banks or analysts studying mobile banking, the question was 'Will it be browser- or text-based, or will you download a banking application onto your cell phone, which one will win out?'"

Now Matta sees it as probably not being just one: "Depending on the level of security you need and the type of transaction you're making, it may be a combination of one or more." For more complex messages requiring more security, users may be asked to switch to a browser.

Huntington Bank: Preparing for Rollout
What led Huntington Bank, with $54 billion in assets and the 24th largest bank in the U.S., into mobile banking is the idea of being able to offer its customers more choices and convenience. The Columbus, OH-based bank plans to go live in the second quarter of 2008 with its mobile banking service, says Brandon McGee, Vice President and Senior Product Manager of Mobile Banking at Huntington Bank.

"It is a tremendous resource for customers -- the benefits are additional services and the users knowing their bank account balances whenever they need it," McGee says. "Many people don't have the ability to be in front of a PC all the time."

Huntington Bank plans to give its customers the ability to stay connected to their accounts and to set up alerts, such as balance alerts and even transaction alerts, that tell them when certain actions are taken on their accounts, reducing the risk of fraud. McGee sees this fraud reduction as where the power of mobile banking lies. "What customer wouldn't want to know and have instant access to their account information?"

His team plans to perform extensive piloting and testing of the system before it is released to Huntington's customers. Similar to Wells Fargo's approach, Huntington Bank plans to roll out mobile over a layered security architecture.

McGee envisions that mobile banking, while not replacing all other forms of online transactions, may overtake and compete with internet banking. "There will be times that a mobile transaction will be faster than logging in to check an online balance screen."

With the advent of smart phones such as the iPhone, McGee sees mobile banking as a very powerful channel. "It will be part of the mix - online/Internet, call center, and all the other ways we will develop in the future."

Question: How ready is your institution for mobile banking? Share your thoughts with editor Tom Field.


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.