Taking a risk-based approach to mobile security

By: Dena Hamilton

November 07, 2016 08:00 AM


It's now undeniable that mobile banking will have a key role to play in the future of the financial services sector. As smartphones reach saturation point in developed markets, consumers will expect that anything they would previously have used a PC for can be achieved on mobi

Recent figures from the American Bankers Association, for instance, suggested that in the US, the majority of people (58 percent) use mobile banking at least once a month, with almost three-quarters of users (72 percent) rating their bank's app as excellent or very good.

Yet despite the progress, there's still resistance in some quarters, and one of the main reasons given is concern over the security of these solutions.


Work to be done to build trust

A recent study by Kaspersky is the latest to highlight these concerns. It found almost three-quarters (74 percent) of people in the US and the UK who do not use mobile banking cited security worries as a key reason. However, both current mobile banking users and non-users said they would be likely to increase their usage of these solutions if they were seen as more secure.


Kaspersky noted that while mobile banking is still popular overall, usage of high-margin services such as account openings, payments and transfers remains low. It also noted that in the coming years, the next generation of online and mobile-first consumers will show interest in such services, but only if their personal financial safety is guaranteed.


A risk-based approach

But how can this be achieved? For financial institutions aiming to improve their mobile offerings, it's a constant challenge to find the right balance. Make security processes too lax and you run the risk of leaving your customers exposed to fraud. Make them too strict, and consumers will get frustrated with the inconvenience and turn elsewhere.

This is where risk-based authentication comes in. Essentially, this means taking a more dynamic approach to security, instead of covering all mobile activities with a blanket policy. So, for example, if a person simply wants to be able to check their balance via their bank's smartphone app - a passive activity that won't expose the customer or the bank to much risk - they can do so without stringent authentication processes.


On the other hand, if they want to perform transactions such as setting up a recurring payment or transferring money between accounts, this is an activity that comes with higher risk, so it should require a higher level of authentication. This may involve re-entering a password or completing two-factor authentication, such as a one-time code.


The right tools

Understanding when to apply higher levels of authentication is the key to boosting confidence in the security of mobile tools, without compromising on convenience. With the right tools, the factors to consider may include not just the type of transaction, but also the location of the user and how it relates to their previous behavior.


Banks now have a large amount of information at their disposal when it comes to assessing mobile banking activities and identifying potential fraud attempts. A strong risk engine should be able to analyze any transaction in real-time and determine how to proceed - whether to allow it, request more information, or block access entirely.
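A minimal sketch of the allow / request more information / block decision described above. This is an added example, not code from the article or from any product; the weights, thresholds, activity names and field names are assumptions chosen for illustration.

```python
from dataclasses import dataclass

ALLOW, STEP_UP, BLOCK = "allow", "step_up", "block"

# Assumed base risk per activity: passive lookups low, money movement higher.
BASE_RISK = {"check_balance": 0, "transfer": 40, "recurring_payment": 40}

@dataclass
class Profile:
    """What the bank already knows about the customer's usual behavior."""
    usual_countries: set
    known_devices: set
    typical_max_amount: float

@dataclass
class Request:
    activity: str
    country: str
    device_id: str
    amount: float = 0.0

def score(req: Request, profile: Profile) -> int:
    # Unknown activity types fail closed: treat them as highest risk.
    risk = BASE_RISK.get(req.activity, 100)
    if req.country not in profile.usual_countries:
        risk += 30  # location does not match previous behavior
    if req.device_id not in profile.known_devices:
        risk += 20  # first time this device is seen for the customer
    if req.amount > profile.typical_max_amount:
        risk += 20  # amount above the customer's usual ceiling
    return risk

def decide(req: Request, profile: Profile, step_up_at: int = 40, block_at: int = 90) -> str:
    """Map the score to one of the three outcomes the article names."""
    s = score(req, profile)
    if s >= block_at:
        return BLOCK
    if s >= step_up_at:
        return STEP_UP  # e.g. re-enter password or supply a one-time code
    return ALLOW

if __name__ == "__main__":
    # Constructed sample data, not real customer records.
    p = Profile({"US"}, {"phone-1"}, 500.0)
    for r in (Request("check_balance", "US", "phone-1"),
              Request("transfer", "US", "phone-1", 100.0),
              Request("transfer", "BR", "phone-9", 5000.0)):
        print(r.activity, r.country, score(r, p), decide(r, p))
```

In practice the step-up and block thresholds would be tuned against observed fraud and customer friction rather than fixed as constants.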


Dena Hamilton


GM/Director, Enterprise Fraud & Security Software Solutions


Dena specializes in fraud, risk, compliance and security with over 35 years in the financial services space. Her focus is on the development and deployment of enterprise financial crime solutions optimized for prevention, detection and back office efficiency.