Mobile banking: Take the security call

BALAJI NARASIMHAN Updated - July 03, 2011 at 07:08 PM.

Keep your money transactions safe.

More players are launching mobile wallet services.

More banks now look to offer mobile banking services. But while welcoming the convenience, security experts say safety guidelines need to be followed for the services to gain ground.

According to Gary Singh, General Manager, Nokia Mobile Payment Services, mobiles are safer than using an ATM card with a PIN. “You need a password for the application and a separate PIN for the transaction. We also check the phone number and the IMEI code, so you have four levels of security.”

However, Graham Cluley, Senior Technology Consultant, Sophos, points out that many of the PIN codes used by users are easy to crack. “We found that around 25 per cent of users make bad decisions for PIN and use simple ones such as 1234, 0000 or 1111,” he says.

This is especially dangerous when one considers the fact that Symantec observed a 43 per cent increase in mobile vulnerabilities in 2010. In that year, the company documented 163 vulnerabilities that could be used to gain control over mobiles.

What can be done to safeguard mobile transactions? One way to enhance security is to use encryption, says Shantanu Ghosh, Vice-President, India Product Operations, Symantec. “If you use hardware encryption, you also have the added benefit of ensuring that you can destroy confidential data on a device if it is stolen.”

While such technology is always useful, prevention is still better than cure. But who should take the security steps? Experts are divided over this.

Maninder Bharadwaj, Director, Deloitte Touche Tohmatsu India, says a key issue is that “Businesses say, ‘get me functionality and I will think of security later’.”

“The bank must be careful because users who make a mistake will ultimately blame the bank,” he says.

But Siddharth Vishwanath, Associate Director - Consulting, PricewaterhouseCoopers, says one may be forced to place limits on security at times.

“When the amounts are small, how much will you spend on security?” he asks. As an example, a bank could consider authenticating a user based on a token that keeps changing. “If the amounts are small, will the bank want to give a token?” he adds.

And finally, apart from addressing security from the technology perspective, there is also a need to look at it from a social angle. “You need to educate people in rural and even in urban markets so that they get confidence,” stresses Anshul Gupta, Principal Research Analyst, Gartner.

Going forward, what can be done about security? Taking a futuristic peek, Cluley says, “I suppose, in the future, some biometric device could be used, like a fingerprint reader on a laptop. But it will make the device expensive.”

Ghosh stresses that banks can look for patterns to determine fraud.

“You can figure out from which tower the connection has been established. If you find a transaction happening from one person in Bangalore and another happening five minutes later from the same person in Delhi, you know that something is wrong,” he adds.
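The pattern Ghosh describes can be expressed as a speed check between consecutive transactions on the same account. The code below is an added example, not taken from the article or from any bank's system; the `Txn` record, the tower coordinates, the sample transactions and both thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling, about airliner cruising speed
MIN_KM = 50.0    # assumed slack: towers cover an area, phones hop between neighbours

@dataclass(frozen=True)
class Txn:  # hypothetical record: one transaction and its serving tower
    account: str
    when: datetime
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance in km between the towers of two transactions."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(txns):
    """Return (prev, cur, km, kmh) where the implied speed exceeds MAX_KMH."""
    alerts, last = [], {}
    for cur in sorted(txns, key=lambda t: t.when):
        prev = last.get(cur.account)
        last[cur.account] = cur
        if prev is None:
            continue
        km = haversine_km(prev, cur)
        if km < MIN_KM:
            continue  # same area: not evidence of travel
        hours = (cur.when - prev.when).total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")  # simultaneous use
        if kmh > MAX_KMH:
            alerts.append((prev, cur, km, kmh))
    return alerts

# Constructed sample: approximate city-centre coordinates stand in for towers.
SAMPLE = [
    Txn("acct-A", datetime(2011, 7, 3, 10, 0), 12.9716, 77.5946),  # Bangalore
    Txn("acct-A", datetime(2011, 7, 3, 10, 5), 28.6139, 77.2090),  # Delhi, 5 min later
    Txn("acct-B", datetime(2011, 7, 3, 9, 0), 12.9716, 77.5946),   # Bangalore
    Txn("acct-B", datetime(2011, 7, 3, 13, 0), 28.6139, 77.2090),  # Delhi, 4 h later
    Txn("acct-C", datetime(2011, 7, 3, 10, 0), 12.9716, 77.5946),  # Bangalore
    Txn("acct-C", datetime(2011, 7, 3, 10, 0), 12.9800, 77.6000),  # neighbouring tower
]

if __name__ == "__main__":
    for prev, cur, km, kmh in impossible_travel(SAMPLE):
        print(f"{cur.account}: {km:.0f} km in {cur.when - prev.when} at {kmh:.0f} km/h")
```

Only the first account is flagged: the second covers the same distance at a speed a flight could manage, and the third never leaves the area of one tower.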

Mobile banking tips:

Choose a difficult PIN code

Change the PIN often

Don’t give your mobile phone to anybody

Don’t keep too much cash in any bank account linked to a mobile payment gateway

Keep a printout of officials whom you may have to contact to disable your mobile account in case you lose the phone

> Balaji.n@thehindu.co.in

Published on July 3, 2011 13:32