It’s easy to understand financial institutions’ enthusiasm for driving more transactions to the mobile channel when you look at the potential cost savings. While a transaction processed by a teller in the U.S. costs an organization 65 cents and one done via ATM costs eight cents, mobile beats them both by costing a mere three cents.
While financial executives love the cost savings, customers are embracing the convenience factor. Just this year, mobile devices surpassed tellers as the third “most important way” for consumers to do business with their bank, now only behind online banking via a desktop or laptop and ATM transactions.
According to an annual survey conducted by the Federal Reserve, 43% of adults currently use their mobile device for financial activities. That figure jumps to 63% among millennials who, as a group, are more likely to use the technology than interact with a teller or ATM. Globally, mobile is the obvious choice because it’s ubiquitous, making it the low-cost computing option available to millions. In Africa for example—the second most populous continent in the world—there are more mobile subscribers than bank accounts.
Whether the target is existing customers not yet using mobile, millennials who never put their devices down, or the underbanked and even unbanked who may never walk into a brick-and-mortar branch to conduct business, the mobile channel is poised to help savvy organizations stay competitive, reach new markets, innovate and remain relevant. That is, if they can confidently secure this channel.
Threats in the Mobile Channel Are Real
Concerns over the security of mobile banking threaten to hold back both consumers from using mobile banking services and financial institutions from fully leveraging and building out a more robust mobile banking offering.
For consumers, the same Federal Reserve study found that 73% of non-users of mobile banking cited security concerns as a common reason for not using mobile banking. Financial institutions are concerned as well. An IBM study found 58% of security experts at financial institutions ranked security concerns as a top risk indicator inhibiting full deployment of mobile services.
One of the key areas for fraud in the mobile channel is the creation of new accounts. According to a Javelin Strategy & Research report, the opening of fake accounts using stolen identities surged in 2015, and those identities were used to create fraudulent checking, credit card, loan and other accounts.
The problem is expected to accelerate as counterfeit card fraudsters are shut out by the adoption of the EMV security standard and migrate to the more vulnerable digital channel. According to Javelin, new account fraud jumped in 2015 when the EMV standard was adopted in the United States. This form of theft now accounts for 20 percent of all fraud losses.
Trust But Verify
So how do financial organizations combat these and other types of fraudulent activity in the mobile channel without creating additional friction?
It’s clear the current password system alone is not up to the task. Users are already overwhelmed with the number of passwords they are forced to remember and organizations are loath to put up additional barriers that impede transactions and interfere with the smooth running of operations.
Newer requirements are pushing for the use of two-factor authentication (2FA), a method of confirming a user’s claimed identity by using two different attributes: a combination of something the user knows (for example, a PIN), something the user possesses (for example, an ATM card), or something inseparable from the user (for example, the user’s fingerprint).
Instead of relying on user names and passwords alone, two-factor authentication asks for an additional piece of information confirming the person is who they claim to be. Unfortunately, traditional 2FA typically involves the use of SMS messages, a method that security experts widely regard as insecure.
Fortunately, there is a way to better protect the mobile channel by using a more advanced form of two-factor authentication that is more secure—using the users’ mobile device itself as an additional unique identifier.
Because of the way mobile devices are engineered, there are thousands of attributes contained within the device, such as build information, media details, and usage data. Using software tools such as InAuth’s InMobile solution, financial institutions can use this data to establish a unique permanent ID for the device that cannot be spoofed or reset.
Once established, this permanent device ID acts as an additional attribute for authenticating users in the 2FA framework: something the user possesses, in addition to an attribute the user knows, possesses, or that is part of their person (i.e., biometric data). Used together, the two factors work to effectively shut out fraudsters. In fact, this method is so effective that, done right, mobile banking can actually be more secure than online banking via a browser.
Best of all, using this method ensures the process remains frictionless for consumers with no unnecessary barriers to normal operations. Security works best when it’s inconspicuous, quietly operating in the background to protect everyone from fraud.
Seen in this fashion, mobile banking is a win-win for both banks and their customers, representing an opportunity to offer financial services that reach more people at lower cost and with better security.
As Bill and Melinda Gates said, “In the next 15 years, digital banking will transform the lives of two billion people. Mobile phones are the key.” We agree and add that it is crucial to get security right in order to keep those two billion people protected from fraud.