Banks need to reinforce security for their mobile payment services or else face a litany of problems similar to those encountered by early Internet banking services, according to an Ovum research report.

The independent technology analyst urged banks to understand the vulnerabilities in mobile payments at every level of its infrastructure. A strategy of “defense in depth” is necessary to ensure the integrity and success of the mobile banking sector, per Ovum.

“Attacks may occur at the mobile device, in the mobile network or in the back-end banking and payments system,” said Graham Titterington, principal analyst at Ovum, London. “Defend in depth [means securing the ecosystem] at the mobile device, in the network, at the bank’s gateway and at the back-end server – for example, by fraud detection techniques and varying the security requirements according to the risk of each transaction.”

“Work in cooperation with the device vendors and the network operators to attack the malware problem,” he said. “Do not be afraid to press for a ban on all forms of spyware on mobile devices.”

Ovum, a Datamonitor company, provides independent business and technology analysis.

Security strategies and tactics
There is already need for strengthened security measures in mobile, per Ovum.

“Attacks on mobile banking already exist, even if most of them are currently in the proof-of-concept stage,” Mr. Titterington said.

While companies should learn from the lessons of Internet banking, they need to understand how mobile differs from the Web and how that impacts security necessities.

“The biggest threat is weak authentication on the mobile device and the vulnerability of the device to theft,” Mr. Titterington said.

If strategies of defending the mobile banking ecosystem are to succeed, Ovum says a number of tactics could be invaluable.

“[Security methods should include] user authentication, keeping the mobile device free from malware, encrypting all transmissions end-to-end, monitoring banking sessions, using out-of-band techniques to strengthen authentication, blocking suspect connections and applying fraud detection techniques to all transactions,” Mr. Titterington said.

Still, a certain amount of vulnerability is inevitable, according to the analyst.

“Plan for living with malware,” Mr. Titterington said. “While the industry must do all that it can to maintain the integrity of the mobile ecosystem – and it should seek to learn from the mistakes of the Internet pioneers to avoid repeating their mistakes – it is inconceivable that they will eradicate all malware from mobile ecosystems.

“As the ecosystem becomes more diverse, more powerful and complex and more integrated with the IP world, hackers will find ways to attack it and perpetrate fraud,” he said. “The question is ‘how large will the problem be?’”

Whatever the security solutions may be, Ovum says that efforts will need to be coordinated across mobile and Web segments, because handheld and tethered banking services will be connected in a larger ecosystem.

“Mobile and Internet banking security communities must work together,” Mr. Titterington said. “Although the means of attack are channel specific, the business level threats are the same.

“As mobile banking services become more powerful, the two channels will move towards being alternative interfaces to a common service,” he said. “This will create the danger of crossover threats, where weaknesses in one interface may be used to attack the other one.”

While it is important to have airtight security, defense measures have to work seamlessly and invisibly, so as not to detract from the mobile experience, per Ovum.

“Use case scenarios are crucial for designing good security,” Mr Titterington said. “To be effective, security has to be deeply embedded both in the business logic of the use cases and in the technology.

“Designers also have to make mobile services easy to use to make the service attractive and viable,” he said. “Security must not detract from usability.

“The service must also be available whenever the user has an urgent need for it, and a business view is needed to arbitrate when requirements conflict.”

Security crucial to growth of mobile banking
Banking and financial services represent a nascent and growing sector in the mobile space.

Banks and payment services worldwide are offering mobile, including the National Bank of Abu Dhabi, which tapped MoneyGram to facilitate money transfers (see story) and BancorpSouth, which launched a mobile banking application last month (see story).

Mobile banking usage worldwide is expected to double to 400 million users by 2013 (see story).

Ovum was clear to emphasize the importance of good security for mobile money payments and money transfer. It believes that in order to maximize the potential of the sector, great pains need to be taken to avoid the pitfalls of early Internet banking.

“It is very important to get [mobile banking security] right, not only to protect customers, but also to protect the reputation of the banks and the usability of the service,” said Mr. Titterington. “We have a great opportunity to act before the problem gets serious and keep ahead of the threat – and not be continually running to catch up as was the case for Internet banking.”

Final Take
Peter Finocchiaro, editorial assistant at Mobile Commerce Daily, New York.