Consumers are increasingly turning to mobile banking applications as their preferred channels for financial interaction, in part because of the convenience and enhanced security such platforms offer. A mobile banking channel also provides financial institutions with a chance to improve engagement with consumers, especially for cybersecurity awareness and outreach.
A new report from Javelin Strategy & Research, Cyber Lessons for Mobile Banking: Connecting with Consumers, Framing Cyber Awareness, offers lessons from top-tier banks that set an example for community banks and credit unions to follow. Javelin Director of Fraud and Security Tracy Kitten, the author of the study, spoke about two important emerging trends in mobile cybersecurity that the report covers: biometrics and push notifications.
New Phases for Biometrics
Many modern consumers struggle with usernames, passwords, passcodes, and the other measures of authentication required to keep our financial data safe. Biometrics such as fingerprint and facial recognition have become less intrusive ways of authenticating your identity, with nothing for the user to remember.
But Kitten reports that behavioral biometrics could soon surpass physical biometrics in terms of ease of use for consumers and additional security for the institution. Behavioral biometrics encompass such things as how you hold your phone, or the cadence you use when you enter a number.
These recognition factors are not installed automatically. When you receive a new iPhone, you first have to agree to allow facial recognition or finger biometrics by signing a waiver that says you will share that information. After completing the approval process, you can use touch ID for any app that’s connected to the mobile device.
There are even more data sources that could be pulled in. “If I’m trying to make an in-app purchase, that particular payment platform could be pulling in anonymized data sources from multiple places,” said Kitten. “Is this a merchant that I typically shop? Is this the type of product I usually buy? They can pull in all these various bits of data that can be used to help authenticate me and verify me at the transaction.”
Banks can use some of those additional data signals or data sources in the background for authentication without the consumer even being aware it’s going on.
“If I’m sitting at home on my Wi-Fi connection using the same IP address I use every day, the same device that I’m logged into typically Monday through Friday from 8:00 am to 6:00 pm, and I’m conducting a transaction at a site I’ve been to many times before, and made purchases during this time of day on this device, on this IP address, then it should readily authenticate me,” Kitten said. “If I’m out of the country and the device is recognized but the IP address is different, the connection is different, and it’s a different time zone, then at that point, maybe I do need to have a one-time passcode sent to my phone to verify that this is me.”
Push Notifications
Another development that Kitten sees great potential for is push notifications, delivered through a bank’s mobile app. The communications are secure because the consumer knows that it’s coming from their financial institution. An email alert or an SMS text message might call into question whether it’s really coming from the bank or from someone spoofing it.
“The customer will not receive push notifications if they don’t ask to have them,” Kitten said. “That’s why it’s such a strong builder of loyalty and trust.
“What I would really like to see is that all notifications only come through the mobile app. We’re pushing communications about cybersecurity or potential fraud, so everything should come through the app. I would go further and say it should be a default setting, so the consumer is automatically enrolled in the alerts through the app and they would have to opt out of them. Get rid of email and text, because we’re trying to tell consumers think before you click.”
One reason for this is that the institution can benefit from the wealth of information available through mobile and online banking platforms. They can pull data and analytics—and make use of AI—on the back end to determine what kind of education or alerts they should be pushing.
Most consumers under the age of 65 do not need push notifications about education related to the latest elder scam. But if the institution knows that they have a parent or grandparent living with them, then it would make sense for their bank to deliver that kind of alert.
Looking to the Future
What’s coming up next in this field? There could be some good news for all those consumers who constantly have to click on the “Forgot Password” button. According to Kitten, the advances in mobile app security could lead to a turning point in security issues, where institutions no longer ask the consumer to create and remember passwords or usernames. We as consumers create security issues by reusing passwords and usernames, or by writing them down, or by sharing information with people we shouldn’t.
“The consumer is the weakest link,” said Kitten. “The more you can take the consumer out of the authentication process, the better. Because of facial recognition, behavioral biometrics and physical biometrics, I think we’re finally at a tipping point.”
