Mobile security in Mobile banking
For providers and regulators alike, the idea of mobile banking is inseparable from the question of mobile security. When stories like this pop up – about dozens of mobile banking clients defrauded in South Africa earlier this year – they raise warning flags for some. But are questions about mobile security really new questions, and do they provide cause to pause in pursuing mobile banking?
A new study from Bankable Frontiers digs deep into the issues. Some issues are very familiar: the use of outsourced IT providers, customers protecting their PINs. Several are newish, but really permutations of issues with any electronic banking channel: the reliability and end-to-end security of communication networks carrying sensitive data.
These factors do not make most mobile banking channels more or less risky than other forms of e-banking. In fact, the range of m-banking technologies already available includes some with the highest degree of security possible. But automatically requiring the most technically secure platform carries substantial tradeoffs, not least of all that high-end technologies are substantially less likely to be suitable for low-income clients.
Low-literacy clients may be very comfortable with some of the more ubiquitous but somewhat less secure mobile technologies available – e.g. USSD, which simulates much of the SMS experience. They may not try internet browsing, and indeed the cheaper handsets they tend to own are unlikely to support it.
Providers targeting the unbanked may also prefer basic technologies. Smaller banks and entrepreneurs that see the unbanked niche as attractive are – due to their size – likely to lack bargaining power with mobile operators. They face a tough time negotiating the right to put a mobile banking application directly onto the SIM card in mobile phones (which enables a higher standard of end-to-end encryption). And even large banks may prefer technologies that work on any handset and any operator network. They want to ensure all bank clients can access the service, and doing so eliminates the need to negotiate any revenue sharing with operators: the bank keeps the whole pie. This explains why USSD – with a decidedly un-pretty user interface, and lower security – is still attractive to some banks.
It is possible to offset the lower security qualities of less secure mobile technologies by introducing operational controls. Balance and transaction limits can put a cap on risk, for clients and providers. The Bankable Frontiers report ends with advice for regulators: be careful not to entrench in regulations technology-specific standards that stifle m-banking development. Instead, regulators should create a flexible, proportionate framework which requires active supervision of mobile financial services.








