Before mobile banking becomes truly universal, banks and financial institutions must consider the balance between security and usability, says Martin Walshaw, senior engineer at F5 Networks.
We live in an app world. We shop through apps, we catch up with the latest news, we follow our sports teams, we listen to music, we communicate with friends and we do our work through apps.
We also do our banking through apps, albeit to a lesser extent. But there is a steady rise in the use of mobile banking apps among South Africans. The Mobility 2014 research, conducted by World Wide Worx, found that 9% of respondents used banking apps in 2013, up from 1% in 2012. Cell phone banking also surged, from 28% in mid-2012 to 37% in late 2013.
CEB TowerGroup research suggests there will be 17-billion transactions in 2015. Security is obviously a big factor in the uptake of mobile banking; banks and customers are quite rightly worried about how much risk is involved.
But if banks and other financial services companies put too much emphasis on security, apps will become slow and cumbersome and customers won’t use them. I’m sure we’ve all had mobile experiences so frustrating that we’ve just abandoned whatever we were doing and switched to a PC, or got on the phone.
Having said that, there is also the danger of going too far in the opposite direction – sacrificing security to improve usability. The CEB article mentions that some banks are in fact allowing customers to check their balances (along with other, limited functionality) on a mobile app without even logging in! That is a very dangerous game to play.
While it is clear that convenience is incredibly important, banks should think about the repercussions of “good enough” security. Who will the customer blame if someone gains access to their account and steals money because of a flaw in the app? Their bank, of course.
Lawsuits would probably follow, leading to a financial loss and a damaged reputation.
So the key is to find a balance between security and usability, and in our opinion that means assuming everyone is infected. If a bank approaches security from that point of view, then the emphasis shifts away from the device that is being used and instead focuses on ensuring the data is secure.
It’s something that we at F5 Networks have talked about previously: forget the device and concentrate on protecting the sensitive data that is flowing across the network. An additional, transparent layer of protection – away from the device – increases protection for the business without impacting the usability of the application.
If a business takes the viewpoint of not trusting any device, then that is a good start. It removes confusion for end users; they don't have to worry about man-in-the-middle (MitM) attacks or malware that could interrupt the mobile banking session and, for example, take extra money out of the user's account.
Before mobile banking becomes truly universal, banks and financial institutions must consider the balance between security and usability. Stripping back security to ensure a smooth and fast user experience is simply the wrong way to approach it, as is adding in so many layers of security that the app becomes unusable. Instead, take the device out of the equation: focus on securing the data. That is, after all, where the value is.