Developing a mobile security strategy in banking and financial services

The rise of enterprise mobility and mobile finance malware means organizations, especially those in the banking and financial services sector, have to adapt and redefine security for the mobile economy of today, which is moving into an era of mobile banking and mobile transactions.

Enabling mobility for both staff and customers is something that many financial institutions in Singapore are implementing; in fact, many are running a ‘mobile first’ strategy to empower their workforce and customers.

In an economy where customer experience has become paramount, protecting your customers’ transactions and safeguarding your organization’s reputation are both critical.

But finding a balance between ease of use without negatively impacting the user experience is a challenge. Even more important are meeting the security and privacy compliance standards laid out by the Monetary Authority of Singapore (MAS).

This compliance is key to any mobility strategy, said the attendees at an IBM-sponsored Executive Roundtable Discussion that was held at the fringe of Questex Asia’s 5th Info Security Conference in Singapore. Many said that there are solutions available, but finding one that matched their strategy is the difficult part.

Mark Johnston, APAC Business Security Architect for IBM Security raised the possibility of removing the impact of an onerous two-factor authentication (2FA) requirement. For instance some banks allow limited access to information, and require 2FA if the user wants to do more, such as transferring funds or paying bills he said.

Victor Ng, Enterprise Group Editorial Director at Questex Asia and moderator of the discussion, then asked attendees to share the impact that different mobile devices are having on their mobile strategy.

For Alagu Karuppiah, Senior Manager for Information Technology at Diners Club International, due to the volume of malware on the Android platform, the onus falls on the financial institution to secure the mobile device or provide a secure container within it. What he felt is needed is a method of providing another level of authentication to give added physical security to the customer.

National Australia Bank’s Technology Production Support Manager Warwick Fraser found that, at the end of the day, no financial institution could afford to trust any mobile device. They have to find a way to deliver the information and services the customer expects but in a way that is circumspect and secure.

RBS Singapore has no retail banking in Singapore but, according to Eleenor S Bata, their Vice President for Corporate Security, where they do they used to use 2FA but users can now opt for an SMS prompt. “While the phone used to be considered less secure, we use it more now for customers’ convenience, as users may not always have their token on them, but they always have their phone,” he said.

UBS AG’s IT Risk Director Barry Fu, agreed with Bata saying that their research has shown that most users are using their mobile devices as their preferred choice to login rather than the PC. “They feel a mobile device offers the best balance of security and convenience,” he said, “But, there is no technology that can protect one hundred percent of the time.”

He added that it was important to keep educating staff and customers on how to protect themselves and why security regulations were in place. “Customers may not like 2FA because they find it inconvenient, so we can allow them access for information that is not sensitive via 1FA. If they want to want to do more, then they will need 2FA,” he suggested.

OCBC Bank’s Krishan Kumar Chugh, their Vice President for IT PMO, agreed with limiting the functions users could perform on a mobile device, while allowing them greater functionality on a PC. But, he added, one advantage of mobile apps is the ability to block them the moment a problem is detected.


Vincent Leong, Manager for IT Security from Maybank Etiqa, remarked that the bank used to have a trusted computing model for computers and maybe something similar could be developed for the mobile space. We need the functionality and security in managing the device and applications, he said. “Using a 2FA SMS authentication solution can still be a problem if the device itself is compromised

Krishan added that it is easier to get users’ buy-in to use a security solution if it is something that is included from the start. The likelihood of customers complaining about how onerous a security solution is is less likely if they have been exposed to it from the start.

IBM’s Johnston agreed, saying that banks need to deliver a level of safety that caters for the end user and is still secure enough for the bank. “The problem is balancing the least amount of inconvenience for customers but still giving them as little influence as possible,” he said, “The pressure is always on IT to open doors and say yes to everything.”

Ultimately, to protect customers and their trust in banks and financial service providers in the mobile world of today – and to uphold business reputation – we need mobile security solutions that offer real-time analytics to provide visibility of our customers’ mobile security posture, with the ability to block a mobile banking app from any customer device as the need arises, while complying with the regulatory requirements set by the Monetary Authority of Singapore (MAS) to protect confidential data, customers and privacy.

As Alagu from Diners put it: “Compliance and regulations laid out by the MAS are very strict and all banks need to see what risks anything will bring before they can make a decision to deploy anything.”