National Post

Bankers’ dilemma

Promoting financial apps forces institutions to back victims of cyber crime

- By Barbara Shecter, Financial Post, bshecter@nationalpost.com, Twitter.com/batpost

Canadians lose hundreds of thousands of mobile phones, laptops and tablets each year through theft or carelessness — an inconvenience for the owner no doubt, but also a growing concern for banks that are encouraging people to replace their debit and credit cards and even their entire wallets with such devices.

These kinds of mobile devices are increasingly used to store personal information and to do business, including shopping and banking. But if the information falls into a stranger’s hands, and is used to steal money, it is almost always the bank that is on the hook for the loss.

“For legal and competitive reasons, the customer is almost always made whole,” says Fred Cate, a professor of law and senior fellow at the Center for Applied Cybersecurity Research at Indiana University. “As a bank, you just can’t say to your customer: ‘Sorry you lost money with us.’ ”

It’s scenarios like this that keep bank executives awake at night.

Recent data breaches that exposed personal customer information, like the ones at retailers Target Corp. and Home Depot Inc., can hurt any company’s brand. But banks are unique because their reputation is based on the security of their customers’ money.

The risk and potentially high cost to try to mitigate that risk through insurance and increased technology spending, as well as reimbursing customers when things go wrong, might seem like ample reasons for financial services companies to discourage mobile banking. But they don’t. On the contrary, they are encouraging it to feed the demands of customers seeking convenience, and potentially pad their bottom lines with new revenue sources.

Among the recent offerings is Royal Bank of Canada’s RBC Wallet, which allows customers to make Visa or debit payments using Bell Mobility Android smartphones.

On Monday, tech giant Apple Inc. rolled out its Apple Pay mobile payment system in the United States with hundreds of banks already signed on to the technology that aims to replace credit cards swiped at a cash register with smartphones.

As the push for convenience ramps up, “wearable” devices could be next, according to e-commerce service PayPal Inc. Canadians are clearly embracing the options. Almost a third, 31%, report having used mobile banking in the past year, up from 19% in 2012, according to the Canadian Bankers Association. Even one-fifth of those 65 and older reported that their use of mobile banking is increasing.

Bankers are watching the trends with a combination of glee and trepidation. They can glean information about their customers during online and mobile transactions, which makes it easier to sell them products and services. The banks can also get a slice of revenue generated by the “mobile wallets” that are often rolled out through partnerships between the financial services firms, phone makers and distributors, and credit card companies.

But with the added layer of relationship-building for banks, and convenience for customers, comes additional risk because mobile transactions account for a disproportionate amount of fraud. About 27% of all transactions are now mobile, but 40% of all frauds “come from the mobile channel,” says Angel Grant, senior manager of fraud risk and intelligence at RSA, the Bedford, Mass.-based security division of information technology consultant EMC.

This trend is unlikely to change because so-called malware, the malicious software used to steal personal information, is “ever-increasing,” according to Lance James, head of cyber intelligence and cyber risk services at Deloitte & Touche LLP.

Banks are not immune to cyber malfeasance, as demonstrated by the recent high profile — and still largely unexplained — cyberattack on JPMorgan. And there are undoubtedly other breaches that have not been reported, in part because of the laws that govern such disclosures. Some cyber breaches may affect too few customers to trigger reporting requirements. The laws in the United States also differ depending on the sector, with retailers in many states compelled to inform the public of breaches while banks report many cyber compromises only to their regulators.

The potential openings for security breaches are numerous. Each year, more than 400,000 mobile phones are lost or stolen in Canada, according to the Canadian Wireless Telecommunications Association.

Beyond lost devices, banks must also contend with cyber-fraud that can happen when a phone or laptop is still in the owner’s hands. The simple act of logging onto a free wireless connection at a coffee shop or airport can go wrong when there’s a “man in the middle” scammer capturing banking information en route to a trusted Wi-Fi provider, cyber-theft experts say.

The problems are becoming more acute as mobile devices increasingly blur the line between our professional work stations and our personal devices, says Nick Galletto, Toronto-based cyber risk services leader for the Americas region at Deloitte & Touche. The rub is that people using mobile devices on-the-go “don’t take as much care as they would on their workstation” at the office, he says, and they are more likely to be “letting their guard down” during such casual online interactions.

They might download applications without thinking much about it, for example, which can introduce lots of openings for cyber crooks.

“But what they’re really doing is collecting information to try to do an account takeover at your bank,” Ms. Grant says.

Sometimes, the device’s owner doesn’t even realize what’s happened until their money is gone.

The consumer is arguably “the weakest link” in the system, Mr. Galletto says, but banks are the ones that are compelled to take steps to try to thwart cyber attacks because they bear so much of the risk.

Regulators are aware of the trends, and the potential risks they carry.

Canada’s chief banking regulator, the Office of the Superintendent of Financial Institutions (OSFI), declared last year that “increasing operational risks from ongoing cyber threats” touch “nearly all business consumer relationships and potentially the safety and soundness of the institutions.”

OSFI has begun by requiring financial institutions to do detailed self-assessments of their preparedness.

The regulatory response has been different in the United States, where banks are already subject to specific requirements imposed on them by the watchdogs.

But OSFI has not ruled out specific regulations in the future.

“Cyber-security will be an issue of continuing focus for OSFI going forward,” the regulator said.

It’s clearly in the interest of the banks to do what they can to reduce the risk of cyber attacks on their customers. But there are competing interests at play: Banks don’t want to thwart the promise of convenience with their efforts to protect the security and privacy of their institutions and their clients.

Additional layers of security — such as a token that has to be inserted into a mobile phone to conduct banking business, or a picture that must be viewed and identified from a second authorized device such as a laptop computer — could also serve as the deterrent that sends customers to a rival bank with less cumbersome security requirements.
