Is Banking by Cell Phone Safe – Yes

Cell phone banking, more commonly known as mobile phone banking, is the latest self service channel that banks have opened up to their customers. Its biggest appeal is convenience. As with Internet banking, you can access your accounts info at any time of day, but it offers the additional convenience of being able to access your accounts from anywhere. (Okay, I suppose you can access Internet banking from anywhere if you happen to carry a laptop about with you, but a phone’s something we always have on us whereas a laptop’s not!)

Alongside convenience, however, another factor that people have to weigh up is security. Is the service secure? What happens if I lose my phone? The scare stories that surround Internet banking have also added to the prominence that people place on security these days.

So, let’s look at a typical security model for mobile phone banking. The first thing to say is that the logon process will require the user to enter a passcode or password (or a combination of these), in the same way as you already do if you use Internet banking. You can increase the security surrounding your passcode details by not writing them down anywhere (and not saving them on your phone!) and by choosing a passcode or password that is not easy to guess. i.e. Don’t choose your year of birth, or your pet’s name.

The next important thing to point out is that no banking data is stored on your phone, so if you lost your mobile handset, a fraudster would not be able to retrieve any banking details from your phone. Instead, you just download an applet onto your phone and all the data is stored on servers rather than the phone.

Additionally, only a registered handset that is linked to the account can be used to access the account information. What that means is that it is only possible to access the service from your specific mobile phone using your specific passcode. This is quite an important point, as I’ll illustrate by making a comparison with Internet banking.

With Internet banking, account information can be accessed by putting specific logon credentials into any computer that has Internet access. So, if a fraudster gains hold of your security details, then they stand a good chance of compromising your accounts. However, for mobile phone banking, they would require not only to have your security details but also to have got hold of your phone.

Banks have been strengthening the security of Internet banking by rolling out something called Two-Factor Authentication (2FA). The basis of 2FA is that you should only be allowed to conduct certain online transactions (e.g. 3rd party payments) if you go through an extra security loop. Typically, this is being facilitated by issuing Internet banking customers with card reader devices. When the customer goes to do an Internet transaction, a one-time secure passcode is sent to their card reader device. The customer puts their debit/cash card into the card reader and retrieves the code, which they then enter into a screen within online banking to authorise the transaction.

The basis of 2FA, as an added protection mechanism, is that you have to use a combination of something you know (your passwords) and something you have (your card) in order to do the transaction. If you think about the mobile phone banking set-up, it automatically falls into this model i.e. you have to enter a passcode (something you know) into your mobile handset (something you have).

I don’t doubt that organised crime gangs will look at mobile phone banking and will try to find ways to exploit it. Internet banking has been affected in recent times by phishing attacks, where fraudsters send you an e-mail asking you to divulge your internet banking logon details. Where customers have been tricked into giving away their details, the fraudsters have been able to steal money, though for the most part banks have so far refunded any customers who have been affected. Mobile phone banking could also be subject to phishing attacks, so if you receive a text asking you to divulge your passcode details, then press the delete button! However, even if the fraudster does trick you into giving them your security details, they would also need to steal your phone before they could do anything, so it’s a fairly low risk, especially as many of the phishing gangs are based in far-flung countries.

Banks also conduct comprehensive penetration testing (conducted by independent technology experts) to make sure that their mobile phone banking (and Internet banking) services remain secure. (Note: The problems that have been experienced for Internet banking, through Phishing attacks, highlight that fraudsters rely on people giving away their security details. Fraudsters have not been able to hack their way into the banks’ secure services).

A final point to mention is what happens if I lose my mobile phone? The first thing you would do in such an instance is to phone your mobile operator to advise them that your phone has been stolen. They would then deactivate your phone number. Once that phone number’s been deactivated, you won’t be able to access mobile phone banking, even if you enter the correct security details. To reactivate mobile phone banking, you’d need to re-register for the service. For added peace of mind, you could also phone the bank’s helpdesk and they would be able to put a stop on the service.