Mobile banking: Safe, at least for now

Someone asked me recently whether I thought mobile banking was safe or not. I admitted that I don't do it but that doesn't really say much. Then I mumbled something incoherent and vowed to get a real answer.

After talking to a number of mobile and security experts, I've come to the conclusion that far from being less secure, mobile banking may even be more secure than logging on to your bank Web site over your PC. And the consensus is that it's probably less risky than using checks, which can be forged, and credit cards, which can be stolen or skimmed at ATM machines for clones to be made.

Apparently it will. The rules regarding liability in mobile banking are the same as they are for other methods of banking, said Jim Van Dyke, president of Javelin Strategy & Research.

"Credit card companies have zero liability policies that apply regardless of channel," he said. For instance, "Wells Fargo has a written guarantee that they will cover all your losses if it is through mobile banking."

That's good news for the brave few who have ventured into the market. Of all U.S. Internet users, 6 percent have done mobile banking in the last week, and 12 percent have done it in the last month, according to Javelin figures.

An estimated 30 million consumers in the U.S. do mobile banking, and half of all consumers think it's not secure, the research firm said in a mobile banking security standards report in December.

Despite the fact that online banking options abound in the U.S.--from AT&T, Nokia, Sprint Nextel, Visa, and the major banks--consumers have been reluctant. That could be for several reasons, my colleague Marguerite Reardon has concluded: they don't like downloading apps to their phones as is required by some banks, they are turned off by the small screen, and they can do it on their PCs more easily.

"We're not hearing of security issues in the mobile world," because the security benefits with mobile banking outweigh the disadvantages, Van Dyke said.

First, the con to mobile banking security:

Mobile devices are easy to lose: "It's more or less as safe as banking you would do from your home computer, maybe slightly more risky, similar to using a laptop at Starbucks," said Charlie Miller, a principal analyst at consultancy Independent Security Evaluators. "The biggest difference is you are carrying the thing around with you and are more likely to lose physical custody of it than a computer."

Even so, the convenience outweighs the risk, he said. "It is no riskier than calling someone using your debit card or buying on Amazon with a debit card."

Now for the pros:

Mobile banking can be done anywhere at any time: Because people can do mobile banking at any time, they are more likely to log on more frequently and thus the chances of them detecting fraud are increased, said Van Dyke.

Mobile has a diversity of platforms: In the mobile world in the U.S., there is no one dominant mobile platform that can be targeted by malicious hackers like there is with Windows in the PC market. The lack of standardization also reduces the chances that malware will be interoperable with a broad range of mobile software and get widely distributed, Van Dyke said.

No banking-related mobile viruses or malware yet: "In the mobile era, we're not seeing any such Trojans," said Roel Schouwenberg, a senior antivirus researcher for security firm Kaspersky, which has partnered with Barclays in the U.K. to offer security software to mobile customers.

Mobile banking functions are limited at this time: In general, U.S. consumers can check their account balances, transfer funds between their accounts, and see recent transactions over their mobile devices.

"You're getting information that is not transactional," said Nick Holland, a senior analyst at consultancy Aite Group. "In most instances, if someone found your phone and logged into your mobile banking account, the worst they could do is pay your electricity bill."

However, things will change as more transaction functions are enabled on mobile devices, the experts said. For instance, point-to-point transactions and cross-border money transfers are on the horizon, according to Holland.

"There will be more risk as payments move over to mobile devices because criminals will put more focus there and you will get spoofing attempts," said Van Dyke.

The ability to use your cell phone to buy things will undoubtedly put a dent in the credit card business, but it will also give mobile carriers additional revenue to make up for voice business they are losing to things like Skype and text messaging, said Jan Volzke, head of global marketing for McAfee Mobile.

"There is no reason people have to pull out a plastic card with a magnetic strip, technology developed 30 years ago, to buy a latte," he said. "Just hold the phone next to a cashier, it goes beep and there you go."

Other countries are already offering mobile transactions. For example, NTT Docomo in Japan, which uses McAfee security software to monitor for malicious activity on its mobile phones, initially started allowing consumers to use their phones to pay for public transport, and then added payments for things like ice cream and eventually banking, according to Volzke.

In the U.S., banks are more cautious. Payments and banking are the biggest security concern for mobile device manufacturers, according to a Mobile Security Report McAfee is set to release on Monday.

At the same time, the manufacturers aren't installing additional security protection on the vast majority of the devices and won't allow consumers to install security software like they can with computers, said Volzke.

To safeguard against security risks, mobile users should use their device PIN codes, download mobile apps only from their financial institution, switch Bluetooth off when not in use, and avoid lending their phone to strangers to minimize the chance of someone downloading a malicious app onto the device.

All in all, "mobile banking is secure and there's not really any cause for concern," said Holland of Aite Group.