Ethics of mobile banking (security)


What comes to mind when you start brainstorming about security on a mobile device? Encryption? SSL? Access tokens? Multi-factor authentication? Those are all technical terms and they sure are important. But often, another important aspect of security is ignored: ethics.

It’s all about responsibilities. Say you work at one of the biggest banks in your country and you’re the team lead of a mobile app development team. What do you do when you notice that one of your latest mobile app users is an 80-year-old man who decides to pay with it? Do you smile because you’re happy that you’ve reached a wide audience? Or are you alarmed because you didn’t expect that kind of stereotype to use your app?

Let us be honest here. Yes, there certainly are old people with smartphones doing crazy stuff like mobile payments. But the majority of them don’t even have an internet connection, let alone a smartphone. What if your statistics are lying? What if the old man was sitting at home watching TV while his account was used for a mobile payment? What if someone called him and used a phishing technique to activate the mobile app? These ‘what ifs’ aren’t even that unrealistic. They do happen. Every single day.

I asked you what the right reaction was when you saw that statistic. I think you’ve should have called that man. He probably would have picked up his Nokia 3310 and told you he doesn’t have a smartphone. But if you’re that same guy from the bank that called him about the numbers on his debit card and you want him to put the card into the little machine with the codes again, he’ll gladly help you out. When the poor guy discovers someone emptied his accounts, you’ll tell him he walked into a phishing trap and there’s nothing you can do and you did everything in your power to make sure his bank account was safe.

But that’s not really true.

I’m an avid user of mobile banking and mobile payment solutions and I’ve moved from one bank to another a few times over the past years. When I sign up for a mobile banking/payment app, I always have to use some kind of card reader or digital signature to prove that I am who I say I am. I then give my app the permission to use my bank account. But there isn’t much more to it. I can start using my app right away. Most banks don’t even offer you the possibility to revoke that permission. When I log in to my online banking account, I can’t see on which smartphones I’m logged in or when I activated them. Can you do that with Facebook? Yes. Twitter? Yes. Any kind-of-important online community? Yes. The most important online system you use, your bank? No.

Managing activated apps is only one part of the story. Notifications are the other. When someone sets up a new smartphone for my account, I should know that. Someone should call me, mail me or text me. When? Immediately. I think that’s just common sense but it could be me because I have yet to see a bank that does that. I can get a text when I order pizza, but not when someone uses a new device to access my bank account. That’s kind of crazy, isn’t it?

See, security is more than just making sure your SSL certificates are strong and valid. Security is also about communication. It’s not an amazing feature that you can use to convince potential clients. But it’s way more important than that. And it’s time for some people higher up the ranks in the banking world to realize that.