Mobile Migration – Building Smartphone Services Into Your Credit Union


To move into mobile services, for banks and credit unions of any size, a secure platform and smart, well-educated users are essential.  

By Ondrej Krehel

With more than 82 million Americans now carrying smartphones, it’s no surprise that credit unions of all sizes are aggressively moving into mobile banking. Accessing accounts, paying bills and moving money from a handheld device is an established customer convenience, but implementing these services is not without risk.Mitigating that risk requires a two-pronged approach.

The smart credit union executive must consider the system and the customer. This amounts to asking, “How will a mobile app interface with my existing banking platform?” and “How can I ensure my customers are secure?” These are questions of implementation and the end user.

The System: People, Security, Connectivity

Perhaps this is obvious, but mobile banking requires app building. Whether it’s a program designed for Apple’s iPhone, the Google Android operating system, Windows Phone, RIM’s Blackberry, or all of the above, you’ll need an app and a programmer to code it. Here you’ll need to focus on finding the right people, emphasizing security and streamlining connectivity. Security and connectivity should be seamlessly integrated into your mobile migration plan wherever possible so the user experience isn’t interrupted by prompts or protocols that should otherwise remain invisible.


Odds are there aren’t any coders on your staff. So building a smart app starts with finding smart people. What’s considered smart in the competitive app development world? Track records. Has the third-party business you’re considering built mobile banking apps before? Who were its clients? Find those clients and call them. Ask for a review. When developing an app, a bank or credit union is essentially paying a firm for a job, then handing them the keys to the castle. They’ll need access to your computer system, from the inside out, so anything less than a full-scale vetting is simply reckless.


This needs to be the first thing you discuss with your app builder. If security and user privacy aren’t considered at a foundational level, the entire structure is at risk. This security by design must guide all decision-making right out of the gate. It’s tempting to jump into how the application will look and feel. A slick app, after all, does as much for company branding and marketing as it does for customer convenience. But to dive into aesthetics before security is like shopping for a car based on the color. To secure an app after it’s built is like considering the engine while you’re driving it off the lot.

A security-by-design approach is rooted in secure coding practices, in which the developers you’ve hired should be well versed. Also, think about consumer data-retention plans, including secure delete policies for any unnecessary information. Of course, whatever data is saved needs to be encrypted.


Mobile phone applications are not stand-alone programs. They look as such, sectioned off from other apps with clever icons and app store pages. But when it comes to banking, they’re calling a host of outside servers and services. Those computers aren’t necessarily what your credit union has in place. The application may require a reworking of your existing website or a parallel second site just for mobile devices. It might require a separate level of secured servers. Or it may require access to your current database servers. These are all questions to ask when considering programmers, and considering costs. How does the programmer plan to build connectivity between the existing online services and the app? And what kind of maintenance plan­–for the app and the new site it may require–is included?

Technically, you’ll want your platform to conform to safe coding practices. This will include encrypted transmissions; secure user authentication, including two-factor, greeting card-style logins; and extensive site and app testing.

Other essential connectivity precautions include:

  • SSL VPNN clients within the app environment to protect data in transit and ensure secure network access and authorization;
  • Mutual authentication approaches that incorporate multifactor, multilayered security techniques;
  • Antitheft and antifraud tactics such as online banking transaction confirmations via SMS text messages or call backs;
  • A well-controlled access mechanism to secure integration of connectivity access into the current infrastructure;
  • Log and monitoring of all communication channels, and proper log retention.

The Customer: An Aware and Educated Consumer is a Safe Customer

Earlier this year the Dream Droid app made its way into the Android Marketplace and a countless number of smartphones. The app tricked people into downloading malicious software that mined personal data, including financial information. GGTracker made an appearance a little later, automatically downloading itself onto user phones from infected websites and signing them up to costly SMS services.

In both cases the attack was not hackers going after an established app or banking system. It was hackers praying on unsophisticated smartphone users. This demonstrates a few truisms in new-wave cybercrime: mobile fraud is far more lucrative than traditional PC-based attacks. And these attacks are tricking customers, not computers. They tricked the smartphone user into unwittingly handing over those keys to the castle.

Dream Droid and GGTracker aren’t alone. New customized viruses, designer malware, and Man-in-the-Middle or sniffing attacks via unsecured Wi-Fi networks, are targeting specific mobile platforms to steal banking and personal data. Malware on Androids alone has jumped 400 percent since the summer of 2010. An Infosecurity report called apps and app stores “the greatest malicious software delivery system ever invented.”

Consumer Education is Threat Mitigation

The fix for these kinds of attacks isn’t technical–the technical should be secured with your platform approach and the underlying operating system of the smartphone. The fix is education. The curriculum is Mobile Security 101.

The conscientious business that offers mobile service must teach its users to treat their devices like the digital wallets that they are. According to a 2010 SANS Institute report, 85 percent of smartphone users don’t employ an antivirus solution to scan for malware. With antimalware programs available for all major smartphone operating systems, there is no excuse for your customers to go unguarded. The smaller the business, the more important the education process becomes.

Remind your customers–in your business literature, on your site, and in the app–to keep their phone safe with a screen lock and to use strong case-sensitive alphanumeric passwords. As convenient as auto-complete functions are–which save passwords and login credentials for ease of entry–encourage customers to disable them, entering credentials every time.

Ask your customers to activate effective security features in their phone’s operating system, such as encryption and time-out passwords. In your app these features should be default, unchangeable settings.

To move into mobile services, for banks and credit unions of any size, a secure platform and smart, well-educated users are essential. The most secure app in the planet is useless if the user is careless with his credentials, or unknowingly clicks on a malicious link. On the other hand, the most sophisticated users out there are powerless if the platform isn’t bulletproof.

As chief information security officer at Identity Theft 911—an identity theft and data breach management, resolution and education service—Ondrej Krehel manages a comprehensive information security program and leads computer forensic investigations. He helps businesses and individuals secure their information.