A bank in the United States, USAA, recently announced a new way their customers can deposit a check into a bank account: capture images on an iPhone and transmit them using an application provided by the bank. In fact, USAA has offered the capability to deposit checks using an ordinary document scanner for several years. Of course, scanners don’t fit in your pocket or purse and are connected to a more traditional personal computer — hence most of us are likely to trust the security of the scanner-based solution because it utilizes technology that has become familiar through regular usage in a variety of ways. More specifically, few people question the security of the transaction when they are able to view the lock icon in their browser while connected to their bank.A cursory read of USAA’s terms and conditions suggest that the security (and potential misuses) of the iPhone application have been duly considered. Indeed, USAA is planning to expand the capability to other popular ‘smart’ phones as well. Given the number of publicized security incidents at financial institutions in the last couple of years, does this have the potential to become another vector for miscreants?Since this application was initially launched for the iPhone, that will be the focus of my thoughts. Full disclosure: the latest iPhone (3GS) is the second one I’ve purchased. Previously, I had the ‘first generation’ — its security features were circumvented easily through shared programs developed by a clever group of grey hats. Of course, my professional curiosity was piqued and I spent some time reading about how they went about that, as well as running the program against my original phone. I was fully aware of the consequences (e.g. loss of warranty); I am not suggesting that you do the same. Finally, while I am not a customer of USAA, a colleague installed it and reports that the application employs good security measures, including multiple levels of authentication and the inability to save a username or password on the device. The bank has provided a video demonstration if you are interested in seeing it in action.In light of my curiosity, here are some thoughts and observations regarding the USAA iPhone application — not all of them are security-related.
- The increasing sophistication of mobile computing and smart phones has opened up new opportunities for productivity ‘on the go.’ Will this mean more opportunities for data loss and/or exploitation as well?
- As devices become more portable, they are more prone to unintended loss (e.g. seat pocket of an airplane) or outright theft. Does the responsibility to protect sensitive data rest with the ‘owner’ (human), ‘system’ (the mobile device and its application for accessing the bank, the provider’s network, the bank’s network and server), or some combination of both?
- What constitutes best practices for the system and the user? For my phone, it’s a combination of auto-locking the device after a short idle period + data wipe after N unsuccessful attempts to access it + consistent usage of secure networking between the device and ‘the cloud‘ whenever possible. For example, I will only read mail over SSL.
- For financial transactions, there has historically been a greater level of security through trust, e.g. the customer who knows his/her banker by face and regular contact, as opposed to now when issues are often resolved by a customer service representative over the phone. The ability to deposit checks without any physical meeting or even ‘snail mail’ further reduces face-to-face contact. For the safety of data, we need greater reliance on a holistic approach to the security of the systems involved, including user behaviors. In order for the ‘human network’ to be successful over the long term, it seems to be we must be able to construct what I term ‘paradigm equivalents.’ Cisco’s TelePresence seems to be a good example of that, albeit for in-person meetings instead of banking.
What are your thoughts regarding the continuing evolution of the ‘anywhere, anytime’ flexibility to conduct business? Does it equate to an increased security risk? I’d like to hear from you — no need to put it in the mail, however.