Is Mobile Banking Secure?

PHOTO: A sign advertising Citibank stands in the central business district in Jakarta, Indonesia, May 21, 2011. (Ed Wray/Bloomberg/Getty Images)

Online and mobile banking apps provide millions with easy access to their accounts and billpay, but what happens when something goes wrong?

Citibank customers who used an iPad app to pay their bills were charged twice, some without their knowledge, the bank acknowledged this week.

The problem began in July and went undetected until December, the New York Times reported.

Andrew Brent, Citigroup spokesman, said the now-fixed problem impacted less than 2 percent of all transactions executed through the iPad.

"We take seriously the functionality of our products and services as well as the satisfaction of our clients," Citibank said in a statement. "Upon discovering a technical bug in our Citibank for iPad app had caused a limited number of clients to encounter duplicate payments or transfers, we immediately fixed the technical issue. Even more important, we have reached out to clients who were impacted to ensure their individual situations are resolved completely."

Citi's iPad app, launched in July 2011, is one of a handful of mobile and online offerings from Citigroup. Early last year, Citi launched "Click to Call/Chat" via Twitter. In May 2011, Citi teamed up with Google to become the bank partner for Google Wallet, a "smart, virtual wallet" which allows you to tap your phone on a sensor for in-store or online shopping. In January, Citi launched the first Facebook program to enable rewards sharing and says it became the first credit card provider to offer account analysis tools on the iPad.

With the growth of mobile banking apps that allow users to do everything from depositing checks through their smartphones to transferring money, large, traditional banks and start-up companies are joining the fray.

Chase and Charles Schwab offer apps that allow customers to scan and deposit checks from their smartphones.

Schwab launched its brokerage and banking mobile deposit iPhone app in May 2011, followed by the Android app the following month. Nearly 40 percent of all check deposits at Schwab Bank came through mobile devices since the launch of the app.

Security precautions and procedures to correct errors vary by bank, though most institutions recommend you contact them immediately if there is an issue.

John Burnett, associate editor of, a resource for financial services professionals, said there is some potential for additional error on the mobile side of banking because users often move through a transaction quickly.

"You may not take the time to review what you have done once you have committed to it," he said. "Once you commit to it, it's typically gone."

The Electronic Fund Transfer Act gives some guidelines for transferring money, though Burnett said there's no special standard or compliance for mobile banking.

"So banks have taken a paradigm from online banking, sitting at computers – and translated that to a tiny screen on mobile phones," he said. "And that may or may not work well, given the different varieties of phones. Some are smart, some aren't so smart. There is always that potential that not all the I's get dotted and T's crossed."

Burnett said his small bank, Rockland Trust Company, also offers some mobile banking services through a third-party service provider.

Security issues go both ways, Burnett said.

One potential security concern of smart phones is they are portable.

"It's not uncommon for a smartphone owner to store password information right on the phone," he said. "Anyone picking up the phone with a high school education can start doing business with the bank on their phone. That's creating a problem for banks when consumers wake up to the fact that they've been defrauded when their phone's been abused."

Burnett offers these tips for mobile banking users.

First of all, always know where your phone is.

Second, don't allow your banking applications to store a password to log in.

Third, use the phone to review activity on your account regularly so you can check any problems quickly.

Diane Russell, Charles Schwab senior vice president of platform services, said if a customer makes an error in the check deposit amount, it triggers an out-of-balance alert that typically is detected within an hour, but otherwise before the end of that business day.

"As soon as we detect an error, we immediately e-mail the customer to alert them and include instructions to resubmit the check or to contact us for assistance," she said.

Russell said Schwab has not seen errors in check deposit amounts but the company has a process in place to quickly correct any mistakes. To prevent errors, she said Schwab uses image technology on its servers, as well as people to process the checks.

She said the Schwab app captures the information that a customer enters, and the information from the check image itself. If there's a mismatch, it alerts an operator to reconcile the discrepancy. She said this reconciliation process makes errors unlikely.

"If a mistake did occur, we would immediately send an email to the customer to let them know we have a mismatch and give them the option to resubmit the check, mail it in or bring it into one of our branches," she said.

Christine Holevas, spokeswoman with Chase, said as with any discrepancy with an account, the customer should call Chase (at 800-935-9935) to inform the bank of the problem.

"We will correct the problem as quickly as possible, but because every situation is unique, we cannot guarantee a specific timeframe, but we understand the urgency of the situation for customers," she said. Subject to limitations, customers are reimbursed for 100 percent of unauthorized transfers to or from their personal Chase checking and savings account initiated through the Online and Mobile Bill Payment and Transfer Service.

Chase Online and Chase Mobile use encryption technology, and established user IDs and passwords are necessary to access account information, the bank says. Images do not reside on the mobile device, which helps protect personal information in case of theft.

Dwolla is a payments service competing with MasterCard and Visa's credit card networks and online and mobile payment systems like PayPal and Square, which charge a percentage each time you make a transaction plus a small flat fee.

With Dwolla, you pay a flat 25 cents a transaction if you receive a payment, with no fees based on percentage. Users can go online and make payments or use an app on their iPhone or Android device. The company is also working to have retailers accept Dwolla payments in stores, with business owners in Des Moines leading the way. PayPal users pay a 2.9 percent transaction fee plus 30 cents to accept payments. Square, launched by Twitter co-founder Jack Dorsey, charges 2.75 percent when you swipe a card on the device. If you enter a credit card manually, your cost is 3.5 percent of the fund amount plus a 15-cent transaction fee.

Visa and MasterCard banks charge merchants an average credit card interchange fee of around 2 percent per transaction, according to the National Retail Federation.

Ben Milne, founder and CEO, said Dwolla has similar policies and procedures as banks. But he said Dwolla's role in the discussion of errors in mobile banking isn't so much about the policies and procedures but how his startup of a dozen people "handles these situations on a user level, both proactively and retroactively."

"Dwolla is a relatively new network with big aspirations, but trust must come before growth," he said. "As it should, this puts a lot of responsibility on Dwolla to proactively craft new technologies that put an emphasis on product scalability and a pleasant user experience. From there, it's about user engagement. How did we do? Tell us what sucks? Are we creating a network that makes you happy? What can we do to make this a better product for you? And because we're a nimble tech-focused startup, we can move at a pace that meets the expectation of the 21st century consumer."

Another service, Boom, is a mobile banking service that works through texting, even without a smartphone, for a "branchless" banking model.

Pete Kelly, vice president of business development with m-Via, the company that offers Boom, said Boom is competing with cash.

The company's target market is the "unbanked," or those without access to traditional banking services, which is about 80 percent of the global market. To serve that market, Kelly said the company was founded on the principles of security. He said that market is mostly migrants and those who chose not to be in the banking system.

"We're not just a money transfer provider," he said. "We're a mobile global bank."

Boom users pay an annual membership fee and a flat fee of $2 each time you load money into your account. You can join at a participating 7-Eleven convenience store, request one by phone or fill out an online form.

Users can deposit money at a 7-Eleven then send a text message to send money to a recipient, who will also be notified about the transaction via text.

Kelly said there is always a live operator to help via telephone and the service is easy and fast.

"It's certainly easier and faster than existing money transfer companies," Kelly said. "We're all about empowerment and so forth. The level of service we provide is better than anything offered."