Is Mobile Banking Secure?

Citi says a small group of its iPad app users were sometimes charged twice.

By ABC News
February 10, 2012, 11:28 AM

Feb. 10, 2012 -- Online and mobile banking apps provide millions with easy access to their accounts and billpay, but what happens when something goes wrong?

Citibank customers who used an iPad app to pay their bills were charged twice, some without their knowledge, the bank acknowledged this week.

The problem began in July and went undetected until December, the New York Times reported.

Andrew Brent, Citigroup spokesman, said the now-fixed problem impacted less than 2 percent of all transactions executed through the iPad.

"We take seriously the functionality of our products and services as well as the satisfaction of our clients," Citibank said in a statement. "Upon discovering a technical bug in our Citibank for iPad app had caused a limited number of clients to encounter duplicate payments or transfers, we immediately fixed the technical issue. Even more important, we have reached out to clients who were impacted to ensure their individual situations are resolved completely."

Citi's iPad app, launched in July 2011, is one of a handful of mobile and online offerings from Citigroup. Early last year, Citi launched "Click to Call/Chat" via Twitter. In May 2011, Citi teamed up with Google to become the bank partner for Google Wallet, a "smart, virtual wallet" which allows you to tap your phone on a sensor for in-store or online shopping. In January, Citi launched the first Facebook program to enable rewards sharing and says it became the first credit card provider to offer account analysis tools on the iPad.

With the growth of mobile banking apps that allow users to do everything from depositing checks through their smartphones to transferring money, large, traditional banks and start-up companies are joining the fray.

Chase and Charles Schwab offer apps that allow customers to scan and deposit checks from their smartphones.

Schwab launched its brokerage and banking mobile deposit iPhone app in May 2011, followed by the Android app the following month. Nearly 40 percent of all check deposits at SchwabBank came through mobile devices since the launch of the app.

Security precautions and procedures to correct errors vary by bank, though most institutions recommend you contact them immediately if there is an issue.

John Burnett, associate editor of BankersOnline.com, a resource for financial services professionals, said there is some potential for additional error on the mobile side of banking because users often move through a transaction quickly.

"You may not take the time to review what you have done once you have committed to it," he said. "Once you commit to it, it's typically gone."

The Electronic Fund Transfer Act gives some guidelines for transferring money, though Burnett said there's no special standard or compliance for mobile banking.

"So banks have taken a paradigm from online banking, sitting at computers – and translated that to a tiny screen on mobile phones," he said. "And that may or may not work well, given the different varieties of phones. Some are smart, some aren't so smart. There is always that potential that not all the I's get dotted and T's crossed."

Burnett said his small bank, Rockland Trust Company, also offers some mobile banking services through a third-party service provider.

Security issues go both ways, Burnett said.

One potential security concern of smartphones is that they are portable.

"It's not uncommon for a smartphone owner to store password information right on the phone," he said. "Anyone picking up the phone with a high school education can start doing business with the bank on their phone. That's creating a problem for banks when consumers wake up to the fact that they've been defrauded when their phone's been abused."

Burnett offers these tips for mobile banking users.

First of all, always know where your phone is.

Second, don't allow your banking applications to store a password to log in.

Third, use the phone to review activity on your account regularly so you can check any problems quickly.

Diane Russell, Charles Schwab senior vice president of platform services, said if a customer makes an error in the check deposit amount, it triggers an out-of-balance alert that typically is detected within an hour, but otherwise before the end of that business day.

"As soon as we detect an error, we immediately e-mail the customer to alert them and include instructions to resubmit the check or to contact us for assistance," she said.

Russell said Schwab has not seen errors in check deposit amounts but the company has a process in place to quickly correct any mistakes. To prevent errors, she said Schwab uses image technology on its servers, as well as people to process the checks.

She said the Schwab app captures the information that a customer enters, and the information from the check image itself. If there's a mismatch, it alerts an operator to reconcile the discrepancy. She said this reconciliation process makes errors unlikely.

"If a mistake did occur, we would immediately send an email to the customer to let them know we have a mismatch and give them the option to resubmit the check, mail it in or bring it into one of our branches," she said.

Christine Holevas, spokeswoman with Chase, said as with any discrepancy with an account, the customer should call Chase (at 800-935-9935) to inform the bank of the problem.

"We will correct the problem as quickly as possible, but because every situation is unique, we cannot guarantee a specific timeframe, but we understand the urgency of the situation for customers," she said. Subject to limitations, customers are reimbursed for 100 percent of unauthorized transfers to or from their personal Chase checking and savings account initiated through the Online and Mobile Bill Payment and Transfer Service.