Both my regular readers are probably thinking what's wrong is that we're going to get another rant about online banking. Well, yes you are, but that's not the point. Buckle up, because I'm about to roll out Borepatch's Second Law of Security.
Let's think about a brick-and-mortar bank. It will be in a building with decent security. More importantly, the security will be well understood. There are people whose business it is to know how long it will take someone to knock a hole in drywall, or cinder block, or vault steel. Or bullet-proof glass, for that matter. When you design a bank branch office, you take these things into account.
You also take area characteristics into account. Is it a good neighborhood? High traffic? Well lighted? All of these effect the security of your customers when they're not in your building. The system of the branch office is more than just the building.
So what's the system of the online mobile bank? We need to understand this to understand the risks of the different system components to get a good understanding of the overall risk.
There's the web site itself (logo blurred out here to protect the guilty). My experience is that you'll find the best security in the Defense Department. Very close behind that is security at the major banks. I have made some snide comments in the past about online banking, but the problem isn't that they don't have cutting-edge technology, or skilled operations personnel, or processes and procedures that are backed by executive management. Someone's in charge of the system - you can ask the question who's the online security guy and get an answer. While there will always be the occasional security vulnerability in the web portal, the risk here is low.
There's the Internet, that sits between you and the web site. Security is lousy here, but the encryption used to scramble your data while it flies over Al Gore's Intarwebz is so good that the risk here is basically non-existent.
There's your phone, and your phone's browser. Technology is moving very, very fast here, which means that security is an after thought. You have many different vendors - one makes the phone, a different one makes the software, and a third one that sets everything up. For me, it's some company in China who makes the phone, and Apple who makes the software (OS X and Safari), and AT&T who sets things up.
So when it comes to your phone, you are the "online security guy". You need to configure the phone securely and make sure that things are working correctly. Not your bank - after all, it's your phone, not theirs.
So what's the risk of the overall banking system? Negligible risk in the banking web site and Internet transport, but indeterminate risk in your phone.
In an engineering sense, "indeterminate" is a Bad Thing, because you can't estimate costs and risks. It's more than just Ted has a bad feeling going on here, there are serious issues that you need to know before you know if the overall online mobile banking system has unacceptable risk:
Do you have a password on your phone? Passwords aren't the be all and end all, but not having a password means that any Tom, Dick, or Harry can use your phone.You have some sort of chance of knowing the answers to the first two questions; you have almost no chance at all of getting an answer to the third. Even more importantly, your bank can't find out, either - the web site can ask the browser a number of interesting questions, but not about these things.
Is all the data stored on your phone encrypted? If your company gives you a phone, and there's a guy in IT who sets things up, the answer very well may be "yes". Otherwise, it's almost certainly "no". "No" means that any Tom, Dick, or Harry can get your data if they get your phone.
Does your phone's browser clear all sensitive data when you're done browsing? Does it remember passwords? Does it save cookies? Does it have some sort of optimization to make it run faster, that involves saving a bunch of data so that the next time you go to http://uberl33tbank.com you get peppy load times?
So we're back to indeterminate. This is Bad Security juju, and this is where I will point to Borepatch's Second Law of Security:
Assume that all data on your phone is public data if you ever lose your phone.Remember Tina Sherman? She has a loving husband - so loving, in fact, that he used his camera phone to take some photos of her in the all-together. Then he lost the phone. Then Mrs. Sherman found that she was the (ahem) star of a raft of web sites.
Imagine now that instead of naughty pix of the little lady, Mr. Sherman had his banking account and password on his phone.
So if you know how the system works and think that the benefits outweight the costs, then go ahead. That, in fact, is the way that the system is supposed to work. As for me, I don't think I'm smart enough to figure out what my phone is doing.
So my recommendation to you is use an ATM, or if you absolutely must bank online, use your home computer. Just follow the 2 Simple Rules for Safer Browsing.
Your mileage may vary, void where prohibited, do not remove under penalty of law.
UPDATE 19 January 2009 21:14: Chris Byrne left a information-rich comment that is well worth your while.