Does mobile banking via text pose security risks?

New bank services allow customers to check balances and transfer funds via text message. It's convenient, but is it safe?

Hoping to attract younger clients, financial institutions are expanding their texting services so customers can do everything from viewing account balances to transferring funds.

But the move, which is being adopted by retail banks, retirement service providers and other financial firms, raises the question: Is texting financial information safe?

Doug Johnson

Doug Johnson of the American Bankers Association says text messaging offers limited functionality and, therefore, limited vulnerability.

After all, texting isn’t hacker proof – nothing is – according to network security experts. But texting does have one advantage over other forms of communication: Its simplicity actually makes it more secure.

“There’s not a lot of value that you can steal from text messages, so hackers are not all that concerned with stealing or getting into a text message,” says Marc DeCastro, research director with IDC Financial Insights.

Texting isn’t a “rich” data experience, DeCastro explains. Unlike websites and apps, the texting format is limited to a “short delivery mechanism.”

Limited vulnerability

With limited functionality comes limited vulnerability, says Doug Johnson, vice president of risk management policy for the American Bankers Association (ABA). Texting, he adds, is an “authenticating mechanism” for transactions initiated via phone or over a 3G or 4G data network used for email.

Dozens of banks now offer texting, including nationwide giants such as Wells Fargo, regional institutions like Bank First Financial Services in Mississippi, and community banks like East Cambridge Savings Bank in Massachusetts.

The safety of texting depends on each financial institution’s security procedures and what information they allow to be texted.

Bangor Savings Bank in Bangor, Maine, for instance, says account numbers are never revealed via texts, and information is only transmitted when activated by the customer’s own phone.

How customers communicate – either through cell service or the Internet – also affects the level of security, experts say. Criminals can steal email data by “phishing,” voicemail by “vishing,” and texts by “smishing.”

Citing the speed and convenience of texting, the retirement services and investment giant Principal Financial Group announced in January that it would allow retirement plan participants to sign up for defined contribution plans by text messaging.

Jerry Patterson, senior vice president of retirement income strategy at Principal, says the speed and convenience of texting is vital to increasing retirement savings. Customers can text the amount they want to deposit in retirement accounts, though investment selections must still be made online or by phone.

Demand for texting

Financial institutions say they need to offer texting to attract younger customers, who are more likely to be on mobile devices than anything else.

Generation Y — those roughly between 18 and 34 years old — send or receive an average of nearly 800 text messages a month. By comparison, Generation X — those roughly between 35 and 50 years old — average only 128 text messages a month.

This year, as many as 40 percent of all financial transactions will be originated out of a Gen Y household, according to research published by the bank transaction processing company Fiserv.

“Institutions allowing customers to text is driven not so much by cost but by customer preferences,” says the ABA’s Johnson. Banking customers, he adds, want as many mobile platforms as possible and texting is much more responsive. Emails often take hours or days for a response, while texts take only minutes or hours.

Desktop banking has reached a saturation point, but there’s still room to grow in mobile, says IDC’s DeCastro. What matters is how rich an experience customers want with their financial institution.

Cyril Tuohy
Cyril Tuohy, a former news reporter and magazine editor, is a freelance writer with expertise in banking and insurance. He has covered the financial services industry for more than 20 years. He lives in Pennsylvania.
Cyril Tuohy
Cyril Tuohy
Tags: Data Center,Technology
  • Ben_Katz

    This is not a significant security risk. a)the funds can only be sent to known counterparty b)the counterparty usually needs to be at the same bank, so low fraud likelihood. moreover, the recipient is known to the bank, so tracking fraud should be easy.

    lastly, velocity limits on text p2p are common, so any losses will be small.