The morning after Kirk Herath, Nationwide's chief privacy officer, told me he wouldn't bank on his mobile device "to save his life," I stood in the line at the grocery store looking back and forth from my phone to my debit card. I wanted to check my balance, but Herath's words rang in my head and I thought: Should I just dial the number on the back of the card and go through the interactive voice response to do it, instead of risking my data being compromised?
After all, both my wife and I have had our accounts tapped into without our consent. Our bank was quick to refund our money, issue a fraud alert, and get us new cards in each situation, but the sense of unease doesn't go away as easily. I don't have bank information stored in many places, but as we've all learned from Wired's Mat Honan, it only takes one instance of stored information to start a chain reaction. If my device is truly compromised, who knows what havoc could be wreaked?
Still, with all these things on my mind, I selected my banking app, logged in, and checked my balance. I guess I really don't care that much about data security.
But I do, or at least I try to. I'm not going to detail every little thing that I do to try and keep my data secure, but I generally listen to what the technology executives I interview say about the risk of certain platforms and adjust my behavior accordingly. And yet, on this one point, I just couldn't bring myself to change my behavior.
My interview with Herath got varied reactions -- some said his caution was warranted, others thought he was overreacting. I don't think there's a truly "right" answer to the question of whether mobile devices should be trusted for financial transactions. Certainly there are a number of variables at play in determining that, including the openness of the mobile platform, the vigilance of the user, and the completeness of the financial institution's application.
I don't envy chief information security officers' jobs. Consumers are largely cavalier with their devices. And with the rise of bring-your-own-device, those risks are being imported into the enterprise. As Chip Tsantes, a principal in the Financial Services Office of Ernst & Young LLP, where he leads the information security practice, told me, "There's many compromised machines in an enterprise."
AXA Equitable CISO Roy Post added that when it comes to malware, "Right now I'm thinking about our employees... The things that are of more concern to us are lost devices that are inadequately secured, and the virus threat that will always be there. It's about securing the end point against leakage that may occur there for improperly configured devices."
For what it's worth, Tsantes and Post are both generally confident that their mobile devices are secure enough for financial transactions. Of course, it's safe to assume that they have safer habits than the average consumer, especially when it comes to keeping operating and security systems up to date. Likewise, Herath might have all the confidence in the world in his ability to spot potential leakage and simply be saying with his actions that he doesn't want to be in a position to pay for one error in judgment.
And in a world where one error in judgment could be all it takes to cause irreparable damage, shouldn't we all be so safe? Or should consumers take comfort in the amount of mobile transactions that go off without a hitch every day, and find strength in numbers? I want to respect both views — but it seems like one should take precedence. What do you think?