Security

Data security is not an issue that is particular or limited to mobile devices but many comments discussed security issues in the context of mobile financial services. There was widespread consensus among commenters that concern over security – real or perceived – is one of the most significant barriers to MFS adoption for consumers.231

4.1.1 Data and transaction security

Data breaches and hacking: Many commenters discussed the risk and the increasing

frequency of data breaches in general.232 _{The Massachusetts Attorney General’s office stated in}

its comment letter, “the storage and transmittal of financial information on and through mobile devices presents unique security risks.”233 _{Comments discussed the risks the mobile channel}

presents including the amount of personal and financial information provided and accessed through the channel; the wide range and variability of operating systems and reliance on the customer to implement updates; and that more advanced security measures are not yet widely offered on more affordable smartphones.234 _{One commenter cautioned that “even if the number}

of attacks on mobile financial services is much lower than on online services, we must understand this will not last forever.”235

Identity theft: Several commenters identified identity theft as a risk, particularly because

consumers are more likely to be in a public place when they access accounts through a mobile phone and they may not be aware of the risks when they transmit data using WiFi that is not

231 _{ASOC, #40, at 3,5; Gemalto, #37, at 1; ABA, #45, at 14; EPCOR, #46, at 3 (“Mobile device authentication and}

consumer authentication measures need to advance to make mobile banking safe.”)

232_{Budnitz, #48, at 4; One Financial, #33, at 6 (“Consumers are legitimately concerned about identity theft and data}

breaches, as well as about broader spectrum surveillance.”)

233 _{Mass AG, #20, at 2. The Office reported that from January 1, 2008 through December 31, 2013, it received notice}

of over 5,330 data breaches, affecting approximately 4.75 million Massachusetts consumers across a multitude of technologies.

234 _{ABA, #45, at 14; EPCOR, #46, at 3; Mass AG, #20, at 1.} 235 _{Gemalto, #37, at 8.}

their own.236 _{The impact of identity theft is more significant for low-income consumers, a}

commenter pointed out, because they have “few funds to absorb any economic loss that results.”237

Transaction security issues: Commenters noted that while there may be risks generally of

personally sensitive data being transmitted electronically, risks also arise on a per transaction basis. Making sure that a transaction is both secure (from the consumer’s perspective) and not fraudulent (from the provider’s perspective) is important to maintain trust in the e-commerce environment. Biometrics, innovative authentication measures, and tokenization were all raised by commenters as potential ways to help ensure that financial transactions remain safe.238

4.1.2 Security associated with the device

Theft of devices: Commenters noted that mobile devices can be easily lost, stolen, or

damaged, and consumers may not be able to access information if it was deleted or if they changed phones or providers.239 _{A commenter noted that consumers may become crime targets}

when they use mobile devices.240 _{Consumers Union reported that based upon a nationally}

representative survey of adult Internet users, Consumer Reports® projected that 1.6 million American were victims of smartphone theft in 2012.241 _{Consumers in cities appear especially}

vulnerable.242

236 _{MFY, #17, at 3.} 237 _{Budnitz, #48, at 5.}

238 _{See, e.g., Gemalto, #37, at 4.}

239 _{Id.; CFSI, #6, at 8; CBA, #10, at 8: “As many of us can unfortunately attest, the portable nature of mobile phones}

makes potential loss or theft an unavoidable reality.”

240 _{Consumers Union, #30, at 13.} 241 _Id.

242 _{Id. at 13-14. (Over fifty percent of the robberies committed in San Francisco during a certain period, for example,}

Consumers Union reported that 36 percent of consumers surveyed do not have a passcode on their phone.243 _{In addition, few consumers understand that when they retire a phone, they have}

to overwrite the information or the phone has to be destroyed to get rid of the data – merely deleting it doesn’t remove it permanently.244 _{EPCOR also noted that lost devices that are not}

passcode-protected and mobile malware represent significant threats to all mobile services.245

In its comments, Appleseed raised the concerns of both personal and financial security for immigrants and posed the question of how the shift to mobile may affect those concerns.246

Appleseed commented that vulnerable populations, such as immigrants, are more often the victims of street crimes and theft than other population subgroups.247

Difference in operating system security: Though all operating systems can experience

security breaches, a few commenters pointed out the different levels of risk associated with iOS (Apple phones) versus Android systems. According to comments, the Android’s open platform enables a greater number of users to access the platform, making it harder to monitor.248

Though Android and iPhone use across the general population is fairly equal, there is a contrast at the lower-income levels. According to Pew, in households with incomes under $30,000, 13 percent have iPhones, and 28 percent have Android (compared with 40 percent iPhone

as a “growing public safety problem,” citing article Lisa Ward, “NY AG asks smartphone makers to fight theft,” Silicon V. Bus. J (May 14, 2013) 2013 WLNR 11882324)

243 _{Id. According to the FRB2015MOBILE SURVEY, the share of smartphone owners who password protect their phone}

increased to 69 percent in 2014 from 61 percent in 2013.

244 _{Consumers Union, #30 at 13.} 245 _{EPCOR, #46, at 2.}

246 _{Appleseed, #41, at 7.} 247 _Id.

248 _{See NAFCU, #14, at 2; Gemalto, #37, at 9 (citing to 2013 figures that showed 97 percent of the malware attacks}

targeted android platforms at http://www.forbes.com/sites/gordonkelly/2014/03/24/report-97-of-mobile- malware-is-on-android-this-is-the-easy-way-you-stay-safe/)

ownership rate in households with incomes above $75,000).249 _{According to Javelin, 24 percent}

of the unbanked who own a smartphone are on the iOS system and 57 percent are on the Android system.250 _{In contrast, 44 percent of the phones owned by underbanked and fully}

banked consumers run on the iOS system.251

Applications: The Privacy Rights Clearinghouse stated that the major app stores such as the

Google Play store and Apple iTunes store may be “more likely to catch bad actors than other third-party app stores” but, it noted, an app doesn’t have to be malicious to contain security vulnerabilities.252

Denial of service attack: One commenter described the risk that consumers will not be able

to access their institution because of a “distributed denial of service” attack.253 _{When these}

attacks occur, the commenter stated, consumers are not able to conduct timely financial transactions, which may result in late fee charges, or other consequences of late payment.254

The commenter suggested that current laws do not directly address protection for consumers harmed by these attacks.255

4.1.3 Enhancing security

Many pointed to the flip side of security concerns – positive characteristics such as the ability to track and manage accounts and to detect fraud. Comments pointed to real-time alerts of

suspicious transactions and the ability to block or manage account access instantaneously from

249 _{Pew Research Center, Smartphone Ownership 2013, http://www.pewinternet.org/2013/06/05/smartphone-}

ownership-2013/. 250 _{Javelin, #49, at 3.} 251 _Id. 252 _{PRC, #31, at 2.} 253 _{Budnitz, #48, at 6.} 254 _Id. 255 _Id.

the phone as “a powerful new kind of defense against fraud and theft” for consumers.256 _In

addition, the ability to detect when phones and payment instruments are not co-located and to track the location of a device, commenters explained, can help deter fraud and theft.257 _{As some}

commented, however, consumers need to be comfortable with using their mobile devices safely for this to be effective.258 _{For example, Appleseed cautioned that recent innovations in mobile}

payments may require an even “higher level of comfort with technology and many consumers may find it easier to pay with another method.”259