iba horse before the cart 101311 - infotex home...horse before the cart the top five risks with...

Horse Before the CartThe Top Five Risks with Mobile Banking(and how to manage them)

Dan Hadaway CRISCinfotex

infotex Horse Before the Cart: Top 5 Mobile Banking Risks

The Top Five Risks1. Late Majority Adoption2. Tepid Adoption3. Security Risk4. Compliance Risk5. Strategic Risk


Late Majority AdoptionAlias: The Risk of Losing Market Share

Stages of Innovation•Knowledge•Persuasion•Decision•Implementation•Confirmation

Risk Assessment?

Security Controls

Everett M. Rogers' Diffusion of Innovations

infotex 1. Late Majority Adoption

Roger’s Diffusion Theory of Innovation• Innovators •Early adopters•Early majority•Late majority •Laggards



Early Adopters in Banking•Physical Security• Information Security

Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations


Late Majority / Laggard•Virtualization•Cloud Computing•Social Media•Telecommuting

Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations

Softwareforcloudcomputing.com


Risk/Benefit Evolution CurveV

alue

Time

Features, Sophistication

Price, Problems



alue

Time


Price, Problems

Innovator

Early Adopter

Early Majority Late Majority Laggards


Stages of Innovation•Knowledge•Persuasion•Decision•Implementation•Confirmation

Risk Assessment?

Security Controls



What phase of adoption are we in?

• Innovators •Early adopters•Early majority•Late majority •Laggards

Mobile banking is growing about 3 times faster than On-line banking did when it was rolled out.


What phase of adoption are we in?

Mobile banking is growing about 3 times faster than On-line banking did when it was rolled out.


It’s not really new• Brief History of Mobile Banking

• Prior to 1999, SMS-based mobile banking apps were used in Europe

• In 1999, European banks started offering apps for “primitive smart phones” that were designed to use the “mobile web,” which is a mobile version of a normal website.

• Until 2008, SMS-based mobile banking and mobile web versions (.mobi) of normal on-line banking sites held the majority of the mobile marketplace


It’s not really new•Brief History of Mobile Banking

• With the introduction of the i-Phone in 2007, the third leg of mobile delivery became possible.

• Mobile Banking could now have it’s own electronic delivery application.


One way to think about it . . . . •Stanford Credit Union was the first to offer on-line Banking in 1994.

•Think about your adoption of on-line banking.

•40.6% Consumer Adoption 12/2005 (Lichstenstein and Williamson, January 2006)

• It’s about 2006 in the on-line banking adoption curve.



alue

Time


Price, Problems

Innovator

Early Adopter

Early Majority Late Majority Laggards


By the numbers



What are bankers saying?•54% Adopting mobile banking is a top priority

•42% Rated their customer's interest as either extremely or very high

March 30th 2011 Fundtech Limited Survey of 267 bankers


Growth of Wireless Banking (apps)•2009: 10 million . . . . . . 10.8%

•“The number of active users of mobile banking in the United States will grow from 10 million in 2009 to over 53 million in 2013.”

Tower Group: March 1, 2011


New Statistics (October 8, 2011)

•Total # American Smartphone Users:

84.5 million

Comscore: Through August 2011

That means Late Majority in 2013.


By the numbers



What are bankers saying?• 31% Believe that mobile banking will become a competitive differentiator for their bank

• 38% See mobile banking as just another service delivery channel

• 77% think fraud/security concerns are the biggest barriers to growth in mobile corporate banking.



Why Mobile Banking?•Convenience

• Anytime, Anywhere• Integrated Delivery

• On-line Banking, Social Media• SMS Banking, Mobile Web, Mobile Banking

•Generation Y•Competitive Pressure


Why Mobile Banking . . . .

NOW!


Why Mobile Banking?•With proper education, can be as secure if not MORE secure than On-line Banking• More convenient monitoring• Two-factor and OTP Authentication


Tepid AdoptionAlias: The Risk of Losing Reputation

and Market Share after spending a lot of money, but not as much as everybody else.

What are bankers saying?•77% think fraud/security concerns are the biggest barriers to growth in mobile corporate banking.


infotex 2. Tepid Adoption

Myths of Mobile Banking• It’s new.


Future of Wireless Banking• “Wireless banking is a convenience we all want to take advantage of, and one that financial institutions are eager to have implemented as soon as possible. While the pressure to implement wireless banking services is great, and its development and implementation are challenging, care needs to be taken to avoid the potential risks.”

Rod Ghani, Senior Consultant . . . . .IBM July 2001


Myths of Mobile Banking• It’s new.• It’s safer than on-line banking•It’s more dangerous than on-line banking

•Security is a barrier to adoption


What IS mobile banking?•Laptops?•Cell Phones?•Thumb Drives?• i-Pads?•Smart Phones


What do the regulators say?•Mobile Banking is actually referred to as Wireless Banking

•Wireless Banking is a subset of Branchless Banking

FFIEC E-banking Handbook, Appendix E


“Wireless banking occurs . . .”• “When a customer accesses a financial institution's networks through:• Cellular phones, Pagers, Personal digital assistants (or similar devices)

• Via telecommunication companies' wireless networks.”



Five Primary Questions1. What is the value proposition for

mobile banking? 2. What will motivate consumers to

adopt mobile banking? How are consumers utilizing mobile banking currently?


Five Primary Questions3. Who are the key vendors of

wireless banking solutions?4. What are the key success factors in

creating a wireless banking solution?

5. What are financial institutions offering now in mobile banking?


Question 1: Value Proposition•Financial Institution’s customers are on average 46% more profitable when they actively use a suite of mobile banking products.

Source:- Intuit Financial Services advertising

when you try to go to the americanbanker.com website.

Question 1: Value Proposition•Which investment offers the most obvious return?• New Branch• Wireless Banking

2. Motivating Consumer Adoption•Smart Phone Growth•Peers•Anytime, anywhere•Convenience

The customers are already motivated. How long will they wait for YOU to be motivated?

Question 3: Key Vendors•Start with your core and your on-line banking provider.

•Don’t end there.•A list of key wireless banking providers is on our portal.


4. Success Factors•Access

• AT&T or Verizon or Both• Integration•Security and Risk Management•Features (and quality of app)


5. Features (Bird’s Eye View)•Channels•Platforms•Core App Functionality (Front end + wallet)

•Non-traditional Features


Channels•Mobile web (.mobi)•Text banking•Smart Phone Applications


Mobile Web Features•Subset of your existing on-line banking features.


Traditional On-line Banking Feature Categories used in Mobile Web Non‐transactional

o Viewing recent transactionso Checking Account Balanceso Checking for deposits and when checks clear.

o Reading Secure Messageso Payments to Third Parties (already set up)o Funds Transfers (internal)


Traditional On-line Banking Feature Categories not used in Mobile Web Transactional

o Setting Up Payments to third partieso Downloading Bank Statements (multiple formats: PDF, QIF, CSV)

o Viewing images of checkso Applications (loans, accounts, etc.)o Investment purchase or sale


SMS Features•Checking your Balance•Find an ATM or Branch•One-way Account Alerts

• Balances, Transactions, Stock Prices• Recurring Deposits

•OTP Authentication


Smart-phone Application Features•Check balances•Pay Bills•Transfer Funds•Trade Stocks


(boring)

Smart-phone Application Features•Status of credit requests•Complaint submission•Branch and ATM Locations


(still boring)

Smart-phone Application Features•Customization

• Preferred Language• Date / Time format• Amount format• Monitoring Parameters (for SMS Alerts)


Let’s back up a bit


Another view: Types of Features•Front End of Existing Accounts

o Transact off existing Bank Accounto Starbucks, Subway, Amazon.o Mobile Web and Smart-phone Apps

•Self-Contained Wallet • The money is actually ON the mobile device


Smart-phone Application Features•Wallet Capabilities

• Scan and Pay• Wave and Go (Europe)• Peer to Peer (P2) Payments• Gift Cards

•Consumer Capture


Consumer Capture


The next screen SHOULD say:

• “Write “deposited” on your check in LARGE LETTERS and include the date.”

Advantage of Early Majority Adoption•Many new versions of Wireless Banking Apps are reading checks and checking back to the core database to compare MICR codes or other forms of check identification, then approving the check.

Deployment Challenges•System Integration•Application Distribution•Security Controls•Compliance Consideration


Tepid Adoption•Offer only one of the wireless delivery channels (SMS, Mobile Web, Applications)


And you lose.

What do you lose?•Generation Y Customers.•Reputation with Gen X and Baby Boomer Customers


Walk, not Crawl, Before you Run•Offer all three distribution channels but:

• Have a tactical plan to stagger platform release.

• Update your Incident Response Process• Limit high risk transactions

• Changing Authentication Credentials• Transfers to outside accounts• Volume of transactions• Size of transactions


Security RiskAlias: The Need for Awareness

What the regulators say . . . •Transaction/Operations Risk

• Limitations in Wireless Technology• Security solutions for Wired might not translate to Wireless

• Additional risks to integrity and confidentiality of data


infotex 3. Security Risk

Attack Vectors•Lost or Stolen Device•Non-malicious “dumb user mistakes”•Smishing (and Phishing and Vishing)•Fraudulent Apps


Attack Vectors•Malware

• Zitmo = Zeus in the Mobile• OTP Interceptions, Keyloggers

•Application Vulnerabilities

= (Patch Management)4


New i-Phone Operating System

•iOS 5 was released yesterday•New iPhone 4s

iOS 5.0

•Over-the-air updates. This makes the update process much simpler, therefore more people will do it.

•All iPhones AFTER the iPhone 3G (3GS, 4, 4S) support the new operating system, and therefore support over-the-air updates.

•This does include the iPad and iPad2.

Cloud Computing Side Note

•The new iCloud is available for any device running iOS 5.0 and some MacBooks.

•and Windows Vista or Windows 7•Music support on older iOS versions.• If you have users with bank-owned iPhones, you might want to consider disabling this feature.

Lost or Stolen Devices


Typical Airport Lost and Found Warehouse

Application Vulnerabilities


Application Vulnerabilities•Non-banking apps: Many are written by novice programmers who do not know security best practices.

•Non-banking apps: Even those published by corporate interests often do not have SDLC controls in place.


Application Vulnerabilities

•November 29 2010: Groupon, Kik Messenger, Facebook, Dropbox, and Mint’s smartphone apps fail to securely store username and application data.

•They were storing the password as plain text.


Banking Application Vulnerabilities

•August 2010: Citgroup admits that their smart-phone application saved account numbers and other sensitive information to the mobile device in unencrypted format.

viaForensics Audit, November 01 2010

Three days later, same app passed every test!

viaForensics Audit, November 04, 2010

Fraudulent Apps


Google Rolls Out•50 apps were removed from Google’s market due to complaints of fraud in first ninety days


App Distribution• App Store (Apple) 350,000 • Android Market (Google) 300,000• Ovi Store (Nokia) 43,535• App World (RIM – Blackberry) 16,121• Windows Phone Marketplace (Microsoft) 12,222• App Catalog (Palm/HP) 6405• Software Store (Palm) --- Closed 5000 in 12/08• Twenty-seven third-party distribution platforms ranging from Amazon to VZAppZone

Wikipedia, March 2010


Fraudulent App Distribution•Social Media•All platforms but Apple’s App Store•“Can I borrow your phone?”


Malware


Malware Statistics•Good news is that Smart Phone viruses do not spread as easily as computer viruses.

•Bad news is that they (so far) seem to be much more targeted.

•67 unique known smart-phone viruses in November 2010.

•


New Malware Statistics•Over 80% of Smart Phones have NO security products such as malware installed on them.

•25% of Smart Phone Users have no idea how to install AVS.

•25% of Smart Phone Users believe they can not afford AVS for their phones.

• Digital Trends Magazine 09/21/2011

Marc Rogers, Purdue University

Zeus Application and Zitmo

. . . zooming in . . . infotex 3. Security Risk

Jailbreaking•Eliminates application development controls that separates Apple from other providers.


Dumb User Mistakes

Non-malicious “dumb user mistakes”

Some people were actually burned by this scam.


Non-malicious (dumb user) mistakes

•Double deposits•Overdrafts

• As Gen X and Babyboomers start using mobile banking, they will have difficulties using the “cash float” that they have relied upon using older payment methods.


Non-malicious (dumb user) mistakes

•Lost and stolen mobile devices•Retired mobile devices

• SMS ends up in at least three places: your phone, the receiver’s phone, and at least one server somewhere in the middle.


Other potential customer vulnerabilities•Bad application reviews•Untrained Help Desk Staff


Jailbreaking•Allows you to use your iPhone in ways Apple did not intend.

•Allows further customization of iPhone•Allows use of unlicensed software


Jailbreaking•Violates Apple’s terms of use•Nullify’s Apples support obligations•Substantially increases risk of fraudulent applications.


Jailbreaking•Default password = “Alpine”•Standard port scanning techniquesidentifies Jailbroken iPhoneswith SSH turned on.

•Hackers then loginto phone with the default password.


Controls

Controls•Customer Awareness Training•Know your assets•Feature-based Risk Assessment•Vendor Due Diligence•On-going Vendor Due Diligence•Strategic Planning


On the infotex portal•Customer Awareness Tools

• Re-brandable flyer•Bank Wireless Security Controls Checklist


Compliance RiskAlias: The Risk of Increasing Risk

The bad news•Wireless banking involves every bank regulation you can think of.

infotex 4. Compliance Risk

Wow, the compliance implications . . .•GLBA•AML•CTF (Anti-Terrorism)•CIP (KYC)•OFAC•E-sign Act•EFT Act•“And other regulations” FFIEC E-banking

Handbook, Appendix E


What the FFIEC left out:•Bank Secrecy Act•Red Flags•US Patriot Act


The Good News•Vendor due diligence is the key control.

•Vendor Due Diligence Checklist is on the portal.


Strategic RiskAlias: The Risk of Evolution

What is Strategic Risk?•The risk of a loss arising from a poor strategic business decision.

infotex 5. Strategic Risk

What the regulators say . . . •Strategic Risk

• Evolving Standards (Uncertainty)



Then why is this on Dan’s Top Five?

• Multiple Environments: Different technologies appeal to different market segments

• Each cell phone has it own set of limitations.


Then why is this is Dan’s Top Five?

•Wireless platforms more numerous• Increased permutations = Increased complexity = Increased Likelihood of Problems.

•Wireless platforms still early adoption phase = quickly changing standards.

•Standards? Are there standards?•Wireless application vendors unproven


Response Process•Uncertainty (we know there are more unknowns than knowns)

•We need to dust off our Incident Response Programs

•Incident Response should be part of the strategic plan!


Wired Operating Systems•Microsoft •Unix


Mobile Operating Systems•Symbian (primarily non-North American markets) Open Public License 36.6% WWW Market Share

•Android from Google 25.5% Marketshare Open Source

• iOS from Apple: 16.7% Marketshare Proprietary


Mobile Operating Systems•RIM (Research in Motion) by Blackberry 14.8% Marketshare Proprietary

•Windows Mobile from Microsoft 2.8% Marketshare Proprietary

•Others: Linux, Palm, bada, MeeGo, Maemo, Limo, BrewOS 3.6% Marketshare Proprietary and Open Source


New Statistics (October 8, 2011)•Android: 43.7% •Apple: 23.7%•RIM (Blackberry): 19.7%•Windows (Mobile + Phone 7): 5.7%•Simbian: 1.8%

Comscore (through August 2011)

New Statistics (October 8, 2011)

•Total # American Smartphone Users:

84.5 million

Comscore (through August 2011)

New Statistics

•44% of Smart Phone Users are considering Windows Phone 7.

•Neowin.net 09/20/2011

If we reduce it to top three• Android (multiple providers, multiple releases)

• iOS (Apple: Announced version x while rolling out version y)

• RIM (Blackberry: have to wonder why so slow to smart-phone market)


Integration•Not only from wireless application to core processor (and other back-office applications) to on-line banking application.

•But also to social media presence


Compliance Versus Convenience•Registration of New Users

• Drive to make this as lightweight as possible

• Real AML and CTF implications• KYC (Know-your-customer ) usually complicates registration, leaving the “data set” with some holes until the customer can use other channels to fill them.


Registration of New Users• Mitigating Controls

• Only load limited funds into the wallet AFTER all CIP fields are complete.

• No other transfer of funds.

• Only allow purchase of goods and services until all CIP data fields are completed.

• Limit size of transactions• Enforce funds to be loaded or unloaded to one specific bank account


Future Issues

•Rapid Evolution (dare we say, “Revolution”)

•Google: “03/31/11 < Launches Mobile App < 04/02/11”

• 927,000 results, including• 04/01/11: W. Michigan U launches Mobile App for Buses• 04/01/11: Facebook launches new Mobile App• 04/01/11: Wicked Spoon launches mPunch with loyalty, payment

capabilities• 04/01/11: Google launches mobile Stock Viewer• 04/01/11: DTNA launches mobile Parts and Services app• 04/01.11: Eat24hrs launches mobile app with payment capabilities


Future Issues

•Federated Authentication • SSO between entities• Example: Use your Facebook account to authenticate to other social media platforms.

• Example: Google Authenticator


Federated Authentication• Competing Standards

• Higgins (Open Source)• Windows Cardspace (Microsoft)• Liberty Alliance• SAML (Secure Assertion Markup Language)

• MicroID, OpenID, SXIP, Shibboleth, INames,


Can we stay ahead of the risks?• It’s a moving target, requiring a moving risk-assessment process.

• Focus in on Vendor Due Diligence• Revisit your incident response process• Create a Strategic Plan


m.infotex.com/horse• Appendix E• Vendor Due Diligence Kit

• Key Vendor List• Threshold Analysis• Vendor Questionnaire

• Customer Awareness Re-brandable Flyer• Mobile Banking Tips and Trends

• Wireless Banking Risk Assessment• Password: Horse, of Course! (all lower case . . . . horse . . . . .


iba horse before the cart 101311 - infotex home...horse before the cart the top five risks with...

Documents