TRANSCRIPT
Horse Before the Cart: The Top Five Risks with Mobile Banking (and how to manage them)
Dan Hadaway, CRISC, infotex
infotex Horse Before the Cart: Top 5 Mobile Banking Risks
The Top Five Risks
1. Late Majority Adoption
2. Tepid Adoption
3. Security Risk
4. Compliance Risk
5. Strategic Risk
Late Majority Adoption
Alias: The Risk of Losing Market Share
Stages of Innovation
• Knowledge
• Persuasion
• Decision
• Implementation
• Confirmation
Risk Assessment?
Security Controls
Everett M. Rogers' Diffusion of Innovations
infotex 1. Late Majority Adoption
Rogers' Diffusion Theory of Innovation
• Innovators
• Early adopters
• Early majority
• Late majority
• Laggards
Everett M. Rogers' Diffusion of Innovations
Early Adopters in Banking
• Physical Security
• Information Security
Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations
Late Majority / Laggard
• Virtualization
• Cloud Computing
• Social Media
• Telecommuting
Dan’s Interpretation of Everett M. Rogers' Diffusion of Innovations
Softwareforcloudcomputing.com
[Figure: Risk/Benefit Evolution Curve. Axes: Value (vertical) vs. Time (horizontal). Curves: Features, Sophistication; Price, Problems. Adoption phases along the time axis: Innovator, Early Adopter, Early Majority, Late Majority, Laggards.]
What phase of adoption are we in?
• Innovators
• Early adopters
• Early majority
• Late majority
• Laggards
Mobile banking is growing about 3 times faster than on-line banking did when it was rolled out.
It’s not really new: Brief History of Mobile Banking
• Prior to 1999, SMS-based mobile banking apps were used in Europe.
• In 1999, European banks started offering apps for “primitive smart phones” that were designed to use the “mobile web,” a mobile version of a normal website.
• Until 2008, SMS-based mobile banking and mobile web versions (.mobi) of normal on-line banking sites held the majority of the mobile marketplace.
• With the introduction of the iPhone in 2007, the third leg of mobile delivery became possible.
• Mobile banking could now have its own electronic delivery application.
One way to think about it . . . .
• Stanford Credit Union was the first to offer on-line banking in 1994.
• Think about your adoption of on-line banking.
• 40.6% consumer adoption as of 12/2005 (Lichtenstein and Williamson, January 2006)
• It’s about 2006 in the on-line banking adoption curve.
By the numbers
Everett M. Rogers' Diffusion of Innovations
What are bankers saying?
• 54% say adopting mobile banking is a top priority
• 42% rated their customers' interest as either extremely or very high
March 30th 2011 Fundtech Limited Survey of 267 bankers
Growth of Wireless Banking (apps)
• 2009: 10 million . . . . . . 10.8%
• “The number of active users of mobile banking in the United States will grow from 10 million in 2009 to over 53 million in 2013.”
Tower Group: March 1, 2011
New Statistics (October 8, 2011)
• Total # American Smartphone Users: 84.5 million
Comscore: Through August 2011
That means Late Majority in 2013.
What are bankers saying?
• 31% believe that mobile banking will become a competitive differentiator for their bank
• 38% see mobile banking as just another service delivery channel
• 77% think fraud/security concerns are the biggest barriers to growth in mobile corporate banking
March 30th 2011 Fundtech Limited Survey of 267 bankers
Why Mobile Banking?
• Convenience
  o Anytime, Anywhere
• Integrated Delivery
  o On-line Banking, Social Media
  o SMS Banking, Mobile Web, Mobile Banking
• Generation Y
• Competitive Pressure
Why Mobile Banking . . . . NOW!
Why Mobile Banking?
• With proper education, can be as secure if not MORE secure than on-line banking
  o More convenient monitoring
  o Two-factor and OTP authentication
Tepid Adoption
Alias: The Risk of Losing Reputation and Market Share after spending a lot of money, but not as much as everybody else.
What are bankers saying?
• 77% think fraud/security concerns are the biggest barriers to growth in mobile corporate banking.
March 30th 2011 Fundtech Limited Survey of 267 bankers
infotex 2. Tepid Adoption
Myths of Mobile Banking
• It’s new.
Future of Wireless Banking
• “Wireless banking is a convenience we all want to take advantage of, and one that financial institutions are eager to have implemented as soon as possible. While the pressure to implement wireless banking services is great, and its development and implementation are challenging, care needs to be taken to avoid the potential risks.”
Rod Ghani, Senior Consultant, IBM, July 2001
Myths of Mobile Banking
• It’s new.
• It’s safer than on-line banking.
• It’s more dangerous than on-line banking.
• Security is a barrier to adoption.
What IS mobile banking?
• Laptops?
• Cell Phones?
• Thumb Drives?
• iPads?
• Smart Phones
What do the regulators say?
• Mobile banking is actually referred to as wireless banking
• Wireless banking is a subset of branchless banking
FFIEC E-banking Handbook, Appendix E
“Wireless banking occurs . . .”
• “When a customer accesses a financial institution's networks through:
  o Cellular phones, pagers, personal digital assistants (or similar devices)
  o Via telecommunication companies' wireless networks.”
FFIEC E-banking Handbook, Appendix E
Five Primary Questions
1. What is the value proposition for mobile banking?
2. What will motivate consumers to adopt mobile banking? How are consumers utilizing mobile banking currently?
3. Who are the key vendors of wireless banking solutions?
4. What are the key success factors in creating a wireless banking solution?
5. What are financial institutions offering now in mobile banking?
Question 1: Value Proposition
• Financial institutions’ customers are on average 46% more profitable when they actively use a suite of mobile banking products.
Source: Intuit Financial Services advertising shown when you try to go to the americanbanker.com website.
Question 1: Value Proposition
• Which investment offers the most obvious return?
  o New Branch
  o Wireless Banking
Question 2: Motivating Consumer Adoption
• Smart Phone Growth
• Peers
• Anytime, anywhere
• Convenience
The customers are already motivated. How long will they wait for YOU to be motivated?
Question 3: Key Vendors
• Start with your core and your on-line banking provider.
• Don’t end there.
• A list of key wireless banking providers is on our portal.
Question 4: Success Factors
• Access
  o AT&T or Verizon or both
• Integration
• Security and Risk Management
• Features (and quality of app)
Question 5: Features (Bird’s Eye View)
• Channels
• Platforms
• Core App Functionality (Front end + wallet)
• Non-traditional Features
Channels
• Mobile web (.mobi)
• Text banking
• Smart Phone Applications
Mobile Web Features
• Subset of your existing on-line banking features.
Traditional On-line Banking Feature Categories used in Mobile Web: Non-transactional
  o Viewing recent transactions
  o Checking account balances
  o Checking for deposits and when checks clear
  o Reading secure messages
  o Payments to third parties (already set up)
  o Funds transfers (internal)
Traditional On-line Banking Feature Categories not used in Mobile Web: Transactional
  o Setting up payments to third parties
  o Downloading bank statements (multiple formats: PDF, QIF, CSV)
  o Viewing images of checks
  o Applications (loans, accounts, etc.)
  o Investment purchase or sale
SMS Features
• Checking your balance
• Find an ATM or branch
• One-way account alerts
  o Balances, transactions, stock prices
  o Recurring deposits
• OTP authentication
Smart-phone Application Features
• Check balances
• Pay bills
• Transfer funds
• Trade stocks
(boring)
Smart-phone Application Features
• Status of credit requests
• Complaint submission
• Branch and ATM locations
(still boring)
Smart-phone Application Features
• Customization
  o Preferred language
  o Date / time format
  o Amount format
  o Monitoring parameters (for SMS alerts)
Let’s back up a bit
Another view: Types of Features
• Front End of Existing Accounts
  o Transact off existing bank account
  o Starbucks, Subway, Amazon
  o Mobile Web and Smart-phone Apps
• Self-Contained Wallet
  o The money is actually ON the mobile device
Smart-phone Application Features
• Wallet Capabilities
  o Scan and Pay
  o Wave and Go (Europe)
  o Peer to Peer (P2P) Payments
  o Gift Cards
• Consumer Capture
Consumer Capture
The next screen SHOULD say:
• “Write “deposited” on your check in LARGE LETTERS and include the date.”
Advantage of Early Majority Adoption
• Many new versions of wireless banking apps are reading checks and checking back to the core database to compare MICR codes or other forms of check identification, then approving the check.
Deployment Challenges
• System Integration
• Application Distribution
• Security Controls
• Compliance Consideration
Tepid Adoption
• Offer only one of the wireless delivery channels (SMS, Mobile Web, Applications)
And you lose.
What do you lose?
• Generation Y customers.
• Reputation with Gen X and Baby Boomer customers
Walk, not Crawl, Before you Run
• Offer all three distribution channels, but:
  o Have a tactical plan to stagger platform release.
  o Update your Incident Response Process.
  o Limit high-risk transactions:
      - Changing authentication credentials
      - Transfers to outside accounts
      - Volume of transactions
      - Size of transactions
Security Risk
Alias: The Need for Awareness
What the regulators say . . .
• Transaction/Operations Risk
  o Limitations in wireless technology
  o Security solutions for wired might not translate to wireless
  o Additional risks to integrity and confidentiality of data
FFIEC E-banking Handbook, Appendix E
infotex 3. Security Risk
Attack Vectors
• Lost or stolen device
• Non-malicious “dumb user mistakes”
• Smishing (and phishing and vishing)
• Fraudulent apps
• Malware
  o Zitmo = Zeus in the Mobile
  o OTP interceptions, keyloggers
• Application vulnerabilities (= Patch Management)
New iPhone Operating System
• iOS 5 was released yesterday
• New iPhone 4S
iOS 5.0
• Over-the-air updates. This makes the update process much simpler, therefore more people will do it.
• All iPhones AFTER the iPhone 3G (3GS, 4, 4S) support the new operating system, and therefore support over-the-air updates.
• This does include the iPad and iPad 2.
Cloud Computing Side Note
• The new iCloud is available for any device running iOS 5.0, some MacBooks, and Windows Vista or Windows 7.
• Music support on older iOS versions.
• If you have users with bank-owned iPhones, you might want to consider disabling this feature.
Lost or Stolen Devices
[Photo: Typical Airport Lost and Found Warehouse]
Application Vulnerabilities
Application Vulnerabilities
• Non-banking apps: Many are written by novice programmers who do not know security best practices.
• Non-banking apps: Even those published by corporate interests often do not have SDLC controls in place.
Application Vulnerabilities
• November 29, 2010: Groupon, Kik Messenger, Facebook, Dropbox, and Mint’s smartphone apps fail to securely store username and application data.
• They were storing the password as plain text.
Banking Application Vulnerabilities
• August 2010: Citigroup admits that their smart-phone application saved account numbers and other sensitive information to the mobile device in unencrypted format.
viaForensics Audit, November 01, 2010
• Three days later, the same app passed every test!
viaForensics Audit, November 04, 2010
Fraudulent Apps
Google Rolls Out
• 50 apps were removed from Google’s market due to complaints of fraud in the first ninety days
App Distribution
• App Store (Apple): 350,000
• Android Market (Google): 300,000
• Ovi Store (Nokia): 43,535
• App World (RIM – Blackberry): 16,121
• Windows Phone Marketplace (Microsoft): 12,222
• App Catalog (Palm/HP): 6,405
• Software Store (Palm): closed; 5,000 in 12/08
• Twenty-seven third-party distribution platforms ranging from Amazon to VZAppZone
Wikipedia, March 2010
Fraudulent App Distribution
• Social media
• All platforms but Apple’s App Store
• “Can I borrow your phone?”
Malware
Malware Statistics
• Good news is that smart phone viruses do not spread as easily as computer viruses.
• Bad news is that they (so far) seem to be much more targeted.
• 67 unique known smart-phone viruses in November 2010.
New Malware Statistics
• Over 80% of smart phones have NO security products such as anti-malware installed on them.
• 25% of smart phone users have no idea how to install AVS.
• 25% of smart phone users believe they cannot afford AVS for their phones.
Digital Trends Magazine, 09/21/2011
Marc Rogers, Purdue University
Zeus Application and Zitmo
. . . zooming in . . .
Jailbreaking
• Eliminates the application development controls that separate Apple from other providers.
Non-malicious “dumb user mistakes”
Some people were actually burned by this scam.
Non-malicious (dumb user) mistakes
• Double deposits
• Overdrafts
  o As Gen X and Baby Boomers start using mobile banking, they will have difficulties using the “cash float” that they have relied upon with older payment methods.
• Lost and stolen mobile devices
• Retired mobile devices
• SMS ends up in at least three places: your phone, the receiver’s phone, and at least one server somewhere in the middle.
Other potential customer vulnerabilities
• Bad application reviews
• Untrained help desk staff
Jailbreaking
• Allows you to use your iPhone in ways Apple did not intend.
• Allows further customization of the iPhone
• Allows use of unlicensed software
• Violates Apple’s terms of use
• Nullifies Apple’s support obligations
• Substantially increases the risk of fraudulent applications.
• Default password = “Alpine”
• Standard port scanning techniques identify jailbroken iPhones with SSH turned on.
• Hackers then log into the phone with the default password.
Controls
• Customer awareness training
• Know your assets
• Feature-based risk assessment
• Vendor due diligence
• On-going vendor due diligence
• Strategic planning
On the infotex portal
• Customer awareness tools
  o Re-brandable flyer
• Bank Wireless Security Controls Checklist
Compliance Risk
Alias: The Risk of Increasing Risk
The bad news
• Wireless banking involves every bank regulation you can think of.
infotex 4. Compliance Risk
Wow, the compliance implications . . .
• GLBA
• AML
• CTF (Anti-Terrorism)
• CIP (KYC)
• OFAC
• E-sign Act
• EFT Act
• “And other regulations” (FFIEC E-banking Handbook, Appendix E)
What the FFIEC left out:
• Bank Secrecy Act
• Red Flags
• US Patriot Act
The Good News
• Vendor due diligence is the key control.
• Vendor Due Diligence Checklist is on the portal.
Strategic Risk
Alias: The Risk of Evolution
What is Strategic Risk?
• The risk of a loss arising from a poor strategic business decision.
infotex 5. Strategic Risk
What the regulators say . . .
• Strategic Risk
  o Evolving standards (uncertainty)
FFIEC E-banking Handbook, Appendix E
Then why is this on Dan’s Top Five?
• Multiple environments: Different technologies appeal to different market segments
• Each cell phone has its own set of limitations.
• Wireless platforms are more numerous
  o Increased permutations = increased complexity = increased likelihood of problems.
• Wireless platforms are still in the early adoption phase = quickly changing standards.
• Standards? Are there standards?
• Wireless application vendors unproven
Response Process
• Uncertainty (we know there are more unknowns than knowns)
• We need to dust off our Incident Response Programs
• Incident Response should be part of the strategic plan!
Wired Operating Systems
• Microsoft
• Unix
Mobile Operating Systems
• Symbian (primarily non-North American markets): 36.6% WWW market share, Open Public License
• Android from Google: 25.5% market share, open source
• iOS from Apple: 16.7% market share, proprietary
• RIM (Research in Motion) by Blackberry: 14.8% market share, proprietary
• Windows Mobile from Microsoft: 2.8% market share, proprietary
• Others (Linux, Palm, bada, MeeGo, Maemo, Limo, BrewOS): 3.6% market share, proprietary and open source
New Statistics (October 8, 2011)
• Android: 43.7%
• Apple: 23.7%
• RIM (Blackberry): 19.7%
• Windows (Mobile + Phone 7): 5.7%
• Symbian: 1.8%
Comscore (through August 2011)
New Statistics (October 8, 2011)
• Total # American Smartphone Users: 84.5 million
Comscore (through August 2011)
New Statistics
• 44% of Smart Phone Users are considering Windows Phone 7.
Neowin.net 09/20/2011
If we reduce it to the top three
• Android (multiple providers, multiple releases)
• iOS (Apple: announced version x while rolling out version y)
• RIM (Blackberry: have to wonder why so slow to the smart-phone market)
Integration
• Not only from wireless application to core processor (and other back-office applications) to on-line banking application,
• but also to social media presence.
Compliance Versus Convenience
• Registration of new users
  o Drive to make this as lightweight as possible
  o Real AML and CTF implications
  o KYC (Know Your Customer) usually complicates registration, leaving the “data set” with some holes until the customer can use other channels to fill them.
Registration of New Users
• Mitigating controls
  o Only load limited funds into the wallet AFTER all CIP fields are complete.
  o No other transfer of funds.
  o Only allow purchase of goods and services until all CIP data fields are completed.
  o Limit size of transactions
  o Enforce funds to be loaded or unloaded to one specific bank account
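The mitigating controls on this slide, together with the high-risk transaction limits from the "Walk, not Crawl, Before you Run" slide, written out as one authorization policy. This is an added example, not code from the presentation or from infotex; the CIP field names, the thresholds, the account identifiers and the OTP step-up required for credential changes and outside transfers are assumptions.

```python
"""Added example (not from the deck): wallet/transaction authorization policy that
encodes the registration controls and the high-risk transaction limits.
CIP field names, thresholds, account ids and sample data are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed CIP (Customer Identification Program) fields that registration must collect.
CIP_FIELDS = ("legal_name", "date_of_birth", "address", "tax_id")

# Assumed thresholds (illustrative values, not from the deck).
MAX_WALLET_LOAD = 250.00      # "limited funds" per load into the wallet
MAX_TXN_AMOUNT = 500.00       # size limit on any single transaction
MAX_TXN_PER_DAY = 10          # volume limit across all transaction types
MAX_EXTERNAL_PER_DAY = 1      # transfers to outside accounts per day

TYPES = {"purchase", "load", "unload", "external_transfer", "credential_change"}

@dataclass
class Customer:
    cip: dict                    # CIP field -> value ("" or None when not yet collected)
    linked_account: str          # the ONE bank account funds may load from / unload to
    history: list = field(default_factory=list)  # (timestamp, txn_type) of approved txns

    def cip_complete(self) -> bool:
        return all(self.cip.get(f) for f in CIP_FIELDS)

@dataclass
class Txn:
    txn_type: str
    amount: float
    target: str = ""             # merchant id or account number
    when: datetime = datetime(2011, 10, 13, 12, 0)  # constructed timestamp
    otp_verified: bool = False   # result of step-up (SMS OTP) authentication

def _count_last_day(cust: Customer, when: datetime, kinds: set) -> int:
    cutoff = when - timedelta(days=1)
    return sum(1 for ts, kind in cust.history if ts > cutoff and kind in kinds)

def authorize(cust: Customer, txn: Txn) -> tuple[bool, str]:
    """Return (allowed, reason). Deny by default; each branch names the control applied."""
    if txn.txn_type not in TYPES or txn.amount < 0:
        return False, "malformed transaction"
    # Changing authentication credentials is high risk: always require step-up.
    if txn.txn_type == "credential_change":
        return (True, "ok") if txn.otp_verified else (False, "credential change needs OTP")
    if txn.amount > MAX_TXN_AMOUNT:
        return False, "transaction size limit"
    if _count_last_day(cust, txn.when, TYPES) >= MAX_TXN_PER_DAY:
        return False, "daily volume limit"
    if not cust.cip_complete():
        # Until every CIP field is filled: purchases of goods and services only.
        if txn.txn_type == "purchase":
            return True, "ok (CIP incomplete: purchases only)"
        return False, "CIP incomplete: no funds movement"
    if txn.txn_type in ("load", "unload"):
        if txn.target != cust.linked_account:
            return False, "loads/unloads only via the linked account"
        if txn.txn_type == "load" and txn.amount > MAX_WALLET_LOAD:
            return False, "wallet load limit"
        return True, "ok"
    if txn.txn_type == "external_transfer":
        if _count_last_day(cust, txn.when, {"external_transfer"}) >= MAX_EXTERNAL_PER_DAY:
            return False, "external transfer limit"
        return (True, "ok") if txn.otp_verified else (False, "external transfer needs OTP")
    return True, "ok"  # purchase with CIP complete

def record(cust: Customer, txn: Txn) -> None:
    """Append an approved transaction so the volume limits see it."""
    cust.history.append((txn.when, txn.txn_type))
```

The policy is deny-by-default, so a new transaction type the app adds later is refused until a rule is written for it.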
Future Issues
• Rapid Evolution (dare we say, “Revolution”)
• Google: “03/31/11 < Launches Mobile App < 04/02/11”
  o 927,000 results, including:
  o 04/01/11: W. Michigan U launches Mobile App for Buses
  o 04/01/11: Facebook launches new Mobile App
  o 04/01/11: Wicked Spoon launches mPunch with loyalty, payment capabilities
  o 04/01/11: Google launches mobile Stock Viewer
  o 04/01/11: DTNA launches mobile Parts and Services app
  o 04/01/11: Eat24hrs launches mobile app with payment capabilities
Future Issues
• Federated Authentication
  o SSO between entities
  o Example: Use your Facebook account to authenticate to other social media platforms.
  o Example: Google Authenticator
Federated Authentication
• Competing Standards
  o Higgins (Open Source)
  o Windows CardSpace (Microsoft)
  o Liberty Alliance
  o SAML (Security Assertion Markup Language)
  o MicroID, OpenID, SXIP, Shibboleth, i-names
Can we stay ahead of the risks?
• It’s a moving target, requiring a moving risk-assessment process.
• Focus in on Vendor Due Diligence
• Revisit your incident response process
• Create a Strategic Plan
m.infotex.com/horse
• Appendix E
• Vendor Due Diligence Kit
  o Key Vendor List
  o Threshold Analysis
  o Vendor Questionnaire
• Customer Awareness Re-brandable Flyer
• Mobile Banking Tips and Trends
• Wireless Banking Risk Assessment
• Password: Horse, of Course! (all lower case . . . . horse . . . . .